From 75c43fe27246b66e2f7a7caaeb3d77b6213fbab2 Mon Sep 17 00:00:00 2001 From: Samuel Kuang Date: Wed, 15 Mar 2023 17:19:44 -0700 Subject: [PATCH 01/14] Adds base for updating Microsoft.SecurityInsights from version preview/2023-03-01-preview to version 2023-04-01-preview --- .../2023-04-01-preview/AlertRules.json | 2543 ++++++++++++++ .../2023-04-01-preview/AutomationRules.json | 1495 ++++++++ .../preview/2023-04-01-preview/Bookmarks.json | 751 +++++ .../2023-04-01-preview/Enrichment.json | 381 +++ .../preview/2023-04-01-preview/Entities.json | 1556 +++++++++ .../2023-04-01-preview/EntityQueries.json | 507 +++ .../EntityQueryTemplates.json | 304 ++ .../2023-04-01-preview/FileImports.json | 564 ++++ .../preview/2023-04-01-preview/Incidents.json | 1657 +++++++++ .../preview/2023-04-01-preview/Metadata.json | 824 +++++ .../2023-04-01-preview/OfficeConsents.json | 234 ++ .../2023-04-01-preview/OnboardingStates.json | 284 ++ .../2023-04-01-preview/Recommendations.json | 564 ++++ .../SecurityMLAnalyticsSettings.json | 444 +++ .../preview/2023-04-01-preview/Settings.json | 423 +++ .../2023-04-01-preview/SourceControls.json | 735 ++++ .../ThreatIntelligence.json | 1097 ++++++ .../TriggeredAnalyticsRuleRuns.json | 353 ++ .../2023-04-01-preview/Watchlists.json | 721 ++++ .../2023-04-01-preview/common/AlertTypes.json | 81 + .../common/EntityTypes.json | 2550 ++++++++++++++ .../common/IncidentTypes.json | 246 ++ .../common/RelationTypes.json | 95 + .../common/ThreatIntelligenceTypes.json | 48 + .../2023-04-01-preview/dataConnectors.json | 2992 +++++++++++++++++ .../actions/CreateActionOfAlertRule.json | 43 + .../actions/DeleteActionOfAlertRule.json | 14 + .../actions/GetActionOfAlertRuleById.json | 24 + .../actions/GetAllActionsByAlertRule.json | 27 + .../GetAlertRuleTemplateById.json | 53 + .../GetAlertRuleTemplates.json | 238 ++ .../alertRules/CreateFusionAlertRule.json | 845 +++++ ...nAlertRuleWithFusionScenarioExclusion.json | 851 +++++ ...softSecurityIncidentCreationAlertRule.json | 58 + .../alertRules/CreateNrtAlertRule.json | 136 + .../alertRules/CreateScheduledAlertRule.json | 270 ++ .../examples/alertRules/DeleteAlertRule.json | 13 + .../examples/alertRules/GetAllAlertRules.json | 412 +++ .../alertRules/GetFusionAlertRule.json | 310 ++ ...softSecurityIncidentCreationAlertRule.json | 30 + .../examples/alertRules/GetNrtAlertRule.json | 55 + .../alertRules/GetScheduledAlertRule.json | 95 + .../AutomationRules_CreateOrUpdate.json | 171 + .../AutomationRules_Delete.json | 17 + .../automationRules/AutomationRules_Get.json | 65 + .../automationRules/AutomationRules_List.json | 68 + .../examples/bookmarks/CreateBookmark.json | 143 + .../examples/bookmarks/DeleteBookmark.json | 13 + .../examples/bookmarks/GetBookmarkById.json | 64 + .../examples/bookmarks/GetBookmarks.json | 67 + .../bookmarks/expand/PostExpandBookmark.json | 43 + .../relations/CreateBookmarkRelation.json | 43 + .../relations/DeleteBookmarkRelation.json | 14 + .../relations/GetAllBookmarkRelations.json | 28 + .../relations/GetBookmarkRelationByName.json | 25 + ...CheckRequirementsAzureActiveDirectory.json | 22 + ...tsAzureActiveDirectoryNoAuthorization.json | 22 + ...irementsAzureActiveDirectoryNoLicense.json | 22 + .../CheckRequirementsAzureSecurityCenter.json | 22 + .../CheckRequirementsDynamics365.json | 22 + .../dataConnectors/CheckRequirementsIoT.json | 22 + .../CheckRequirementsMdatp.json | 22 + ...RequirementsMicrosoftCloudAppSecurity.json | 22 + ...MicrosoftPurviewInformationProtection.json | 22 + ...quirementsMicrosoftThreatIntelligence.json | 22 + ...RequirementsMicrosoftThreatProtection.json | 22 + .../CheckRequirementsOffice365Project.json | 22 + .../CheckRequirementsOfficeATP.json | 22 + .../CheckRequirementsOfficeIRM.json | 22 + .../CheckRequirementsOfficePowerBI.json | 22 + .../CheckRequirementsThreatIntelligence.json | 22 + ...ckRequirementsThreatIntelligenceTaxii.json | 22 + .../dataConnectors/ConnectAPIPolling.json | 24 + .../ConnectAPIPollingV2Logs.json | 27 + .../dataConnectors/CreateAPIPolling.json | 368 ++ .../CreateDynamics365DataConnetor.json | 57 + .../dataConnectors/CreateGenericUI.json | 437 +++ ...viewInformationProtectionDataConnetor.json | 57 + ...rosoftThreatIntelligenceDataConnector.json | 59 + ...MicrosoftThreatProtectionDataConnetor.json | 81 + .../CreateOffice365ProjectDataConnetor.json | 57 + .../CreateOfficeDataConnetor.json | 75 + .../CreateOfficePowerBIDataConnector.json | 57 + ...CreateThreatIntelligenceDataConnector.json | 59 + ...eThreatIntelligenceTaxiiDataConnector.json | 81 + .../dataConnectors/DeleteAPIPolling.json | 13 + .../dataConnectors/DeleteGenericUI.json | 13 + ...viewInformationProtectionDataConnetor.json | 13 + ...rosoftThreatIntelligenceDataConnector.json | 13 + .../DeleteOffice365ProjectDataConnetor.json | 13 + .../DeleteOfficeDataConnetor.json | 13 + .../DeleteOfficePowerBIDataConnetor.json | 13 + .../dataConnectors/DisconnectAPIPolling.json | 13 + .../dataConnectors/GetAPIPolling.json | 133 + .../GetAmazonWebServicesCloudTrailById.json | 28 + .../GetAmazonWebServicesS3ById.json | 32 + .../GetAzureActiveDirectoryById.json | 28 + .../GetAzureAdvancedThreatProtectionById.json | 28 + .../GetAzureSecurityCenterById.json | 28 + .../dataConnectors/GetDataConnectors.json | 508 +++ .../GetDynamics365DataConnectorById.json | 28 + .../examples/dataConnectors/GetGenericUI.json | 156 + .../examples/dataConnectors/GetIoTById.json | 28 + .../GetMicrosoftCloudAppSecurityById.json | 31 + ...tDefenderAdvancedThreatProtectionById.json | 28 + ...GetMicrosoftInsiderRiskManagementById.json | 28 + ...InformationProtectionDataConnetorById.json | 28 + .../GetMicrosoftThreatIntelligenceById.json | 29 + .../GetMicrosoftThreatProtectionById.json | 36 + ...Office365AdvancedThreatProtectionById.json | 28 + .../GetOffice365ProjectDataConnetorById.json | 28 + .../GetOfficeDataConnetorById.json | 34 + .../GetOfficePowerBIDataConnetorById.json | 28 + .../GetThreatIntelligenceById.json | 29 + .../GetThreatIntelligenceTaxiiById.json | 36 + .../examples/enrichment/GetGeodataByIp.json | 31 + .../enrichment/GetWhoisByDomainName.json | 87 + .../entities/GetAccountEntityById.json | 32 + .../entities/GetAzureResourceEntityById.json | 24 + .../GetCloudApplicationEntityById.json | 25 + .../examples/entities/GetDnsEntityById.json | 26 + .../examples/entities/GetEntities.json | 63 + .../examples/entities/GetFileEntityById.json | 24 + .../entities/GetFileHashEntityById.json | 24 + .../examples/entities/GetHostEntityById.json | 31 + .../entities/GetIoTDeviceEntityById.json | 45 + .../examples/entities/GetIpEntityById.json | 23 + .../entities/GetMailClusterEntityById.json | 44 + .../entities/GetMailMessageEntityById.json | 48 + .../entities/GetMailboxEntityById.json | 26 + .../entities/GetMalwareEntityById.json | 24 + .../entities/GetProcessEntityById.json | 25 + .../examples/entities/GetQueries.json | 456 +++ .../entities/GetRegistryKeyEntityById.json | 24 + .../entities/GetRegistryValueEntityById.json | 26 + .../entities/GetSecurityAlertEntityById.json | 51 + .../entities/GetSecurityGroupEntityById.json | 25 + .../entities/GetSubmissionMailEntityById.json | 29 + .../examples/entities/GetUrlEntityById.json | 23 + .../entities/expand/PostExpandEntity.json | 52 + .../entities/insights/PostGetInsights.json | 100 + .../relations/GetAllEntityRelations.json | 28 + .../relations/GetEntityRelationByName.json | 25 + .../entities/timeline/PostTimelineEntity.json | 92 + .../CreateEntityQueryActivity.json | 133 + .../entityQueries/DeleteEntityQuery.json | 13 + .../GetActivityEntityQueryById.json | 54 + .../entityQueries/GetEntityQueries.json | 59 + .../GetExpansionEntityQueryById.json | 34 + .../GetActivityEntityQueryTemplateById.json | 57 + .../GetEntityQueryTemplates.json | 105 + .../fileImports/CreateFileImport.json | 49 + .../fileImports/DeleteFileImport.json | 41 + .../fileImports/GetFileImportById.json | 37 + .../examples/fileImports/GetFileImports.json | 42 + .../IncidentAlerts/Incidents_ListAlerts.json | 50 + .../Incidents_ListBookmarks.json | 47 + .../IncidentComments_CreateOrUpdate.json | 55 + .../IncidentComments_Delete.json | 14 + .../IncidentComments_Get.json | 31 + .../IncidentComments_List.json | 34 + .../Incidents_ListEntities.json | 34 + .../IncidentTasks_CreateOrUpdate.json | 73 + .../IncidentTasks/IncidentTasks_Delete.json | 14 + .../IncidentTasks/IncidentTasks_Get.json | 39 + .../IncidentTasks/IncidentTasks_List.json | 42 + .../IncidentTeam/Incidents_CreateTeam.json | 26 + .../incidents/Incidents_CreateOrUpdate.json | 136 + .../examples/incidents/Incidents_Delete.json | 13 + .../examples/incidents/Incidents_Get.json | 63 + .../examples/incidents/Incidents_List.json | 68 + .../relations/CreateIncidentRelation.json | 43 + .../relations/DeleteIncidentRelation.json | 14 + .../relations/GetAllIncidentRelations.json | 40 + .../relations/GetIncidentRelationByName.json | 25 + .../manualTrigger/Entities_RunPlaybook.json | 17 + .../manualTrigger/Incidents_RunPlaybook.json | 18 + .../examples/metadata/DeleteMetadata.json | 13 + .../examples/metadata/GetAllMetadata.json | 64 + .../metadata/GetAllMetadataOData.json | 52 + .../examples/metadata/GetMetadata.json | 104 + .../examples/metadata/PatchMetadata.json | 35 + .../examples/metadata/PutMetadata.json | 286 ++ .../examples/metadata/PutMetadataMinimal.json | 40 + .../officeConsents/DeleteOfficeConsents.json | 13 + .../officeConsents/GetOfficeConsents.json | 25 + .../officeConsents/GetOfficeConsentsById.json | 22 + .../CreateSentinelOnboardingState.json | 36 + .../DeleteSentinelOnboardingState.json | 13 + .../GetAllSentinelOnboardingStates.json | 24 + .../GetSentinelOnboardingState.json | 21 + .../examples/operations/ListOperations.json | 563 ++++ .../recommendations/GetRecommendation.json | 48 + .../recommendations/GetRecommendations.json | 51 + .../recommendations/PatchRecommendation.json | 56 + .../repositories/GetRepositories.json | 25 + ...eateAnomalySecurityMLAnalyticsSetting.json | 245 ++ .../DeleteSecurityMLAnalyticsSetting.json | 13 + .../GetAllSecurityMLAnalyticsSettings.json | 94 + .../GetAnomalySecurityMLAnalyticsSetting.json | 91 + .../settings/DeleteEyesOnSetting.json | 13 + .../examples/settings/GetAllSettings.json | 25 + .../examples/settings/GetEyesOnSetting.json | 22 + .../settings/UpdateEyesOnSetting.json | 28 + .../sourcecontrols/CreateSourceControl.json | 168 + .../sourcecontrols/DeleteSourceControl.json | 13 + .../sourcecontrols/GetSourceControlById.json | 76 + .../sourcecontrols/GetSourceControls.json | 79 + .../AppendTagsThreatIntelligence.json | 18 + .../CollectThreatIntelligenceMetrics.json | 43 + .../CreateThreatIntelligence.json | 100 + .../DeleteThreatIntelligence.json | 13 + .../GetThreatIntelligence.json | 76 + .../GetThreatIntelligenceById.json | 43 + .../QueryThreatIntelligence.json | 107 + .../ReplaceTagsThreatIntelligence.json | 52 + .../UpdateThreatIntelligence.json | 101 + .../triggerRuleRun_Post.json | 23 + .../triggeredAnalyticsRuleRun_Get.json | 29 + .../triggeredAnalyticsRuleRuns_Get.json | 48 + .../examples/watchlists/CreateWatchlist.json | 88 + .../CreateWatchlistAndWatchlistItems.json | 92 + .../watchlists/CreateWatchlistItem.json | 92 + .../examples/watchlists/DeleteWatchlist.json | 18 + .../watchlists/DeleteWatchlistItem.json | 15 + .../watchlists/GetWatchlistByAlias.json | 50 + .../watchlists/GetWatchlistItemById.json | 47 + .../watchlists/GetWatchlistItems.json | 50 + .../examples/watchlists/GetWatchlists.json | 53 + .../2023-04-01-preview/operations.json | 138 + 230 files changed, 35668 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json new file mode 100644 index 000000000000..6344b6a09e0a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json @@ -0,0 +1,2543 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules": { + "get": { + "x-ms-examples": { + "Get all alert rules.": { + "$ref": "./examples/alertRules/GetAllAlertRules.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets all alert rules.", + "operationId": "AlertRules_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}": { + "get": { + "x-ms-examples": { + "Get a Scheduled alert rule.": { + "$ref": "./examples/alertRules/GetScheduledAlertRule.json" + }, + "Get an Nrt alert rule.": { + "$ref": "./examples/alertRules/GetNrtAlertRule.json" + }, + "Get a Fusion alert rule.": { + "$ref": "./examples/alertRules/GetFusionAlertRule.json" + }, + "Get a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Gets the alert rule.", + "operationId": "AlertRules_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a Scheduled alert rule.": { + "$ref": "./examples/alertRules/CreateScheduledAlertRule.json" + }, + "Creates or updates a Nrt alert rule.": { + "$ref": "./examples/alertRules/CreateNrtAlertRule.json" + }, + "Creates or updates a Fusion alert rule.": { + "$ref": "./examples/alertRules/CreateFusionAlertRule.json" + }, + "Creates or updates a Fusion alert rule with scenario exclusion pattern.": { + "$ref": "./examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json" + }, + "Creates or updates a MicrosoftSecurityIncidentCreation rule.": { + "$ref": "./examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Creates or updates the alert rule.", + "operationId": "AlertRules_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/AlertRule" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AlertRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an alert rule.": { + "$ref": "./examples/alertRules/DeleteAlertRule.json" + } + }, + "tags": [ + "Alert Rules" + ], + "description": "Delete the alert rule.", + "operationId": "AlertRules_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions": { + "get": { + "x-ms-examples": { + "Get all actions of alert rule.": { + "$ref": "./examples/actions/GetAllActionsByAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets all actions of alert rule.", + "operationId": "Actions_ListByAlertRule", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ActionsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}": { + "get": { + "x-ms-examples": { + "Get an action of alert rule.": { + "$ref": "./examples/actions/GetActionOfAlertRuleById.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Gets the action of alert rule.", + "operationId": "Actions_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an action of alert rule.": { + "$ref": "./examples/actions/CreateActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Creates or updates the action of alert rule.", + "operationId": "Actions_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + }, + { + "$ref": "#/parameters/Action" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ActionResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an action of alert rule.": { + "$ref": "./examples/actions/DeleteActionOfAlertRule.json" + } + }, + "tags": [ + "Actions" + ], + "description": "Delete the action of alert rule.", + "operationId": "Actions_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/ActionId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates": { + "get": { + "x-ms-examples": { + "Get all alert rule templates.": { + "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplates.json" + } + }, + "tags": [ + "Alert Rule Templates" + ], + "description": "Gets all alert rule templates.", + "operationId": "AlertRuleTemplates_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRuleTemplatesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRuleTemplates/{alertRuleTemplateId}": { + "get": { + "x-ms-examples": { + "Get alert rule template by Id.": { + "$ref": "./examples/alertRuleTemplates/GetAlertRuleTemplateById.json" + } + }, + "tags": [ + "Alert Rule Templates" + ], + "description": "Gets the alert rule template.", + "operationId": "AlertRuleTemplates_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AlertRuleTemplateId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertRuleTemplate" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "Action": { + "description": "The action", + "in": "body", + "name": "action", + "required": true, + "schema": { + "$ref": "#/definitions/ActionRequest" + }, + "x-ms-parameter-location": "method" + }, + "ActionId": { + "description": "Action ID", + "in": "path", + "name": "actionId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AlertRule": { + "description": "The alert rule", + "in": "body", + "name": "alertRule", + "required": true, + "schema": { + "$ref": "#/definitions/AlertRule" + }, + "x-ms-parameter-location": "method" + }, + "AlertRuleTemplateId": { + "description": "Alert rule template ID", + "in": "path", + "name": "alertRuleTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "AlertRule": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Alert rule.", + "properties": { + "kind": { + "$ref": "#/definitions/AlertRuleKindEnum", + "description": "The kind of the alert rule" + } + }, + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "AlertRuleKindEnum": { + "description": "The kind of the alert rule", + "enum": [ + "Scheduled", + "MicrosoftSecurityIncidentCreation", + "Fusion", + "MLBehaviorAnalytics", + "ThreatIntelligence", + "NRT" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertRuleKind", + "values": [ + { + "value": "Scheduled" + }, + { + "value": "MicrosoftSecurityIncidentCreation" + }, + { + "value": "Fusion" + }, + { + "value": "MLBehaviorAnalytics" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "NRT" + } + ] + } + }, + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" + } + ], + "description": "Alert rule template.", + "discriminator": "kind", + "type": "object", + "properties": { + "kind": { + "$ref": "#/definitions/AlertRuleKindEnum", + "description": "The kind of the alert rule" + } + }, + "required": [ + "kind" + ] + }, + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" + }, + "dataTypes": { + "description": "The data types used by the alert rule template", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer", + "format": "int32" + }, + "lastUpdatedDateUTC": { + "description": "The last time that this alert rule template has been updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data sources for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "x-ms-identifiers": [ + "connectorId" + ], + "type": "array" + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status." + } + }, + "type": "object" + }, + "AlertRuleTemplateStatus": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + }, + "AlertRuleTemplateWithMitreProperties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "Alert rule template with MITRE property bag.", + "properties": { + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array" + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "QueryBasedAlertRuleTemplateProperties": { + "description": "Query based alert rule template base property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, + "version": { + "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.", + "type": "string" + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." + }, + "sentinelEntitiesMappings": { + "$ref": "#/definitions/SentinelEntitiesMappings", + "description": "Array of the sentinel entity mappings of the alert rule" + } + }, + "type": "object" + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rule templates.", + "items": { + "$ref": "#/definitions/AlertRuleTemplate" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "MLBehaviorAnalyticsAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MLBehaviorAnalytics alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties", + "description": "MLBehaviorAnalytics alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MLBehaviorAnalytics" + }, + "MLBehaviorAnalyticsAlertRuleProperties": { + "description": "MLBehaviorAnalytics alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "MLBehaviorAnalyticsAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MLBehaviorAnalytics alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplateWithMitreProperties" + } + ], + "description": "MLBehaviorAnalytics alert rule template properties.", + "properties": { + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + } + }, + "type": "object", + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MLBehaviorAnalytics" + }, + "FusionAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Fusion alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "sourceSettings": { + "description": "Configuration for all supported source signals in fusion detection.", + "items": { + "$ref": "#/definitions/FusionSourceSettings" + }, + "x-ms-identifiers": [], + "type": "array" + }, + "scenarioExclusionPatterns": { + "description": "Configuration to exclude scenarios in fusion detection.", + "items": { + "$ref": "#/definitions/FusionScenarioExclusionPattern" + }, + "x-ms-identifiers": [], + "type": "array" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "FusionSourceSettings": { + "description": "Represents a supported source signal configuration in Fusion detection.", + "properties": { + "enabled": { + "description": "Determines whether this source signal is enabled or disabled in Fusion detection.", + "type": "boolean" + }, + "sourceName": { + "description": "Name of the Fusion source signal. Refer to Fusion alert rule template for supported values.", + "type": "string" + }, + "sourceSubTypes": { + "description": "Configuration for all source subtypes under this source signal consumed in fusion detection.", + "items": { + "$ref": "#/definitions/FusionSourceSubTypeSetting" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "required": [ + "enabled", + "sourceName" + ], + "type": "object" + }, + "FusionSourceSubTypeSetting": { + "description": "Represents a supported source subtype configuration under a source signal in Fusion detection.", + "properties": { + "enabled": { + "description": "Determines whether this source subtype under source signal is enabled or disabled in Fusion detection.", + "type": "boolean" + }, + "sourceSubTypeName": { + "description": "The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values.", + "type": "string" + }, + "sourceSubTypeDisplayName": { + "description": "The display name of source subtype under a source signal consumed in Fusion detection.", + "type": "string", + "readOnly": true + }, + "severityFilters": { + "description": "Severity configuration for a source subtype consumed in fusion detection.", + "$ref": "#/definitions/FusionSubTypeSeverityFilter", + "type": "object" + } + }, + "required": [ + "enabled", + "sourceSubTypeName", + "severityFilters" + ], + "type": "object" + }, + "FusionSubTypeSeverityFilter": { + "description": "Represents severity configuration for a source subtype consumed in Fusion detection.", + "properties": { + "isSupported": { + "description": "Determines whether this source subtype supports severity configuration or not.", + "type": "boolean", + "readOnly": true + }, + "filters": { + "description": "Individual Severity configuration settings for a given source subtype consumed in Fusion detection.", + "items": { + "$ref": "#/definitions/FusionSubTypeSeverityFiltersItem" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "type": "object" + }, + "FusionSubTypeSeverityFiltersItem": { + "description": "Represents a Severity filter setting for a given source subtype consumed in Fusion detection.", + "properties": { + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The Severity for a given source subtype consumed in Fusion detection." + }, + "enabled": { + "description": "Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection.", + "type": "boolean" + } + }, + "required": [ + "severity", + "enabled" + ], + "type": "object" + }, + "FusionScenarioExclusionPattern": { + "description": "Represents a Fusion scenario exclusion patterns in Fusion detection.", + "properties": { + "exclusionPattern": { + "description": "Scenario exclusion pattern.", + "type": "string" + }, + "dateAddedInUTC": { + "description": "DateTime when scenario exclusion pattern is added in UTC.", + "type": "string" + } + }, + "required": [ + "exclusionPattern", + "dateAddedInUTC" + ], + "type": "object" + }, + "FusionAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents Fusion alert rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleTemplateProperties", + "description": "Fusion alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleTemplateProperties": { + "description": "Fusion alert rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "lastUpdatedDateUTC": { + "description": "The time that this alert rule template was last updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "type": "array" + }, + "sourceSettings": { + "description": "All supported source signal configurations consumed in fusion detection.", + "items": { + "$ref": "#/definitions/FusionTemplateSourceSetting" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "type": "object", + "x-ms-client-flatten": true + }, + "FusionTemplateSourceSetting": { + "description": "Represents a source signal consumed in Fusion detection.", + "properties": { + "sourceName": { + "description": "The name of a source signal consumed in Fusion detection.", + "type": "string" + }, + "sourceSubTypes": { + "description": "All supported source subtypes under this source signal consumed in fusion detection.", + "items": { + "$ref": "#/definitions/FusionTemplateSourceSubType" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "required": [ + "sourceName" + ], + "type": "object" + }, + "FusionTemplateSourceSubType": { + "description": "Represents a source subtype under a source signal consumed in Fusion detection.", + "properties": { + "sourceSubTypeName": { + "description": "The name of source subtype under a source signal consumed in Fusion detection.", + "type": "string" + }, + "sourceSubTypeDisplayName": { + "description": "The display name of source subtype under a source signal consumed in Fusion detection.", + "type": "string", + "readOnly": true + }, + "severityFilter": { + "description": "Severity configuration available for a source subtype consumed in fusion detection.", + "$ref": "#/definitions/FusionTemplateSubTypeSeverityFilter", + "type": "object" + } + }, + "required": [ + "sourceSubTypeName", + "severityFilter" + ], + "type": "object" + }, + "FusionTemplateSubTypeSeverityFilter": { + "description": "Represents severity configurations available for a source subtype consumed in Fusion detection.", + "properties": { + "isSupported": { + "description": "Determines whether severity configuration is supported for this source subtype consumed in Fusion detection.", + "type": "boolean" + }, + "severityFilters": { + "description": "List of all supported severities for this source subtype consumed in Fusion detection.", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "required": [ + "isSupported" + ], + "type": "object" + }, + "ThreatIntelligenceAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Threat Intelligence alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties", + "description": "Threat Intelligence alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "ThreatIntelligenceAlertRuleProperties": { + "description": "Threat Intelligence alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "ThreatIntelligenceAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents Threat Intelligence alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplateWithMitreProperties" + } + ], + "description": "Threat Intelligence alert rule template properties", + "properties": { + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + } + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "type": "object", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "$ref": "#/definitions/MicrosoftSecurityProductName", + "description": "The alerts' productName on which the cases will be generated" + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityProductName": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT", + "Office 365 Advanced Threat Protection", + "Microsoft Defender Advanced Threat Protection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" + } + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties", + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplateProperties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "$ref": "#/definitions/MicrosoftSecurityProductName", + "description": "The alerts' productName on which the cases will be generated" + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum" + }, + "type": "array" + } + }, + "type": "object", + "x-ms-client-flatten": true + }, + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "templateVersion": { + "description": "The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", + "type": "boolean" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array" + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "type": "array" + }, + "incidentConfiguration": { + "$ref": "#/definitions/IncidentConfiguration", + "description": "The settings of the incidents that created from alerts triggered by this analytics rule" + } + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object", + "x-ms-client-flatten": true + }, + "NrtAlertRuleProperties": { + "description": "Nrt alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "templateVersion": { + "description": "The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array" + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", + "type": "boolean" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, + "incidentConfiguration": { + "$ref": "#/definitions/IncidentConfiguration", + "description": "The settings of the incidents that created from alerts triggered by this analytics rule" + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." + }, + "sentinelEntitiesMappings": { + "$ref": "#/definitions/SentinelEntitiesMappings", + "description": "Array of the sentinel entity mappings of the alert rule" + } + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object", + "x-ms-client-flatten": true + }, + "ScheduledAlertRuleTemplateProperties": { + "description": "Scheduled alert rule template properties", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "format": "int32", + "type": "integer" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "lastUpdatedDateUTC": { + "description": "The time that this alert rule template was last updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data connectors for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "status": { + "$ref": "#/definitions/AlertRuleTemplateStatus", + "description": "The alert rule template status.", + "type": "string" + }, + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "format": "int32", + "type": "integer" + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "techniques": { + "description": "The techniques of the alert rule", + "items": { + "type": "string" + }, + "type": "array" + }, + "version": { + "description": "The version of this template - in format , where all are numbers. For example <1.0.2>.", + "type": "string" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" + }, + "sentinelEntitiesMappings": { + "$ref": "#/definitions/SentinelEntitiesMappings", + "description": "Array of the sentinel entity mappings of the alert rule" + } + }, + "type": "object" + }, + "ScheduledAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents scheduled alert rule template.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleTemplateProperties", + "description": "Scheduled alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "version" + ], + "type": "object", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "NrtAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents NRT alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplateWithMitreProperties" + }, + { + "$ref": "#/definitions/QueryBasedAlertRuleTemplateProperties" + } + ], + "description": "NRT alert rule template properties", + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "version" + ], + "type": "object", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "NRT" + }, + "EventGroupingSettings": { + "description": "Event grouping settings property bag.", + "properties": { + "aggregationKind": { + "$ref": "#/definitions/EventGroupingAggregationKind" + } + }, + "type": "object" + }, + "EventGroupingAggregationKind": { + "description": "The event grouping aggregation kinds", + "enum": [ + "SingleAlert", + "AlertPerResult" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EventGroupingAggregationKind" + } + }, + "ScheduledAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents scheduled alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "NrtAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents NRT alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/NrtAlertRuleProperties", + "description": "NRT alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "NRT" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Scheduled alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "type": "integer", + "format": "int32" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." + }, + "customDetails": { + "description": "Dictionary of string key-value pairs of columns to be attached to the alert", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappings", + "description": "Array of the entity mappings of the alert rule" + }, + "alertDetailsOverride": { + "type": "object", + "$ref": "#/definitions/AlertDetailsOverride", + "description": "The alert details override settings" + }, + "sentinelEntitiesMappings": { + "$ref": "#/definitions/SentinelEntitiesMappings", + "description": "Array of the sentinel entity mappings of the alert rule" + } + }, + "type": "object" + }, + "EntityMappings": { + "description": "List of entity mappings of the alert rule", + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + }, + "x-ms-identifiers": [] + }, + "EntityMapping": { + "description": "Single entity mapping for the alert rule", + "properties": { + "entityType": { + "$ref": "#/definitions/EntityMappingType" + }, + "fieldMappings": { + "description": "array of field mappings for the given entity mapping", + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + }, + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "FieldMapping": { + "description": "A single field mapping of the mapped entity", + "properties": { + "identifier": { + "description": "the V3 identifier of the entity", + "type": "string" + }, + "columnName": { + "description": "the column name to be mapped to the identifier", + "type": "string" + } + }, + "type": "object" + }, + "SentinelEntitiesMappings": { + "description": "List of sentinel entity mappings of the alert rule", + "type": "array", + "items": { + "$ref": "#/definitions/SentinelEntityMapping" + }, + "x-ms-identifiers": [] + }, + "SentinelEntityMapping": { + "description": "A single sentinel entity mapping", + "properties": { + "columnName": { + "description": "the column name to be mapped to the SentinelEntities", + "type": "string" + } + }, + "type": "object" + }, + "AlertDetailsOverride": { + "description": "Settings for how to dynamically override alert static details", + "properties": { + "alertDisplayNameFormat": { + "description": "the format containing columns name(s) to override the alert name", + "type": "string" + }, + "alertDescriptionFormat": { + "description": "the format containing columns name(s) to override the alert description", + "type": "string" + }, + "alertTacticsColumnName": { + "description": "the column name to take the alert tactics from", + "type": "string" + }, + "alertSeverityColumnName": { + "description": "the column name to take the alert severity from", + "type": "string" + }, + "alertDynamicProperties": { + "description": "List of additional dynamic properties to override", + "type": "array", + "items": { + "$ref": "#/definitions/AlertPropertyMapping" + }, + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "AlertPropertyMapping": { + "description": "A single alert property mapping to override", + "properties": { + "alertProperty": { + "$ref": "#/definitions/AlertProperty" + }, + "value": { + "description": "the column name to use to override this property", + "type": "string" + } + }, + "type": "object" + }, + "IncidentConfiguration": { + "description": "Incident Configuration property bag.", + "properties": { + "createIncident": { + "description": "Create incidents from alerts triggered by this analytics rule", + "type": "boolean" + }, + "groupingConfiguration": { + "$ref": "#/definitions/GroupingConfiguration", + "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" + } + }, + "type": "object", + "required": [ + "createIncident" + ] + }, + "GroupingConfiguration": { + "description": "Grouping configuration property bag.", + "properties": { + "enabled": { + "description": "Grouping enabled", + "type": "boolean" + }, + "reopenClosedIncident": { + "description": "Re-open closed matching incidents", + "type": "boolean" + }, + "lookbackDuration": { + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "matchingMethod": { + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MatchingMethod", + "values": [ + { + "description": "Grouping alerts into a single incident if all the entities match", + "value": "AllEntities" + }, + { + "description": "Grouping any alerts triggered by this rule into a single incident", + "value": "AnyAlert" + }, + { + "description": "Grouping alerts into a single incident if the selected entities, custom details and alert details match", + "value": "Selected" + } + ] + } + }, + "groupByEntities": { + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used.", + "items": { + "$ref": "#/definitions/EntityMappingType" + }, + "type": "array" + }, + "groupByAlertDetails": { + "description": "A list of alert details to group by (when matchingMethod is Selected)", + "items": { + "description": "Alert detail", + "enum": [ + "DisplayName", + "Severity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertDetail", + "values": [ + { + "description": "Alert display name", + "value": "DisplayName" + }, + { + "description": "Alert severity", + "value": "Severity" + } + ] + } + }, + "type": "array" + }, + "groupByCustomDetails": { + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "enabled", + "reopenClosedIncident", + "lookbackDuration", + "matchingMethod" + ] + }, + "ActionRequest": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionRequestProperties", + "description": "Action properties for put request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionPropertiesBase": { + "description": "Action property bag base.", + "properties": { + "logicAppResourceId": { + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + "type": "string" + } + }, + "required": [ + "logicAppResourceId" + ], + "type": "object" + }, + "ActionRequestProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "triggerUri": { + "description": "Logic App Callback URL for this specific workflow.", + "type": "string", + "x-ms-secret": true + } + }, + "required": [ + "triggerUri" + ], + "type": "object" + }, + "ActionResponse": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionResponseProperties", + "description": "Action properties for get request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionResponseProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "workflowId": { + "description": "The name of the logic app's workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionsList": { + "description": "List all the actions.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of actions.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of actions.", + "items": { + "$ref": "#/definitions/ActionResponse" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "EntityMappingType": { + "description": "The V3 type of the mapped entity", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityMappingType", + "values": [ + { + "description": "User account entity type", + "value": "Account" + }, + { + "description": "Host entity type", + "value": "Host" + }, + { + "description": "IP address entity type", + "value": "IP" + }, + { + "description": "Malware entity type", + "value": "Malware" + }, + { + "description": "System file entity type", + "value": "File" + }, + { + "description": "Process entity type", + "value": "Process" + }, + { + "description": "Cloud app entity type", + "value": "CloudApplication" + }, + { + "description": "DNS entity type", + "value": "DNS" + }, + { + "description": "Azure resource entity type", + "value": "AzureResource" + }, + { + "description": "File-hash entity type", + "value": "FileHash" + }, + { + "description": "Registry key entity type", + "value": "RegistryKey" + }, + { + "description": "Registry value entity type", + "value": "RegistryValue" + }, + { + "description": "Security group entity type", + "value": "SecurityGroup" + }, + { + "description": "URL entity type", + "value": "URL" + }, + { + "description": "Mailbox entity type", + "value": "Mailbox" + }, + { + "description": "Mail cluster entity type", + "value": "MailCluster" + }, + { + "description": "Mail message entity type", + "value": "MailMessage" + }, + { + "description": "Submission mail entity type", + "value": "SubmissionMail" + } + ] + } + }, + "AlertProperty": { + "description": "The V3 alert property", + "enum": [ + "AlertLink", + "ConfidenceLevel", + "ConfidenceScore", + "ExtendedLinks", + "ProductName", + "ProviderName", + "ProductComponentName", + "RemediationSteps", + "Techniques" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertProperty", + "values": [ + { + "description": "Alert's link", + "value": "AlertLink" + }, + { + "description": "Confidence level property", + "value": "ConfidenceLevel" + }, + { + "description": "Confidence score", + "value": "ConfidenceScore" + }, + { + "description": "Extended links to the alert", + "value": "ExtendedLinks" + }, + { + "description": "Product name alert property", + "value": "ProductName" + }, + { + "description": "Provider name alert property", + "value": "ProviderName" + }, + { + "description": "Product component name alert property", + "value": "ProductComponentName" + }, + { + "description": "Remediation steps alert property", + "value": "RemediationSteps" + }, + { + "description": "Techniques alert property", + "value": "Techniques" + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json new file mode 100644 index 000000000000..100a75d6d720 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json @@ -0,0 +1,1495 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": { + "get": { + "tags": [ + "automationRules" + ], + "description": "Gets the automation rule.", + "operationId": "AutomationRules_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + } + ], + "responses": { + "200": { + "description": "Ok", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "AutomationRules_Get": { + "$ref": "./examples/automationRules/AutomationRules_Get.json" + } + } + }, + "put": { + "tags": [ + "automationRules" + ], + "description": "Creates or updates the automation rule.", + "operationId": "AutomationRules_CreateOrUpdate", + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + }, + { + "in": "body", + "name": "automationRuleToUpsert", + "description": "The automation rule", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + } + ], + "responses": { + "200": { + "description": "Ok", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "AutomationRules_CreateOrUpdate": { + "$ref": "./examples/automationRules/AutomationRules_CreateOrUpdate.json" + } + } + }, + "delete": { + "tags": [ + "automationRules" + ], + "description": "Delete the automation rule.", + "operationId": "AutomationRules_Delete", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + } + ], + "responses": { + "200": { + "description": "Ok", + "schema": { + "type": "object" + } + }, + "204": { + "description": "No Content", + "schema": { + "type": "object" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "AutomationRules_Delete": { + "$ref": "./examples/automationRules/AutomationRules_Delete.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": { + "get": { + "tags": [ + "automationRules" + ], + "description": "Gets all automation rules.", + "operationId": "AutomationRules_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "Ok", + "schema": { + "$ref": "#/definitions/AutomationRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "AutomationRules_List": { + "$ref": "./examples/automationRules/AutomationRules_List.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityIdentifier}/runPlaybook": { + "post": { + "tags": [ + "manualTrigger" + ], + "description": "Triggers playbook on a specific entity.", + "operationId": "Entities_RunPlaybook", + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "in": "path", + "name": "entityIdentifier", + "description": "Entity identifier.", + "required": true, + "type": "string" + }, + { + "in": "body", + "name": "requestBody", + "description": "Describes the request body for triggering a playbook on an entity.", + "schema": { + "$ref": "#/definitions/EntityManualTriggerRequestBody" + } + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Entities_RunPlaybook": { + "$ref": "./examples/manualTrigger/Entities_RunPlaybook.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentIdentifier}/runPlaybook": { + "post": { + "tags": [ + "manualTrigger" + ], + "description": "Triggers playbook on a specific incident", + "operationId": "Incidents_RunPlaybook", + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "in": "path", + "name": "incidentIdentifier", + "required": true, + "type": "string" + }, + { + "in": "body", + "name": "requestBody", + "schema": { + "$ref": "#/definitions/ManualTriggerRequestBody" + } + } + ], + "responses": { + "204": { + "description": "Success", + "schema": { + "type": "object" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_RunPlaybook": { + "$ref": "./examples/manualTrigger/Incidents_RunPlaybook.json" + } + } + } + } + }, + "definitions": { + "ActionType": { + "description": "The type of the automation rule action.", + "enum": [ + "ModifyProperties", + "RunPlaybook", + "AddIncidentTask" + ], + "type": "string", + "example": "ModifyProperties", + "x-ms-enum": { + "name": "ActionType", + "modelAsString": true, + "values": [ + { + "value": "ModifyProperties", + "description": "Modify an object's properties" + }, + { + "value": "RunPlaybook", + "description": "Run a playbook on an object" + }, + { + "value": "AddIncidentTask", + "description": "Add a task to an incident object" + } + ] + } + }, + "AddIncidentTaskActionProperties": { + "required": [ + "title" + ], + "type": "object", + "properties": { + "title": { + "description": "The title of the task.", + "type": "string" + }, + "description": { + "description": "The description of the task.", + "type": "string" + } + } + }, + "AutomationRule": { + "required": [ + "properties" + ], + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "type": "object", + "$ref": "#/definitions/AutomationRuleProperties", + "x-ms-client-flatten": true + } + } + }, + "AutomationRuleAction": { + "description": "Describes an automation rule action.", + "required": [ + "actionType", + "order" + ], + "type": "object", + "properties": { + "order": { + "format": "int32", + "type": "integer" + }, + "actionType": { + "$ref": "#/definitions/ActionType" + } + }, + "discriminator": "actionType" + }, + "AutomationRuleAddIncidentTaskAction": { + "description": "Describes an automation rule action to add a task to an incident", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "type": "object", + "$ref": "#/definitions/AddIncidentTaskActionProperties" + } + }, + "x-ms-discriminator-value": "AddIncidentTask", + "x-ms-client-flatten": true + }, + "AutomationRuleBooleanCondition": { + "type": "object", + "properties": { + "operator": { + "$ref": "#/definitions/AutomationRuleBooleanConditionSupportedOperator" + }, + "innerConditions": { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleCondition" + }, + "x-ms-identifiers": [], + "minItems": 2, + "maxItems": 10 + } + } + }, + "AutomationRuleBooleanConditionSupportedOperator": { + "enum": [ + "And", + "Or" + ], + "type": "string", + "example": "And", + "x-ms-enum": { + "name": "AutomationRuleBooleanConditionSupportedOperator", + "modelAsString": true, + "values": [ + { + "value": "And", + "description": "Evaluates as true if all the item conditions are evaluated as true" + }, + { + "value": "Or", + "description": "Evaluates as true if at least one of the item conditions are evaluated as true" + } + ] + } + }, + "AutomationRuleCondition": { + "description": "Describes an automation rule condition.", + "required": [ + "conditionType" + ], + "type": "object", + "properties": { + "conditionType": { + "$ref": "#/definitions/ConditionType" + } + }, + "discriminator": "conditionType" + }, + "AutomationRuleModifyPropertiesAction": { + "description": "Describes an automation rule action to modify an object's properties", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "type": "object", + "$ref": "#/definitions/IncidentPropertiesAction" + } + }, + "x-ms-discriminator-value": "ModifyProperties", + "x-ms-client-flatten": true + }, + "AutomationRuleProperties": { + "description": "Automation rule properties", + "required": [ + "actions", + "displayName", + "order", + "triggeringLogic" + ], + "type": "object", + "properties": { + "displayName": { + "description": "The display name of the automation rule.", + "type": "string", + "maxLength": 500 + }, + "order": { + "format": "int32", + "description": "The order of execution of the automation rule.", + "type": "integer", + "minimum": 1, + "maximum": 1000 + }, + "triggeringLogic": { + "$ref": "#/definitions/AutomationRuleTriggeringLogic" + }, + "actions": { + "description": "The actions to execute when the automation rule is triggered.", + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleAction" + }, + "x-ms-identifiers": [], + "maxItems": 20 + }, + "lastModifiedTimeUtc": { + "format": "date-time", + "description": "The last time the automation rule was updated.", + "type": "string", + "readOnly": true + }, + "createdTimeUtc": { + "format": "date-time", + "description": "The time the automation rule was created.", + "type": "string", + "readOnly": true + }, + "lastModifiedBy": { + "readOnly": true, + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" + }, + "createdBy": { + "readOnly": true, + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" + } + } + }, + "AutomationRulePropertyArrayChangedConditionSupportedArrayType": { + "enum": [ + "Alerts", + "Labels", + "Tactics", + "Comments" + ], + "type": "string", + "example": "Alerts", + "x-ms-enum": { + "name": "AutomationRulePropertyArrayChangedConditionSupportedArrayType", + "modelAsString": true, + "values": [ + { + "value": "Alerts", + "description": "Evaluate the condition on the alerts" + }, + { + "value": "Labels", + "description": "Evaluate the condition on the labels" + }, + { + "value": "Tactics", + "description": "Evaluate the condition on the tactics" + }, + { + "value": "Comments", + "description": "Evaluate the condition on the comments" + } + ] + } + }, + "AutomationRulePropertyArrayChangedConditionSupportedChangeType": { + "enum": [ + "Added" + ], + "type": "string", + "example": "Added", + "x-ms-enum": { + "name": "AutomationRulePropertyArrayChangedConditionSupportedChangeType", + "modelAsString": true, + "values": [ + { + "value": "Added", + "description": "Evaluate the condition on items added to the array" + } + ] + } + }, + "AutomationRulePropertyArrayChangedValuesCondition": { + "type": "object", + "properties": { + "arrayType": { + "$ref": "#/definitions/AutomationRulePropertyArrayChangedConditionSupportedArrayType" + }, + "changeType": { + "$ref": "#/definitions/AutomationRulePropertyArrayChangedConditionSupportedChangeType" + } + } + }, + "AutomationRulePropertyArrayConditionSupportedArrayConditionType": { + "enum": [ + "AnyItem" + ], + "type": "string", + "example": "AnyItem", + "x-ms-enum": { + "name": "AutomationRulePropertyArrayConditionSupportedArrayConditionType", + "modelAsString": true, + "values": [ + { + "value": "AnyItem", + "description": "Evaluate the condition as true if any item fulfills it" + } + ] + } + }, + "AutomationRulePropertyArrayConditionSupportedArrayType": { + "enum": [ + "CustomDetails", + "CustomDetailValues" + ], + "type": "string", + "example": "CustomDetails", + "x-ms-enum": { + "name": "AutomationRulePropertyArrayConditionSupportedArrayType", + "modelAsString": true, + "values": [ + { + "value": "CustomDetails", + "description": "Evaluate the condition on the custom detail keys" + }, + { + "value": "CustomDetailValues", + "description": "Evaluate the condition on a custom detail's values" + } + ] + } + }, + "AutomationRulePropertyArrayValuesCondition": { + "type": "object", + "properties": { + "arrayType": { + "$ref": "#/definitions/AutomationRulePropertyArrayConditionSupportedArrayType" + }, + "arrayConditionType": { + "$ref": "#/definitions/AutomationRulePropertyArrayConditionSupportedArrayConditionType" + }, + "itemConditions": { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleCondition" + }, + "x-ms-identifiers": [], + "maxItems": 10 + } + } + }, + "AutomationRulePropertyChangedConditionSupportedChangedType": { + "enum": [ + "ChangedFrom", + "ChangedTo" + ], + "type": "string", + "example": "ChangedFrom", + "x-ms-enum": { + "name": "AutomationRulePropertyChangedConditionSupportedChangedType", + "modelAsString": true, + "values": [ + { + "value": "ChangedFrom", + "description": "Evaluate the condition on the previous value of the property" + }, + { + "value": "ChangedTo", + "description": "Evaluate the condition on the updated value of the property" + } + ] + } + }, + "AutomationRulePropertyChangedConditionSupportedPropertyType": { + "enum": [ + "IncidentSeverity", + "IncidentStatus", + "IncidentOwner" + ], + "type": "string", + "example": "IncidentSeverity", + "x-ms-enum": { + "name": "AutomationRulePropertyChangedConditionSupportedPropertyType", + "modelAsString": true, + "values": [ + { + "value": "IncidentSeverity", + "description": "Evaluate the condition on the incident severity" + }, + { + "value": "IncidentStatus", + "description": "Evaluate the condition on the incident status" + }, + { + "value": "IncidentOwner", + "description": "Evaluate the condition on the incident owner" + } + ] + } + }, + "AutomationRulePropertyConditionSupportedOperator": { + "enum": [ + "Equals", + "NotEquals", + "Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" + ], + "type": "string", + "example": "Equals", + "x-ms-enum": { + "name": "AutomationRulePropertyConditionSupportedOperator", + "modelAsString": true, + "values": [ + { + "value": "Equals", + "description": "Evaluates if the property equals at least one of the condition values" + }, + { + "value": "NotEquals", + "description": "Evaluates if the property does not equal any of the condition values" + }, + { + "value": "Contains", + "description": "Evaluates if the property contains at least one of the condition values" + }, + { + "value": "NotContains", + "description": "Evaluates if the property does not contain any of the condition values" + }, + { + "value": "StartsWith", + "description": "Evaluates if the property starts with any of the condition values" + }, + { + "value": "NotStartsWith", + "description": "Evaluates if the property does not start with any of the condition values" + }, + { + "value": "EndsWith", + "description": "Evaluates if the property ends with any of the condition values" + }, + { + "value": "NotEndsWith", + "description": "Evaluates if the property does not end with any of the condition values" + } + ] + } + }, + "AutomationRulePropertyConditionSupportedProperty": { + "description": "The property to evaluate in an automation rule property condition.", + "enum": [ + "IncidentTitle", + "IncidentDescription", + "IncidentSeverity", + "IncidentStatus", + "IncidentRelatedAnalyticRuleIds", + "IncidentTactics", + "IncidentLabel", + "IncidentProviderName", + "IncidentUpdatedBySource", + "IncidentCustomDetailsKey", + "IncidentCustomDetailsValue", + "AccountAadTenantId", + "AccountAadUserId", + "AccountName", + "AccountNTDomain", + "AccountPUID", + "AccountSid", + "AccountObjectGuid", + "AccountUPNSuffix", + "AlertProductNames", + "AlertAnalyticRuleIds", + "AzureResourceResourceId", + "AzureResourceSubscriptionId", + "CloudApplicationAppId", + "CloudApplicationAppName", + "DNSDomainName", + "FileDirectory", + "FileName", + "FileHashValue", + "HostAzureID", + "HostName", + "HostNetBiosName", + "HostNTDomain", + "HostOSVersion", + "IoTDeviceId", + "IoTDeviceName", + "IoTDeviceType", + "IoTDeviceVendor", + "IoTDeviceModel", + "IoTDeviceOperatingSystem", + "IPAddress", + "MailboxDisplayName", + "MailboxPrimaryAddress", + "MailboxUPN", + "MailMessageDeliveryAction", + "MailMessageDeliveryLocation", + "MailMessageRecipient", + "MailMessageSenderIP", + "MailMessageSubject", + "MailMessageP1Sender", + "MailMessageP2Sender", + "MalwareCategory", + "MalwareName", + "ProcessCommandLine", + "ProcessId", + "RegistryKey", + "RegistryValueData", + "Url" + ], + "type": "string", + "example": "IncidentTitle", + "x-ms-enum": { + "name": "AutomationRulePropertyConditionSupportedProperty", + "modelAsString": true, + "values": [ + { + "value": "IncidentTitle", + "description": "The title of the incident" + }, + { + "value": "IncidentDescription", + "description": "The description of the incident" + }, + { + "value": "IncidentSeverity", + "description": "The severity of the incident" + }, + { + "value": "IncidentStatus", + "description": "The status of the incident" + }, + { + "value": "IncidentRelatedAnalyticRuleIds", + "description": "The related Analytic rule ids of the incident" + }, + { + "value": "IncidentTactics", + "description": "The tactics of the incident" + }, + { + "value": "IncidentLabel", + "description": "The labels of the incident" + }, + { + "value": "IncidentProviderName", + "description": "The provider name of the incident" + }, + { + "value": "IncidentUpdatedBySource", + "description": "The update source of the incident" + }, + { + "value": "IncidentCustomDetailsKey", + "description": "The incident custom detail key" + }, + { + "value": "IncidentCustomDetailsValue", + "description": "The incident custom detail value" + }, + { + "value": "AccountAadTenantId", + "description": "The account Azure Active Directory tenant id" + }, + { + "value": "AccountAadUserId", + "description": "The account Azure Active Directory user id" + }, + { + "value": "AccountName", + "description": "The account name" + }, + { + "value": "AccountNTDomain", + "description": "The account NetBIOS domain name" + }, + { + "value": "AccountPUID", + "description": "The account Azure Active Directory Passport User ID" + }, + { + "value": "AccountSid", + "description": "The account security identifier" + }, + { + "value": "AccountObjectGuid", + "description": "The account unique identifier" + }, + { + "value": "AccountUPNSuffix", + "description": "The account user principal name suffix" + }, + { + "value": "AlertProductNames", + "description": "The name of the product of the alert" + }, + { + "value": "AlertAnalyticRuleIds", + "description": "The analytic rule ids of the alert" + }, + { + "value": "AzureResourceResourceId", + "description": "The Azure resource id" + }, + { + "value": "AzureResourceSubscriptionId", + "description": "The Azure resource subscription id" + }, + { + "value": "CloudApplicationAppId", + "description": "The cloud application identifier" + }, + { + "value": "CloudApplicationAppName", + "description": "The cloud application name" + }, + { + "value": "DNSDomainName", + "description": "The dns record domain name" + }, + { + "value": "FileDirectory", + "description": "The file directory full path" + }, + { + "value": "FileName", + "description": "The file name without path" + }, + { + "value": "FileHashValue", + "description": "The file hash value" + }, + { + "value": "HostAzureID", + "description": "The host Azure resource id" + }, + { + "value": "HostName", + "description": "The host name without domain" + }, + { + "value": "HostNetBiosName", + "description": "The host NetBIOS name" + }, + { + "value": "HostNTDomain", + "description": "The host NT domain" + }, + { + "value": "HostOSVersion", + "description": "The host operating system" + }, + { + "value": "IoTDeviceId", + "description": "\"The IoT device id" + }, + { + "value": "IoTDeviceName", + "description": "The IoT device name" + }, + { + "value": "IoTDeviceType", + "description": "The IoT device type" + }, + { + "value": "IoTDeviceVendor", + "description": "The IoT device vendor" + }, + { + "value": "IoTDeviceModel", + "description": "The IoT device model" + }, + { + "value": "IoTDeviceOperatingSystem", + "description": "The IoT device operating system" + }, + { + "value": "IPAddress", + "description": "The IP address" + }, + { + "value": "MailboxDisplayName", + "description": "The mailbox display name" + }, + { + "value": "MailboxPrimaryAddress", + "description": "The mailbox primary address" + }, + { + "value": "MailboxUPN", + "description": "The mailbox user principal name" + }, + { + "value": "MailMessageDeliveryAction", + "description": "The mail message delivery action" + }, + { + "value": "MailMessageDeliveryLocation", + "description": "The mail message delivery location" + }, + { + "value": "MailMessageRecipient", + "description": "The mail message recipient" + }, + { + "value": "MailMessageSenderIP", + "description": "The mail message sender IP address" + }, + { + "value": "MailMessageSubject", + "description": "The mail message subject" + }, + { + "value": "MailMessageP1Sender", + "description": "The mail message P1 sender" + }, + { + "value": "MailMessageP2Sender", + "description": "The mail message P2 sender" + }, + { + "value": "MalwareCategory", + "description": "The malware category" + }, + { + "value": "MalwareName", + "description": "The malware name" + }, + { + "value": "ProcessCommandLine", + "description": "The process execution command line" + }, + { + "value": "ProcessId", + "description": "The process id" + }, + { + "value": "RegistryKey", + "description": "The registry key path" + }, + { + "value": "RegistryValueData", + "description": "The registry key value in string formatted representation" + }, + { + "value": "Url", + "description": "The url" + } + ] + } + }, + "AutomationRulePropertyValuesChangedCondition": { + "type": "object", + "properties": { + "propertyName": { + "$ref": "#/definitions/AutomationRulePropertyChangedConditionSupportedPropertyType" + }, + "changeType": { + "$ref": "#/definitions/AutomationRulePropertyChangedConditionSupportedChangedType" + }, + "operator": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedOperator" + }, + "propertyValues": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "AutomationRulePropertyValuesCondition": { + "type": "object", + "properties": { + "propertyName": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty" + }, + "operator": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedOperator" + }, + "propertyValues": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "AutomationRuleRunPlaybookAction": { + "description": "Describes an automation rule action to run a playbook", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "type": "object", + "$ref": "#/definitions/PlaybookActionProperties" + } + }, + "x-ms-discriminator-value": "RunPlaybook", + "x-ms-client-flatten": true + }, + "AutomationRulesList": { + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRule" + } + }, + "nextLink": { + "type": "string" + } + } + }, + "AutomationRuleTriggeringLogic": { + "description": "Describes automation rule triggering logic.", + "required": [ + "isEnabled", + "triggersOn", + "triggersWhen" + ], + "type": "object", + "properties": { + "isEnabled": { + "description": "Determines whether the automation rule is enabled or disabled.", + "type": "boolean" + }, + "expirationTimeUtc": { + "format": "date-time", + "description": "Determines when the automation rule should automatically expire and be disabled.", + "type": "string" + }, + "triggersOn": { + "$ref": "#/definitions/triggersOn" + }, + "triggersWhen": { + "$ref": "#/definitions/triggersWhen" + }, + "conditions": { + "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object.", + "type": "array", + "maxItems": 50, + "items": { + "$ref": "#/definitions/AutomationRuleCondition" + }, + "x-ms-identifiers": [ + "conditionType" + ] + } + } + }, + "BooleanConditionProperties": { + "description": "Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRuleBooleanCondition" + } + }, + "x-ms-discriminator-value": "Boolean", + "x-ms-client-flatten": true + }, + "ConditionType": { + "enum": [ + "Property", + "PropertyArray", + "PropertyChanged", + "PropertyArrayChanged", + "Boolean" + ], + "type": "string", + "example": "Property", + "x-ms-enum": { + "name": "ConditionType", + "modelAsString": true, + "values": [ + { + "value": "Property", + "description": "Evaluate an object property value" + }, + { + "value": "PropertyArray", + "description": "Evaluate an object array property value" + }, + { + "value": "PropertyChanged", + "description": "Evaluate an object property changed value" + }, + { + "value": "PropertyArrayChanged", + "description": "Evaluate an object array property changed value" + }, + { + "value": "Boolean", + "description": "Apply a boolean operator (e.g AND, OR) to conditions" + } + ] + } + }, + "EntityManualTriggerRequestBody": { + "type": "object", + "description": "Describes the request body for triggering a playbook on an entity.", + "required": [ + "logicAppsResourceId" + ], + "properties": { + "incidentArmId": { + "type": "string", + "description": "Incident ARM id." + }, + "tenantId": { + "format": "uuid", + "type": "string", + "description": "The tenant id of the playbook resource." + }, + "logicAppsResourceId": { + "type": "string", + "description": "The resource id of the playbook resource." + } + } + }, + "IncidentPropertiesAction": { + "type": "object", + "properties": { + "severity": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum" + }, + "status": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentStatusEnum" + }, + "classification": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationEnum" + }, + "classificationReason": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationReasonEnum" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed.", + "type": "string" + }, + "owner": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo" + }, + "labels": { + "description": "List of labels to add to the incident.", + "type": "array", + "x-ms-identifiers": [ + "labelName" + ], + "items": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentLabel" + } + } + } + }, + "ManualTriggerRequestBody": { + "type": "object", + "required": [ + "logicAppsResourceId" + ], + "properties": { + "tenantId": { + "format": "uuid", + "type": "string" + }, + "logicAppsResourceId": { + "type": "string" + } + } + }, + "PlaybookActionProperties": { + "type": "object", + "required": [ + "logicAppResourceId" + ], + "properties": { + "logicAppResourceId": { + "description": "The resource id of the playbook resource.", + "type": "string" + }, + "tenantId": { + "format": "uuid", + "description": "The tenant id of the playbook resource.", + "type": "string" + } + } + }, + "PropertyArrayChangedConditionProperties": { + "description": "Describes an automation rule condition that evaluates an array property's value change", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRulePropertyArrayChangedValuesCondition" + } + }, + "x-ms-discriminator-value": "PropertyArrayChanged", + "x-ms-client-flatten": true + }, + "PropertyArrayConditionProperties": { + "description": "Describes an automation rule condition that evaluates an array property's value", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRulePropertyArrayValuesCondition" + } + }, + "x-ms-discriminator-value": "PropertyArray", + "x-ms-client-flatten": true + }, + "PropertyChangedConditionProperties": { + "description": "Describes an automation rule condition that evaluates a property's value change", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRulePropertyValuesChangedCondition" + } + }, + "x-ms-discriminator-value": "PropertyChanged", + "x-ms-client-flatten": true + }, + "PropertyConditionProperties": { + "description": "Describes an automation rule condition that evaluates a property's value", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "$ref": "#/definitions/AutomationRulePropertyValuesCondition" + } + }, + "x-ms-discriminator-value": "Property", + "x-ms-client-flatten": true + }, + "triggersOn": { + "enum": [ + "Incidents", + "Alerts" + ], + "type": "string", + "example": "Incidents", + "x-ms-enum": { + "name": "triggersOn", + "modelAsString": true, + "values": [ + { + "value": "Incidents", + "description": "Trigger on Incidents" + }, + { + "value": "Alerts", + "description": "Trigger on Alerts" + } + ] + } + }, + "triggersWhen": { + "enum": [ + "Created", + "Updated" + ], + "type": "string", + "example": "Created", + "x-ms-enum": { + "name": "triggersWhen", + "modelAsString": true, + "values": [ + { + "value": "Created", + "description": "Trigger on created objects" + }, + { + "value": "Updated", + "description": "Trigger on updated objects" + } + ] + } + } + }, + "parameters": { + "AutomationRule": { + "name": "automationRule", + "description": "The automation rule", + "required": true, + "in": "body", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "AutomationRuleId": { + "in": "path", + "name": "automationRuleId", + "description": "Automation rule ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" + } + }, + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "flow": "implicit", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "scopes": { + "user_impersonation": "impersonate your user account" + }, + "description": "Azure Active Directory OAuth2 Flow" + } + }, + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "consumes": [ + "application/json" + ] +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json new file mode 100644 index 000000000000..2ad050d54c59 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json @@ -0,0 +1,751 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { + "get": { + "x-ms-examples": { + "Get all bookmarks.": { + "$ref": "./examples/bookmarks/GetBookmarks.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets all bookmarks.", + "operationId": "Bookmarks_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { + "get": { + "x-ms-examples": { + "Get a bookmark.": { + "$ref": "./examples/bookmarks/GetBookmarkById.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets a bookmark.", + "operationId": "Bookmarks_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a bookmark.": { + "$ref": "./examples/bookmarks/CreateBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Creates or updates the bookmark.", + "operationId": "Bookmarks_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/Bookmark" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a bookmark.": { + "$ref": "./examples/bookmarks/DeleteBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Delete the bookmark.", + "operationId": "Bookmarks_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { + "get": { + "x-ms-examples": { + "Get all bookmark relations.": { + "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Gets all bookmark relations.", + "operationId": "BookmarkRelations_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "./common/RelationTypes.json#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { + "post": { + "x-ms-examples": { + "Expand an bookmark": { + "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" + } + }, + "description": "Expand an bookmark", + "operationId": "Bookmark_Expand", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/BookmarkExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkExpandResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "tags": [ + "Bookmark" + ] + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Gets a bookmark relation.", + "operationId": "BookmarkRelations_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/CreateBookmarkRelation.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Creates the bookmark relation.", + "operationId": "BookmarkRelations_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/Relation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete the bookmark relation.": { + "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Delete the bookmark relation.", + "operationId": "BookmarkRelations_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "Bookmark": { + "description": "The bookmark", + "in": "body", + "name": "bookmark", + "required": true, + "schema": { + "$ref": "#/definitions/Bookmark" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkExpandRequestBody": { + "description": "The parameters required to execute an expand operation on the given bookmark.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/BookmarkExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkId": { + "description": "Bookmark ID", + "in": "path", + "name": "bookmarkId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "Bookmark": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a bookmark in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/BookmarkProperties", + "description": "Bookmark properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "BookmarkExpandParameters": { + "description": "The parameters required to execute an expand operation on the given bookmark.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" + }, + "startTime": { + "description": "The start date filter, so the only expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + }, + "type": "object" + }, + "BookmarkExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": "./common/EntityTypes.json#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." + }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/Entity" + }, + "type": "array" + }, + "edges": { + "description": "Array of expansion result connected entities", + "items": { + "$ref": "#/definitions/ConnectedEntity" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "BookmarkList": { + "description": "List all the bookmarks.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of bookmarks.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of bookmarks.", + "items": { + "$ref": "#/definitions/Bookmark" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "BookmarkProperties": { + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "eventTime": { + "description": "The bookmark event time", + "format": "date-time", + "type": "string" + }, + "queryStartTime": { + "description": "The start time for the query", + "format": "date-time", + "type": "string" + }, + "queryEndTime": { + "description": "The end time for the query", + "format": "date-time", + "type": "string" + }, + "incidentInfo": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + }, + "entityMappings": { + "$ref": "#/definitions/EntityMappingsList", + "description": "Describes the entity mappings of the bookmark", + "type": "object" + }, + "tactics": { + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "description": "A list of relevant mitre attacks", + "type": "array" + }, + "techniques": { + "items": { + "$ref": "#/definitions/AttackTechnique" + }, + "description": "A list of relevant mitre techniques", + "type": "array" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + }, + "ConnectedEntity": { + "description": "Expansion result connected entities", + "properties": { + "targetEntityId": { + "description": "Entity Id of the connected entity", + "type": "string" + }, + "additionalData": { + "description": "key-value pairs for a connected entity mapping", + "type": "object" + } + }, + "type": "object" + }, + "EntityMappingsList": { + "description": "Describes the entity mappings of the bookmark", + "items": { + "$ref": "#/definitions/BookmarkEntityMappings" + }, + "x-ms-identifiers": [], + "type": "array" + }, + "BookmarkEntityMappings": { + "description": "Describes the entity mappings of a single entity", + "properties": { + "entityType": { + "description": "The entity type", + "type": "string" + }, + "fieldMappings": { + "description": "Array of fields mapping for that entity type", + "items": { + "$ref": "#/definitions/EntityFieldMapping" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "type": "object" + }, + "EntityFieldMapping": { + "description": "Map identifiers of a single entity", + "properties": { + "identifier": { + "description": "Alert V3 identifier", + "type": "string" + }, + "value": { + "description": "The value of the identifier", + "type": "string" + } + }, + "type": "object" + }, + "AttackTechnique": { + "description": "Mitre technique (https://attack.mitre.org/matrices/enterprise/)", + "type": "string" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json new file mode 100644 index 000000000000..73eef9ce1e00 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json @@ -0,0 +1,381 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": { + "get": { + "x-ms-examples": { + "Get geodata for a single IP address": { + "$ref": "./examples/enrichment/GetGeodataByIp.json" + } + }, + "tags": [ + "Enrichment" + ], + "description": "Get geodata for a single IP address", + "operationId": "IPGeodata_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "#/parameters/EnrichmentIpAddress" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EnrichmentIpGeodata" + } + }, + "default": { + "description": "Error response describing why the operation failed to enrich this ip.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": { + "get": { + "x-ms-examples": { + "Get whois information for a single domain name": { + "$ref": "./examples/enrichment/GetWhoisByDomainName.json" + } + }, + "tags": [ + "Enrichment" + ], + "description": "Get whois information for a single domain name", + "operationId": "DomainWhois_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "#/parameters/EnrichmentDomain" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EnrichmentDomainWhois" + } + }, + "default": { + "description": "Error response describing why the operation failed to enrich this domain.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "EnrichmentIpAddress": { + "description": "IP address (v4 or v6) to be enriched", + "in": "query", + "name": "ipAddress", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EnrichmentDomain": { + "description": "Domain name to be enriched", + "in": "query", + "name": "domain", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "EnrichmentDomainWhois": { + "description": "Whois information for a given domain and associated metadata", + "properties": { + "domain": { + "description": "The domain for this whois record", + "type": "string" + }, + "server": { + "description": "The hostname of this registrar's whois server", + "type": "string" + }, + "created": { + "description": "The timestamp at which this record was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The timestamp at which this record was last updated", + "format": "date-time", + "type": "string" + }, + "expires": { + "description": "The timestamp at which this record will expire", + "format": "date-time", + "type": "string" + }, + "parsedWhois": { + "description": "The whois record for a given domain", + "$ref": "#/definitions/EnrichmentDomainWhoisDetails" + } + }, + "type": "object" + }, + "EnrichmentDomainWhoisDetails": { + "description": "The whois record for a given domain", + "properties": { + "registrar": { + "description": "The registrar associated with this domain", + "$ref": "#/definitions/EnrichmentDomainWhoisRegistrarDetails" + }, + "contacts": { + "description": "The set of contacts associated with this domain", + "$ref": "#/definitions/EnrichmentDomainWhoisContacts" + }, + "nameServers": { + "description": "A list of name servers associated with this domain", + "type": "array", + "items": { + "type": "string" + } + }, + "statuses": { + "description": "The set of status flags for this whois record", + "type": "array", + "items": { + "type": "string" + } + } + }, + "type": "object" + }, + "EnrichmentDomainWhoisRegistrarDetails": { + "description": "The registrar associated with this domain", + "properties": { + "name": { + "description": "The name of this registrar", + "type": "string" + }, + "abuseContactEmail": { + "description": "This registrar's abuse contact email", + "type": "string" + }, + "abuseContactPhone": { + "description": "This registrar's abuse contact phone number", + "type": "string" + }, + "ianaId": { + "description": "This registrar's Internet Assigned Numbers Authority id", + "type": "string" + }, + "url": { + "description": "This registrar's URL", + "type": "string" + }, + "whoisServer": { + "description": "The hostname of this registrar's whois server", + "type": "string" + } + }, + "type": "object" + }, + "EnrichmentDomainWhoisContacts": { + "description": "The set of contacts associated with this domain", + "properties": { + "admin": { + "description": "The admin contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + }, + "billing": { + "description": "The billing contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + }, + "registrant": { + "description": "The registrant contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + }, + "tech": { + "description": "The technical contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + } + }, + "type": "object" + }, + "EnrichmentDomainWhoisContact": { + "description": "An individual contact associated with this domain", + "properties": { + "name": { + "description": "The name of this contact", + "type": "string" + }, + "org": { + "description": "The organization for this contact", + "type": "string" + }, + "street": { + "description": "A list describing the street address for this contact", + "type": "array", + "items": { + "type": "string" + } + }, + "city": { + "description": "The city for this contact", + "type": "string" + }, + "state": { + "description": "The state for this contact", + "type": "string" + }, + "postal": { + "description": "The postal code for this contact", + "type": "string" + }, + "country": { + "description": "The country for this contact", + "type": "string" + }, + "phone": { + "description": "The phone number for this contact", + "type": "string" + }, + "fax": { + "description": "The fax number for this contact", + "type": "string" + }, + "email": { + "description": "The email address for this contact", + "type": "string" + } + }, + "type": "object" + }, + "EnrichmentIpGeodata": { + "description": "Geodata information for a given IP address", + "properties": { + "asn": { + "description": "The autonomous system number associated with this IP address", + "type": "string" + }, + "carrier": { + "description": "The name of the carrier for this IP address", + "type": "string" + }, + "city": { + "description": "The city this IP address is located in", + "type": "string" + }, + "cityCf": { + "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100", + "type": "integer", + "format": "int32" + }, + "continent": { + "description": "The continent this IP address is located on", + "type": "string" + }, + "country": { + "description": "The county this IP address is located in", + "type": "string" + }, + "countryCf": { + "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100", + "type": "integer", + "format": "int32" + }, + "ipAddr": { + "description": "The dotted-decimal or colon-separated string representation of the IP address", + "type": "string" + }, + "ipRoutingType": { + "description": "A description of the connection type of this IP address", + "type": "string" + }, + "latitude": { + "description": "The latitude of this IP address", + "type": "string" + }, + "longitude": { + "description": "The longitude of this IP address", + "type": "string" + }, + "organization": { + "description": "The name of the organization for this IP address", + "type": "string" + }, + "organizationType": { + "description": "The type of the organization for this IP address", + "type": "string" + }, + "region": { + "description": "The geographic region this IP address is located in", + "type": "string" + }, + "state": { + "description": "The state this IP address is located in", + "type": "string" + }, + "stateCf": { + "description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100", + "type": "integer", + "format": "int32" + }, + "stateCode": { + "description": "The abbreviated name for the state this IP address is located in", + "type": "string" + } + }, + "type": "object" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json new file mode 100644 index 000000000000..d7d3ae106837 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json @@ -0,0 +1,1556 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { + "get": { + "x-ms-examples": { + "Get all entities.": { + "$ref": "./examples/entities/GetEntities.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Gets all entities.", + "operationId": "Entities_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { + "get": { + "x-ms-examples": { + "Get an account entity.": { + "$ref": "./examples/entities/GetAccountEntityById.json" + }, + "Get a host entity.": { + "$ref": "./examples/entities/GetHostEntityById.json" + }, + "Get a file entity.": { + "$ref": "./examples/entities/GetFileEntityById.json" + }, + "Get a security alert entity.": { + "$ref": "./examples/entities/GetSecurityAlertEntityById.json" + }, + "Get a file hash entity.": { + "$ref": "./examples/entities/GetFileHashEntityById.json" + }, + "Get a malware entity.": { + "$ref": "./examples/entities/GetMalwareEntityById.json" + }, + "Get a security group entity.": { + "$ref": "./examples/entities/GetSecurityGroupEntityById.json" + }, + "Get an azure resource entity.": { + "$ref": "./examples/entities/GetAzureResourceEntityById.json" + }, + "Get a cloud application entity.": { + "$ref": "./examples/entities/GetCloudApplicationEntityById.json" + }, + "Get a process entity.": { + "$ref": "./examples/entities/GetProcessEntityById.json" + }, + "Get a dns entity.": { + "$ref": "./examples/entities/GetDnsEntityById.json" + }, + "Get an ip entity.": { + "$ref": "./examples/entities/GetIpEntityById.json" + }, + "Get a registry key entity.": { + "$ref": "./examples/entities/GetRegistryKeyEntityById.json" + }, + "Get a registry value entity.": { + "$ref": "./examples/entities/GetRegistryValueEntityById.json" + }, + "Get a url entity.": { + "$ref": "./examples/entities/GetUrlEntityById.json" + }, + "Get an IoT device entity.": { + "$ref": "./examples/entities/GetIoTDeviceEntityById.json" + }, + "Get a mailCluster entity.": { + "$ref": "./examples/entities/GetMailClusterEntityById.json" + }, + "Get a mailbox entity.": { + "$ref": "./examples/entities/GetMailboxEntityById.json" + }, + "Get a mailMessage entity.": { + "$ref": "./examples/entities/GetMailMessageEntityById.json" + }, + "Get a submissionMail entity.": { + "$ref": "./examples/entities/GetSubmissionMailEntityById.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Gets an entity.", + "operationId": "Entities_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/EntityTypes.json#/definitions/Entity" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { + "post": { + "x-ms-examples": { + "Expand an entity": { + "$ref": "./examples/entities/expand/PostExpandEntity.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Expands an entity.", + "operationId": "Entities_Expand", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityExpandResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { + "post": { + "x-ms-examples": { + "Entity timeline": { + "$ref": "./examples/entities/timeline/PostTimelineEntity.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Timeline for an entity.", + "operationId": "EntitiesGetTimeline_list", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityTimelineRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityTimelineResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { + "get": { + "x-ms-examples": { + "Get Entity Query": { + "$ref": "./examples/entities/GetQueries.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Get Insights and Activities for an entity.", + "operationId": "Entities_Queries", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityQueryKindParam" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/GetQueriesResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { + "post": { + "x-ms-examples": { + "Entity Insight": { + "$ref": "./examples/entities/insights/PostGetInsights.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Execute Insights for an entity.", + "operationId": "Entities_GetInsights", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityGetInsightsResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { + "get": { + "x-ms-examples": { + "Get all relations of an entity.": { + "$ref": "./examples/entities/relations/GetAllEntityRelations.json" + } + }, + "tags": [ + "EntityRelations" + ], + "description": "Gets all relations of an entity.", + "operationId": "EntitiesRelations_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "./common/RelationTypes.json#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get an entity relation.": { + "$ref": "./examples/entities/relations/GetEntityRelationByName.json" + } + }, + "tags": [ + "EntityRelations" + ], + "description": "Gets an entity relation.", + "operationId": "EntityRelations_GetRelation", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "EntityExpandRequestBody": { + "description": "The parameters required to execute an expand operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityTimelineRequestBody": { + "description": "The parameters required to execute an timeline operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityTimelineParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityQueryKindParam": { + "description": "The Kind parameter for queries", + "in": "query", + "name": "kind", + "required": true, + "type": "string", + "enum": [ + "Insight" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "EntityItemQueryKind", + "values": [ + { + "description": "insight", + "value": "Insight" + } + ] + }, + "x-ms-parameter-location": "method" + }, + "GetInsightsEntityQueriesRequestBody": { + "description": "The parameters required to execute insights on the given entity.", + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/EntityGetInsightsParameters" + }, + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "ActivityTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents Activity timeline item.", + "properties": { + "queryId": { + "type": "string", + "description": "The activity query id." + }, + "bucketStartTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket start time." + }, + "bucketEndTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket end time." + }, + "firstActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the first activity in the grouping bucket." + }, + "lastActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the last activity in the grouping bucket." + }, + "content": { + "type": "string", + "description": "The activity timeline content." + }, + "title": { + "type": "string", + "description": "The activity timeline title." + } + }, + "required": [ + "queryId", + "bucketStartTimeUTC", + "bucketEndTimeUTC", + "firstActivityTimeUTC", + "lastActivityTimeUTC", + "content", + "title" + ], + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "BookmarkTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents bookmark timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The bookmark azure resource id." + }, + "displayName": { + "type": "string", + "description": "The bookmark display name." + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The bookmark end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The bookmark start time." + }, + "eventTime": { + "format": "date-time", + "type": "string", + "description": "The bookmark event time." + }, + "createdBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that created the bookmark" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array" + } + }, + "required": [ + "azureResourceId" + ], + "type": "object", + "x-ms-discriminator-value": "Bookmark" + }, + "AnomalyTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents anomaly timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The anomaly azure resource id." + }, + "productName": { + "type": "string", + "description": "The anomaly product name." + }, + "description": { + "type": "string", + "description": "The anomaly description." + }, + "displayName": { + "type": "string", + "description": "The anomaly name." + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The anomaly end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The anomaly start time." + }, + "timeGenerated": { + "format": "date-time", + "type": "string", + "description": "The anomaly generated time." + }, + "vendor": { + "type": "string", + "description": "The name of the anomaly vendor." + }, + "intent": { + "type": "string", + "description": "The intent of the anomaly." + }, + "techniques": { + "type": "array", + "items": { + "type": "string", + "description": "technique of the anomaly" + }, + "description": "The techniques of the anomaly." + }, + "reasons": { + "type": "array", + "items": { + "type": "string", + "description": "Reason of the anomaly" + }, + "description": "The reasons that cause the anomaly." + } + }, + "required": [ + "azureResourceId", + "displayName", + "endTimeUtc", + "startTimeUtc", + "timeGenerated" + ], + "type": "object", + "x-ms-discriminator-value": "Anomaly" + }, + "EntityGetInsightsParameters": { + "description": "The parameters required to execute insights operation on the given entity.", + "type": "object", + "properties": { + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "addDefaultExtendedTimeRange": { + "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", + "type": "boolean" + }, + "insightQueryIds": { + "description": "List of Insights Query Id. If empty, default value is all insights of this entity", + "type": "array", + "items": { + "description": "Insight Query Id (GUID)", + "format": "uuid", + "type": "string" + } + } + }, + "required": [ + "startTime", + "endTime" + ] + }, + "EntityGetInsightsResponse": { + "description": "The Get Insights result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/GetInsightsResultsMetadata", + "description": "The metadata from the get insights operation results." + }, + "value": { + "description": "The insights result values.", + "items": { + "$ref": "#/definitions/EntityInsightItem" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "EntityEdges": { + "description": "The edge that connects the entity to the other entity.", + "properties": { + "targetEntityId": { + "description": "The target entity Id.", + "type": "string" + }, + "additionalData": { + "additionalProperties": true, + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "type": "object" + } + }, + "type": "object" + }, + "EntityExpandParameters": { + "description": "The parameters required to execute an expand operation on the given entity.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" + }, + "startTime": { + "description": "The start date filter, so the only expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + }, + "type": "object" + }, + "EntityExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": "./common/EntityTypes.json#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." + }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/Entity" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "edges": { + "description": "Array of edges that connects the entity to the list of entities.", + "items": { + "$ref": "#/definitions/EntityEdges" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "EntityInsightItem": { + "description": "Entity insight Item.", + "type": "object", + "properties": { + "queryId": { + "type": "string", + "description": "The query id of the insight" + }, + "queryTimeInterval": { + "type": "object", + "description": "The Time interval that the query actually executed on.", + "properties": { + "startTime": { + "format": "date-time", + "type": "string", + "description": "Insight query start time" + }, + "endTime": { + "format": "date-time", + "type": "string", + "description": "Insight query end time" + } + } + }, + "tableQueryResults": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + }, + "chartQueryResults": { + "type": "array", + "description": "Query results for table insights query.", + "items": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + }, + "x-ms-identifiers": [] + } + } + }, + "EntityList": { + "description": "List of all the entities.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entities.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entities.", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/Entity" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "EntityTimelineItem": { + "description": "Entity timeline Item.", + "discriminator": "kind", + "type": "object", + "properties": { + "kind": { + "$ref": "#/definitions/EntityTimelineKind", + "description": "The entity query kind type." + } + }, + "required": [ + "kind" + ] + }, + "EntityTimelineResponse": { + "description": "The entity timeline result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/TimelineResultsMetadata", + "description": "The metadata from the timeline operation results." + }, + "value": { + "description": "The timeline result values.", + "items": { + "$ref": "#/definitions/EntityTimelineItem" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "EntityTimelineKind": { + "description": "The entity query kind", + "enum": [ + "Activity", + "Bookmark", + "SecurityAlert", + "Anomaly" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityTimelineKind", + "values": [ + { + "description": "activity", + "value": "Activity" + }, + { + "description": "bookmarks", + "value": "Bookmark" + }, + { + "description": "security alerts", + "value": "SecurityAlert" + }, + { + "description": "anomaly", + "value": "Anomaly" + } + ] + } + }, + "EntityTimelineParameters": { + "description": "The parameters required to execute s timeline operation on the given entity.", + "properties": { + "kinds": { + "description": "Array of timeline Item kinds.", + "items": { + "$ref": "#/definitions/EntityTimelineKind" + }, + "type": "array" + }, + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "numberOfBucket": { + "description": "The number of bucket for timeline queries aggregation.", + "type": "integer", + "format": "int32" + } + }, + "type": "object", + "required": [ + "startTime", + "endTime" + ] + }, + "EntityQueryItem": { + "description": "An abstract Query item for entity", + "type": "object", + "discriminator": "kind", + "properties": { + "id": { + "description": "Query Template ARM ID", + "type": "string", + "readOnly": true + }, + "name": { + "description": "Query Template ARM Name", + "type": "string" + }, + "type": { + "description": "ARM Type", + "type": "string" + }, + "kind": { + "$ref": "./common/EntityTypes.json#/definitions/EntityQueryKind", + "description": "The kind of the entity query" + } + }, + "required": [ + "kind" + ] + }, + "EntityQueryItemProperties": { + "description": "An properties abstract Query item for entity", + "type": "object", + "properties": { + "dataTypes": { + "description": "Data types for template", + "type": "array", + "items": { + "properties": { + "dataType": { + "description": "Data type name", + "type": "string" + } + }, + "type": "object" + }, + "x-ms-identifiers": [] + }, + "inputEntityType": { + "description": "The type of the entity", + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerType" + }, + "requiredInputFieldsSets": { + "description": "Data types for template", + "type": "array", + "items": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object" + } + } + }, + "InsightsTableResult": { + "type": "object", + "description": "Query results for table insights query.", + "properties": { + "columns": { + "type": "array", + "description": "Columns Metadata of the table", + "items": { + "properties": { + "type": { + "type": "string", + "description": "the type of the colum" + }, + "name": { + "type": "string", + "description": "the name of the colum" + } + }, + "type": "object" + }, + "x-ms-identifiers": [] + }, + "rows": { + "type": "array", + "description": "Rows data of the table", + "items": { + "type": "array", + "description": "Single row of data", + "items": { + "type": "string", + "description": "Cell in the table" + } + } + } + } + }, + "InsightQueryItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItem" + } + ], + "description": "Represents Insight Query.", + "properties": { + "properties": { + "description": "Properties bag for InsightQueryItem", + "$ref": "#/definitions/InsightQueryItemProperties" + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "InsightQueryItemProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItemProperties" + } + ], + "description": "Represents Insight Query.", + "properties": { + "displayName": { + "type": "string", + "description": "The insight display name." + }, + "description": { + "type": "string", + "description": "The insight description." + }, + "baseQuery": { + "type": "string", + "description": "The base query of the insight." + }, + "tableQuery": { + "type": "object", + "description": "The insight table query.", + "properties": { + "columnsDefinitions": { + "type": "array", + "description": "List of insight column definitions.", + "items": { + "properties": { + "header": { + "type": "string", + "description": "Insight column header." + }, + "outputType": { + "type": "string", + "description": "Insights Column type.", + "enum": [ + "Number", + "String", + "Date", + "Entity" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "outputType" + } + }, + "supportDeepLink": { + "type": "boolean", + "description": "Is query supports deep-link." + } + }, + "type": "object" + }, + "x-ms-identifiers": [] + }, + "queriesDefinitions": { + "type": "array", + "description": "List of insight queries definitions.", + "x-ms-identifiers": [], + "items": { + "properties": { + "filter": { + "type": "string", + "description": "Insight column header." + }, + "summarize": { + "type": "string", + "description": "Insight column header." + }, + "project": { + "type": "string", + "description": "Insight column header." + }, + "linkColumnsDefinitions": { + "type": "array", + "description": "Insight column header.", + "x-ms-identifiers": [], + "items": { + "properties": { + "projectedName": { + "type": "string", + "description": "Insight Link Definition Projected Name." + }, + "Query": { + "type": "string", + "description": "Insight Link Definition Query." + } + }, + "type": "object" + } + } + }, + "type": "object" + } + } + } + }, + "chartQuery": { + "type": "object", + "description": "The insight chart query." + }, + "additionalQuery": { + "type": "object", + "description": "The activity query definitions.", + "properties": { + "query": { + "type": "string", + "description": "The insight query." + }, + "text": { + "type": "string", + "description": "The insight text." + } + } + }, + "defaultTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "The padding for the start time of the query." + }, + "afterRange": { + "type": "string", + "description": "The padding for the end time of the query." + } + } + }, + "referenceTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "Additional query time for looking back." + } + } + } + }, + "type": "object" + }, + "GetInsightsResultsMetadata": { + "description": "Get Insights result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the insights request", + "type": "integer", + "format": "int32" + }, + "errors": { + "description": "information about the failed queries", + "items": { + "$ref": "#/definitions/GetInsightsErrorKind" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "required": [ + "totalCount" + ], + "type": "object" + }, + "GetInsightsErrorKind": { + "description": "GetInsights Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "type": "string", + "enum": [ + "Insight" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "GetInsightsError", + "values": [ + { + "value": "Insight" + } + ] + } + }, + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "GetQueriesResponse": { + "description": "Retrieve queries for entity result operation response.", + "properties": { + "value": { + "description": "The query result values.", + "items": { + "$ref": "#/definitions/EntityQueryItem" + }, + "type": "array" + } + }, + "type": "object" + }, + "SecurityAlertTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents security alert timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The alert azure resource id." + }, + "productName": { + "type": "string", + "description": "The alert product name." + }, + "description": { + "type": "string", + "description": "The alert description." + }, + "displayName": { + "type": "string", + "description": "The alert name." + }, + "severity": { + "$ref": "./common/AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The alert severity." + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert start time." + }, + "timeGenerated": { + "format": "date-time", + "type": "string", + "description": "The alert generated time." + }, + "alertType": { + "type": "string", + "description": "The name of the alert type." + }, + "intent": { + "type": "string", + "description": "The intent of the alert.", + "enum": [ + "Unknown", + "Probing", + "Exploitation", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "KillChainIntent", + "values": [ + { + "description": "The default value.", + "value": "Unknown" + }, + { + "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", + "value": "Probing" + }, + { + "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", + "value": "Exploitation" + }, + { + "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", + "value": "Persistence" + }, + { + "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", + "value": "PrivilegeEscalation" + }, + { + "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", + "value": "DefenseEvasion" + }, + { + "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", + "value": "CredentialAccess" + }, + { + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", + "value": "Discovery" + }, + { + "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", + "value": "LateralMovement" + }, + { + "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", + "value": "Execution" + }, + { + "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Collection" + }, + { + "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Exfiltration" + }, + { + "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", + "value": "CommandAndControl" + }, + { + "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", + "value": "Impact" + } + ] + } + }, + "techniques": { + "type": "array", + "items": { + "type": "string", + "description": "technique of the alert" + }, + "description": "The techniques of the alert." + } + }, + "required": [ + "azureResourceId", + "displayName", + "severity", + "endTimeUtc", + "startTimeUtc", + "timeGenerated", + "alertType" + ], + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" + }, + "TimelineError": { + "description": "Timeline Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + }, + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "TimelineResultsMetadata": { + "description": "Expansion result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the timeline request", + "type": "integer", + "format": "int32" + }, + "aggregations": { + "description": "timeline aggregation per kind", + "items": { + "$ref": "#/definitions/TimelineAggregation" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "errors": { + "description": "information about the failure queries", + "items": { + "$ref": "#/definitions/TimelineError" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "required": [ + "totalCount", + "aggregations" + ], + "type": "object" + }, + "TimelineAggregation": { + "description": "timeline aggregation information per kind", + "properties": { + "count": { + "description": "the total items found for a kind", + "type": "integer", + "format": "int32" + }, + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + } + }, + "required": [ + "kind", + "count" + ], + "type": "object" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json new file mode 100644 index 000000000000..c858ce70c4e6 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json @@ -0,0 +1,507 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { + "get": { + "x-ms-examples": { + "Get all entity queries.": { + "$ref": "./examples/entityQueries/GetEntityQueries.json" + } + }, + "tags": [ + "EntityQueries" + ], + "description": "Gets all entity queries.", + "operationId": "EntityQueries_List", + "parameters": [ + { + "$ref": "#/parameters/EntityQueryKind" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQueryList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { + "get": { + "x-ms-examples": { + "Get an Expansion entity query.": { + "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json" + }, + "Get an Activity entity query.": { + "$ref": "./examples/entityQueries/GetActivityEntityQueryById.json" + } + }, + "tags": [ + "EntityQueries" + ], + "description": "Gets an entity query.", + "operationId": "EntityQueries_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityQueryId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQuery" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an Activity entity query.": { + "$ref": "./examples/entityQueries/CreateEntityQueryActivity.json" + } + }, + "tags": [ + "EntityQueries" + ], + "description": "Creates or updates the entity query.", + "operationId": "EntityQueries_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityQueryId" + }, + { + "$ref": "#/parameters/CustomEntityQuery" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQuery" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/EntityQuery" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an entity query.": { + "$ref": "./examples/entityQueries/DeleteEntityQuery.json" + } + }, + "tags": [ + "EntityQueries" + ], + "description": "Delete the entity query.", + "operationId": "EntityQueries_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityQueryId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "CustomEntityQueryKind": { + "description": "The kind of the entity query that supports put request.", + "enum": [ + "Activity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CustomEntityQueryKind", + "values": [ + { + "value": "Activity" + } + ] + } + }, + "EntityQueryList": { + "description": "List of all the entity queries.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entity queries.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entity queries.", + "items": { + "$ref": "#/definitions/EntityQuery" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "EntityQuery": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Specific entity query.", + "discriminator": "kind", + "properties": { + "kind": { + "$ref": "./common/EntityTypes.json#/definitions/EntityQueryKind", + "description": "the entity query kind" + } + }, + "type": "object", + "required": [ + "kind" + ] + }, + "CustomEntityQuery": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Specific entity query that supports put requests.", + "discriminator": "kind", + "properties": { + "kind": { + "$ref": "#/definitions/CustomEntityQueryKind", + "description": "the entity query kind" + } + }, + "type": "object", + "required": [ + "kind" + ] + }, + "ExpansionEntityQuery": { + "description": "Represents Expansion entity query.", + "allOf": [ + { + "$ref": "#/definitions/EntityQuery" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/ExpansionEntityQueriesProperties", + "description": "Expansion entity query properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Expansion" + }, + "ExpansionEntityQueriesProperties": { + "description": "Describes expansion entity query properties", + "properties": { + "dataSources": { + "description": "List of the data sources that are required to run the query", + "items": { + "description": "data source", + "type": "string" + }, + "type": "array" + }, + "displayName": { + "description": "The query display name", + "type": "string" + }, + "inputEntityType": { + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "inputFields": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "input field", + "type": "string" + }, + "type": "array" + }, + "outputEntityTypes": { + "description": "List of the desired output types to be constructed from the result", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerType", + "description": "output entity type" + }, + "type": "array" + }, + "queryTemplate": { + "description": "The template query string to be parsed and formatted", + "type": "string" + } + }, + "type": "object" + }, + "ActivityEntityQuery": { + "description": "Represents Activity entity query.", + "allOf": [ + { + "$ref": "#/definitions/EntityQuery" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/ActivityEntityQueriesProperties", + "description": "Activity entity query properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "ActivityCustomEntityQuery": { + "description": "Represents Activity entity query.", + "allOf": [ + { + "$ref": "#/definitions/CustomEntityQuery" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/ActivityEntityQueriesProperties", + "description": "Activity entity query properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "ActivityEntityQueriesProperties": { + "description": "Describes activity entity query properties", + "properties": { + "title": { + "description": "The entity query title", + "type": "string" + }, + "content": { + "description": "The entity query content to display in timeline", + "type": "string" + }, + "description": { + "description": "The entity query description", + "type": "string" + }, + "queryDefinitions": { + "description": "The Activity query definitions", + "properties": { + "query": { + "description": "The Activity query to run on a given entity", + "type": "string" + } + }, + "type": "object" + }, + "inputEntityType": { + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "requiredInputFieldsSets": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "Sub sets of the field of the source entity that are required to run the query", + "items": { + "description": "Required input field name", + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object", + "additionalProperties": { + "description": "Filter field name", + "items": { + "description": "Filter field values", + "type": "string" + }, + "type": "array" + } + }, + "templateName": { + "description": "The template id this activity was created from", + "type": "string" + }, + "enabled": { + "description": "Determines whether this activity is enabled or disabled.", + "type": "boolean" + }, + "createdTimeUtc": { + "description": "The time the activity was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "lastModifiedTimeUtc": { + "description": "The last time the activity was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + } + }, + "parameters": { + "EntityQueryId": { + "description": "entity query ID", + "in": "path", + "name": "entityQueryId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryKind": { + "description": "The entity query kind we want to fetch", + "in": "query", + "name": "kind", + "required": false, + "enum": [ + "Expansion", + "Activity" + ], + "type": "string", + "x-ms-parameter-location": "method" + }, + "CustomEntityQuery": { + "description": "The entity query we want to create or update", + "in": "body", + "name": "entityQuery", + "required": true, + "schema": { + "$ref": "#/definitions/CustomEntityQuery" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json new file mode 100644 index 000000000000..7fdacb007a4e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json @@ -0,0 +1,304 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueryTemplates": { + "get": { + "x-ms-examples": { + "Get all entity query templates.": { + "$ref": "./examples/entityQueryTemplates/GetEntityQueryTemplates.json" + } + }, + "tags": [ + "EntityQueries" + ], + "description": "Gets all entity query templates.", + "operationId": "EntityQueryTemplates_List", + "parameters": [ + { + "$ref": "#/parameters/EntityQueryTemplateKind" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQueryTemplateList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueryTemplates/{entityQueryTemplateId}": { + "get": { + "x-ms-examples": { + "Get an Activity entity query template.": { + "$ref": "./examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json" + } + }, + "tags": [ + "EntityQueries" + ], + "description": "Gets an entity query.", + "operationId": "EntityQueryTemplates_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityQueryTemplateId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQueryTemplate" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "EntityQueryTemplateKind": { + "description": "The kind of the entity query template.", + "enum": [ + "Activity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityQueryTemplateKind", + "values": [ + { + "value": "Activity" + } + ] + } + }, + "EntityQueryTemplateList": { + "description": "List of all the entity query templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entity query templates.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entity query templates.", + "items": { + "$ref": "#/definitions/EntityQueryTemplate" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "EntityQueryTemplate": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" + } + ], + "description": "Specific entity query template.", + "discriminator": "kind", + "properties": { + "kind": { + "$ref": "#/definitions/EntityQueryTemplateKind", + "description": "the entity query template kind" + } + }, + "type": "object", + "required": [ + "kind" + ] + }, + "ActivityEntityQueryTemplate": { + "description": "Represents Activity entity query.", + "allOf": [ + { + "$ref": "#/definitions/EntityQueryTemplate" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/ActivityEntityQueryTemplateProperties", + "description": "Activity entity query properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "ActivityEntityQueryTemplateProperties": { + "description": "Describes activity entity query properties", + "properties": { + "title": { + "description": "The entity query title", + "type": "string" + }, + "content": { + "description": "The entity query content to display in timeline", + "type": "string" + }, + "description": { + "description": "The entity query description", + "type": "string" + }, + "queryDefinitions": { + "description": "The Activity query definitions", + "properties": { + "query": { + "description": "The Activity query to run on a given entity", + "type": "string" + }, + "summarizeBy": { + "description": "The dimensions we want to summarize the timeline results on, this is comma separated list", + "type": "string" + } + }, + "type": "object" + }, + "dataTypes": { + "description": "List of required data types for the given entity query template", + "items": { + "$ref": "#/definitions/DataTypeDefinitions" + }, + "type": "array" + }, + "inputEntityType": { + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "requiredInputFieldsSets": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "Sub sets of the field of the source entity that are required to run the query", + "items": { + "description": "Required input field name", + "type": "string" + }, + "type": "array" + }, + "type": "array" + }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object", + "additionalProperties": { + "description": "Filter field name", + "items": { + "description": "Filter field values", + "type": "string" + }, + "type": "array" + } + } + }, + "type": "object" + }, + "DataTypeDefinitions": { + "description": "The data type definition", + "properties": { + "dataType": { + "description": "The data type name", + "type": "string" + } + }, + "type": "object" + } + }, + "parameters": { + "EntityQueryTemplateId": { + "description": "entity query template ID", + "in": "path", + "name": "entityQueryTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryTemplateKind": { + "description": "The entity template query kind we want to fetch", + "in": "query", + "name": "kind", + "required": false, + "enum": [ + "Activity" + ], + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json new file mode 100644 index 000000000000..593dfbd7a08d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json @@ -0,0 +1,564 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/fileImports": { + "get": { + "x-ms-examples": { + "Get all file imports.": { + "$ref": "./examples/fileImports/GetFileImports.json" + } + }, + "tags": [ + "FileImports" + ], + "description": "Gets all file imports.", + "operationId": "FileImports_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/FileImportList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/fileImports/{fileImportId}": { + "get": { + "x-ms-examples": { + "Get a file import.": { + "$ref": "./examples/fileImports/GetFileImportById.json" + } + }, + "tags": [ + "FileImports" + ], + "description": "Gets a file import.", + "operationId": "FileImports_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/FileImportId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/FileImport" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create a file import.": { + "$ref": "./examples/fileImports/CreateFileImport.json" + } + }, + "tags": [ + "FileImports" + ], + "description": "Creates the file import.", + "operationId": "FileImports_Create", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/FileImportId" + }, + { + "$ref": "#/parameters/FileImport" + } + ], + "responses": { + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/FileImport" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a file import.": { + "$ref": "./examples/fileImports/DeleteFileImport.json" + } + }, + "tags": [ + "FileImports" + ], + "description": "Delete the file import.", + "operationId": "FileImports_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/FileImportId" + } + ], + "responses": { + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/FileImport" + } + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-long-running-operation": true, + "x-ms-long-running-operation-options": { + "final-state-via": "location" + } + } + } + }, + "definitions": { + "FileMetadata": { + "description": "Represents a file.", + "properties": { + "fileFormat": { + "description": "The format of the file", + "enum": [ + "CSV", + "JSON", + "Unspecified" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "fileFormat", + "values": [ + { + "description": "A CSV file.", + "value": "CSV" + }, + { + "description": "A JSON file.", + "value": "JSON" + }, + { + "description": "A file of other format.", + "value": "Unspecified" + } + ] + } + }, + "fileName": { + "description": "The name of the file.", + "type": "string" + }, + "fileSize": { + "description": "The size of the file.", + "format": "int32", + "type": "integer" + }, + "fileContentUri": { + "description": "A URI with a valid SAS token to allow uploading / downloading the file.", + "type": "string", + "readOnly": true + }, + "deleteStatus": { + "description": "Indicates whether the file was deleted from the storage account.", + "enum": [ + "Deleted", + "NotDeleted", + "Unspecified" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DeleteStatus", + "values": [ + { + "description": "The file was deleted.", + "value": "Deleted" + }, + { + "description": "The file was not deleted.", + "value": "NotDeleted" + }, + { + "description": "Unspecified", + "value": "Unspecified" + } + ] + }, + "readOnly": true + } + }, + "type": "object" + }, + "FileImport": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" + } + ], + "description": "Represents a file import in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/FileImportProperties", + "description": "File import properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "FileImportList": { + "description": "List all the file imports.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of file imports.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of file imports.", + "items": { + "$ref": "#/definitions/FileImport" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "FileImportProperties": { + "description": "Describes the FileImport's properties", + "properties": { + "ingestionMode": { + "description": "Describes how to ingest the records in the file.", + "enum": [ + "IngestOnlyIfAllAreValid", + "IngestAnyValidRecords", + "Unspecified" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IngestionMode", + "values": [ + { + "description": "No records should be ingested when invalid records are detected.", + "value": "IngestOnlyIfAllAreValid" + }, + { + "description": "Valid records should still be ingested when invalid records are detected.", + "value": "IngestAnyValidRecords" + }, + { + "description": "Unspecified", + "value": "Unspecified" + } + ] + } + }, + "contentType": { + "description": "The content type of this file.", + "enum": [ + "BasicIndicator", + "StixIndicator", + "Unspecified" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "FileImportContentType", + "values": [ + { + "description": "File containing records with the core fields of an indicator, plus the observables to construct the STIX pattern.", + "value": "BasicIndicator" + }, + { + "description": "File containing STIX indicators.", + "value": "StixIndicator" + }, + { + "description": "File containing other records.", + "value": "Unspecified" + } + ] + } + }, + "createdTimeUTC": { + "description": "The time the file was imported.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "errorFile": { + "description": "Represents the error file (if the import was ingested with errors or failed the validation).", + "$ref": "#/definitions/FileMetadata", + "readOnly": true, + "type": "object" + }, + "errorsPreview": { + "description": "An ordered list of some of the errors that were encountered during validation.", + "items": { + "description": "An error that were encountered during validation.", + "$ref": "#/definitions/ValidationError" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "importFile": { + "description": "Represents the imported file.", + "$ref": "#/definitions/FileMetadata", + "type": "object" + }, + "ingestedRecordCount": { + "description": "The number of records that have been successfully ingested.", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "source": { + "description": "The source for the data in the file.", + "type": "string" + }, + "state": { + "description": "The state of the file import.", + "enum": [ + "FatalError", + "Ingested", + "IngestedWithErrors", + "InProgress", + "Invalid", + "WaitingForUpload", + "Unspecified" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "FileImportState", + "values": [ + { + "description": "A fatal error has occurred while ingesting the file.", + "value": "FatalError" + }, + { + "description": "The file has been ingested.", + "value": "Ingested" + }, + { + "description": "The file has been ingested with errors.", + "value": "IngestedWithErrors" + }, + { + "description": "The file ingestion is in progress.", + "value": "InProgress" + }, + { + "description": "The file is invalid.", + "value": "Invalid" + }, + { + "description": "Waiting for the file to be uploaded.", + "value": "WaitingForUpload" + }, + { + "description": "Unspecified state.", + "value": "Unspecified" + } + ] + } + }, + "totalRecordCount": { + "description": "The number of records in the file.", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "validRecordCount": { + "description": "The number of records that have passed validation.", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "filesValidUntilTimeUTC": { + "description": "The time the files associated with this import are deleted from the storage account.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "importValidUntilTimeUTC": { + "description": "The time the file import record is soft deleted from the database and history.", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "ingestionMode", + "contentType", + "importFile", + "source" + ], + "type": "object" + }, + "ValidationError": { + "description": "Describes an error encountered in the file during validation.", + "properties": { + "recordIndex": { + "description": "The number of the record that has the error.", + "type": "integer", + "format": "int32" + }, + "errorMessages": { + "description": "A list of descriptions of the error.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + } + }, + "parameters": { + "FileImportId": { + "description": "File import ID", + "in": "path", + "name": "fileImportId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "FileImport": { + "description": "The file import", + "in": "body", + "name": "fileImport", + "required": true, + "schema": { + "$ref": "#/definitions/FileImport" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json new file mode 100644 index 000000000000..af9619904225 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json @@ -0,0 +1,1657 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { + "get": { + "tags": [ + "Incidents" + ], + "description": "Gets all incidents.", + "operationId": "Incidents_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "Incidents_List": { + "$ref": "./examples/incidents/Incidents_List.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { + "get": { + "tags": [ + "Incidents" + ], + "description": "Gets an incident.", + "operationId": "Incidents_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_Get": { + "$ref": "./examples/incidents/Incidents_Get.json" + } + } + }, + "put": { + "tags": [ + "Incidents" + ], + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/Incident" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_CreateOrUpdate": { + "$ref": "./examples/incidents/Incidents_CreateOrUpdate.json" + } + } + }, + "delete": { + "tags": [ + "Incidents" + ], + "description": "Delete the incident.", + "operationId": "Incidents_Delete", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_Delete": { + "$ref": "./examples/incidents/Incidents_Delete.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/createTeam": { + "post": { + "tags": [ + "IncidentTeam" + ], + "description": "Creates a Microsoft team to investigate the incident by sharing information and insights between participants.", + "operationId": "Incidents_CreateTeam", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/TeamProperties" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/TeamInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_CreateTeam": { + "$ref": "./examples/incidents/IncidentTeam/Incidents_CreateTeam.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { + "post": { + "tags": [ + "IncidentAlerts" + ], + "description": "Gets all incident alerts.", + "operationId": "Incidents_ListAlerts", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentAlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_ListAlerts": { + "$ref": "./examples/incidents/IncidentAlerts/Incidents_ListAlerts.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { + "post": { + "tags": [ + "IncidentBookmarks" + ], + "description": "Gets all incident bookmarks.", + "operationId": "Incidents_ListBookmarks", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentBookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_ListBookmarks": { + "$ref": "./examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { + "get": { + "tags": [ + "IncidentComments" + ], + "description": "Gets all incident comments.", + "operationId": "IncidentComments_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "IncidentComments_List": { + "$ref": "./examples/incidents/IncidentComments/IncidentComments_List.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { + "get": { + "tags": [ + "IncidentComments" + ], + "description": "Gets an incident comment.", + "operationId": "IncidentComments_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentComments_Get": { + "$ref": "./examples/incidents/IncidentComments/IncidentComments_Get.json" + } + } + }, + "put": { + "tags": [ + "IncidentComments" + ], + "description": "Creates or updates the incident comment.", + "operationId": "IncidentComments_CreateOrUpdate", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + }, + { + "$ref": "#/parameters/IncidentComment" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentComments_CreateOrUpdate": { + "$ref": "./examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json" + } + } + }, + "delete": { + "tags": [ + "IncidentComments" + ], + "description": "Delete the incident comment.", + "operationId": "IncidentComments_Delete", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentComments_Delete": { + "$ref": "./examples/incidents/IncidentComments/IncidentComments_Delete.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { + "post": { + "tags": [ + "IncidentEntities" + ], + "description": "Gets all incident related entities.", + "operationId": "Incidents_ListEntities", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentEntitiesResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "Incidents_ListEntities": { + "$ref": "./examples/incidents/IncidentEntities/Incidents_ListEntities.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { + "get": { + "x-ms-examples": { + "Get all incident relations.": { + "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" + } + }, + "tags": [ + "IncidentRelations" + ], + "description": "Gets all incident relations.", + "operationId": "IncidentRelations_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "./common/RelationTypes.json#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get an incident relation.": { + "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" + } + }, + "tags": [ + "IncidentRelations" + ], + "description": "Gets an incident relation.", + "operationId": "IncidentRelations_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an incident relation.": { + "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" + } + }, + "tags": [ + "IncidentRelations" + ], + "description": "Creates or updates the incident relation.", + "operationId": "IncidentRelations_CreateOrUpdate", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/Relation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "./common/RelationTypes.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete the incident relation.": { + "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json" + } + }, + "tags": [ + "IncidentRelations" + ], + "description": "Delete the incident relation.", + "operationId": "IncidentRelations_Delete", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "./common/RelationTypes.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/tasks": { + "get": { + "tags": [ + "IncidentTasks" + ], + "description": "Gets all incident tasks.", + "operationId": "IncidentTasks_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentTaskList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "IncidentTasks_List": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_List.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/tasks/{incidentTaskId}": { + "get": { + "tags": [ + "IncidentTasks" + ], + "description": "Gets an incident task.", + "operationId": "IncidentTasks_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentTaskId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentTasks_Get": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_Get.json" + } + } + }, + "put": { + "tags": [ + "IncidentTasks" + ], + "description": "Creates or updates the incident task.", + "operationId": "IncidentTasks_CreateOrUpdate", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentTaskId" + }, + { + "$ref": "#/parameters/IncidentTask" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentTasks_CreateOrUpdate": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json" + } + } + }, + "delete": { + "tags": [ + "IncidentTasks" + ], + "description": "Delete the incident task.", + "operationId": "IncidentTasks_Delete", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentTaskId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentTasks_Delete": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_Delete.json" + } + } + } + } + }, + "definitions": { + "Incident": { + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "type": "object", + "$ref": "#/definitions/IncidentProperties", + "x-ms-client-flatten": true + } + } + }, + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", + "type": "object", + "properties": { + "alertsCount": { + "format": "int32", + "description": "The number of alerts in the incident", + "type": "integer", + "readOnly": true + }, + "bookmarksCount": { + "format": "int32", + "description": "The number of bookmarks in the incident", + "type": "integer", + "readOnly": true + }, + "commentsCount": { + "format": "int32", + "description": "The number of comments in the incident", + "type": "integer", + "readOnly": true + }, + "alertProductNames": { + "description": "List of product names of alerts in the incident", + "type": "array", + "items": { + "description": "Alert product name", + "type": "string" + }, + "readOnly": true + }, + "tactics": { + "description": "The tactics associated with incident", + "type": "array", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true + }, + "techniques": { + "description": "The techniques associated with incident's tactics", + "type": "array", + "items": { + "type": "string" + }, + "readOnly": true + }, + "providerIncidentUrl": { + "description": "The provider incident url to the incident in Microsoft 365 Defender portal", + "type": "string", + "readOnly": true + } + } + }, + "IncidentAlertList": { + "description": "List of incident alerts.", + "type": "object", + "properties": { + "value": { + "description": "Array of incident alerts.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/SecurityAlert" + } + } + }, + "required": [ + "value" + ] + }, + "IncidentBookmarkList": { + "description": "List of incident bookmarks.", + "type": "object", + "properties": { + "value": { + "description": "Array of incident bookmarks.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/HuntingBookmark" + } + } + }, + "required": [ + "value" + ] + }, + "IncidentComment": { + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an incident comment", + "properties": { + "properties": { + "type": "object", + "$ref": "#/definitions/IncidentCommentProperties", + "description": "Incident comment properties", + "x-ms-client-flatten": true + } + } + }, + "IncidentCommentList": { + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentComment" + } + }, + "nextLink": { + "type": "string", + "readOnly": true + } + }, + "required": [ + "value" + ] + }, + "IncidentCommentProperties": { + "description": "Incident comment property bag.", + "required": [ + "message" + ], + "type": "object", + "properties": { + "message": { + "description": "The comment message", + "type": "string" + }, + "createdTimeUtc": { + "format": "date-time", + "description": "The time the comment was created", + "type": "string", + "readOnly": true + }, + "lastModifiedTimeUtc": { + "format": "date-time", + "description": "The time the comment was updated", + "type": "string", + "readOnly": true + }, + "author": { + "type": "object", + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo", + "description": "Describes the client that created the comment", + "readOnly": true + } + } + }, + "IncidentEntitiesResponse": { + "description": "The incident related entities response.", + "type": "object", + "properties": { + "entities": { + "description": "Array of the incident related entities.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/Entity" + } + }, + "metaData": { + "description": "The metadata from the incident related entities results.", + "type": "array", + "items": { + "$ref": "#/definitions/IncidentEntitiesResultsMetadata" + } + } + } + }, + "IncidentEntitiesResultsMetadata": { + "description": "Information of a specific aggregation in the incident related entities result.", + "required": [ + "count", + "entityKind" + ], + "type": "object", + "properties": { + "entityKind": { + "description": "The kind of the aggregated entity.", + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerKind" + }, + "count": { + "format": "int32", + "description": "Total number of aggregations of the given kind in the incident related entities result.", + "type": "integer" + } + } + }, + "IncidentList": { + "required": [ + "value" + ], + "description": "List all the incidents.", + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/Incident" + } + }, + "nextLink": { + "description": "URL to fetch the next set of incidents.", + "type": "string", + "readOnly": true + } + } + }, + "IncidentProperties": { + "required": [ + "severity", + "status", + "title" + ], + "type": "object", + "properties": { + "title": { + "description": "The title of the incident", + "type": "string" + }, + "description": { + "description": "The description of the incident", + "type": "string" + }, + "severity": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum" + }, + "status": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentStatusEnum" + }, + "classification": { + "description": "The reason the incident was closed", + "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationEnum" + }, + "classificationReason": { + "description": "The classification reason the incident was closed with", + "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationReasonEnum" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "owner": { + "type": "object", + "description": "Describes a user that the incident is assigned to", + "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo" + }, + "labels": { + "description": "List of labels relevant to this incident", + "type": "array", + "items": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentLabel" + } + }, + "firstActivityTimeUtc": { + "format": "date-time", + "description": "The time of the first activity in the incident", + "type": "string" + }, + "lastActivityTimeUtc": { + "format": "date-time", + "description": "The time of the last activity in the incident", + "type": "string" + }, + "lastModifiedTimeUtc": { + "format": "date-time", + "description": "The last time the incident was updated", + "type": "string", + "readOnly": true + }, + "createdTimeUtc": { + "format": "date-time", + "description": "The time the incident was created", + "type": "string", + "readOnly": true + }, + "incidentNumber": { + "format": "int32", + "description": "A sequential number", + "type": "integer", + "readOnly": true + }, + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", + "readOnly": true, + "type": "object" + }, + "relatedAnalyticRuleIds": { + "description": "List of resource ids of Analytic rules related to the incident", + "type": "array", + "items": { + "description": "Related Analytic rule resource id", + "type": "string" + }, + "readOnly": true + }, + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", + "type": "string", + "readOnly": true + }, + "providerName": { + "description": "The name of the source provider that generated the incident", + "type": "string" + }, + "providerIncidentId": { + "description": "The incident ID assigned by the incident provider", + "type": "string", + "readOnly": true + }, + "teamInformation": { + "$ref": "#/definitions/TeamInformation", + "description": "Describes a team for the incident", + "type": "object" + } + } + }, + "IncidentTask": { + "required": [ + "properties" + ], + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "type": "object", + "$ref": "#/definitions/IncidentTaskProperties", + "x-ms-client-flatten": true + } + } + }, + "IncidentTaskList": { + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentTask" + } + }, + "nextLink": { + "type": "string" + } + } + }, + "IncidentTaskProperties": { + "required": [ + "status", + "title" + ], + "type": "object", + "properties": { + "title": { + "description": "The title of the task", + "type": "string" + }, + "description": { + "description": "The description of the task", + "type": "string" + }, + "status": { + "$ref": "#/definitions/IncidentTaskStatus" + }, + "createdTimeUtc": { + "format": "date-time", + "description": "The time the task was created", + "type": "string", + "readOnly": true + }, + "lastModifiedTimeUtc": { + "format": "date-time", + "description": "The last time the task was updated", + "type": "string", + "readOnly": true + }, + "createdBy": { + "type": "object", + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" + }, + "lastModifiedBy": { + "type": "object", + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" + } + } + }, + "IncidentTaskStatus": { + "enum": [ + "New", + "Completed" + ], + "type": "string", + "example": "New", + "x-ms-enum": { + "name": "IncidentTaskStatus", + "modelAsString": true, + "values": [ + { + "value": "New", + "description": "A new task" + }, + { + "value": "Completed", + "description": "A completed task" + } + ] + } + }, + "TeamInformation": { + "description": "Describes team information", + "type": "object", + "properties": { + "teamId": { + "description": "Team ID", + "type": "string", + "readOnly": true + }, + "primaryChannelUrl": { + "description": "The primary channel URL of the team", + "type": "string", + "readOnly": true + }, + "teamCreationTimeUtc": { + "format": "date-time", + "description": "The time the team was created", + "type": "string", + "readOnly": true + }, + "name": { + "description": "The name of the team", + "type": "string", + "readOnly": true + }, + "description": { + "description": "The description of the team", + "type": "string", + "readOnly": true + } + } + }, + "TeamProperties": { + "description": "Describes team properties", + "required": [ + "teamName" + ], + "type": "object", + "properties": { + "teamName": { + "description": "The name of the team", + "type": "string" + }, + "teamDescription": { + "description": "The description of the team", + "type": "string" + }, + "groupIds": { + "description": "List of group IDs to add their members to the team", + "type": "array", + "items": { + "format": "uuid", + "type": "string" + } + }, + "memberIds": { + "description": "List of member IDs to add to the team", + "type": "array", + "items": { + "format": "uuid", + "type": "string" + } + } + } + } + }, + "parameters": { + "Incident": { + "name": "incident", + "description": "The incident", + "required": true, + "in": "body", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "IncidentId": { + "in": "path", + "name": "incidentId", + "description": "Incident ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" + }, + "IncidentComment": { + "name": "incidentComment", + "description": "The incident comment", + "required": true, + "in": "body", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "IncidentCommentId": { + "in": "path", + "name": "incidentCommentId", + "description": "Incident comment ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" + }, + "TeamProperties": { + "name": "teamProperties", + "description": "Team properties", + "required": true, + "in": "body", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/TeamInformation" + } + }, + "IncidentTask": { + "name": "incidentTask", + "description": "The incident task", + "required": true, + "in": "body", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "IncidentTaskId": { + "in": "path", + "name": "incidentTaskId", + "description": "Incident task ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" + } + }, + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "flow": "implicit", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "scopes": { + "user_impersonation": "impersonate your user account" + }, + "description": "Azure Active Directory OAuth2 Flow" + } + }, + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "consumes": [ + "application/json" + ] +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json new file mode 100644 index 000000000000..e303e780b4e4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json @@ -0,0 +1,824 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata": { + "get": { + "x-ms-examples": { + "Get all metadata.": { + "$ref": "./examples/metadata/GetAllMetadata.json" + }, + "Get all metadata with OData filter/orderby/skip/top": { + "$ref": "./examples/metadata/GetAllMetadataOData.json" + } + }, + "tags": [ + "Metadata" + ], + "description": "List of all metadata", + "operationId": "Metadata_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkip" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/MetadataList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/metadata/{metadataName}": { + "get": { + "x-ms-examples": { + "Get single metadata by name": { + "$ref": "./examples/metadata/GetMetadata.json" + } + }, + "tags": [ + "Metadata" + ], + "description": "Get a Metadata.", + "operationId": "Metadata_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/MetadataName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/MetadataModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete metadata.": { + "$ref": "./examples/metadata/DeleteMetadata.json" + } + }, + "tags": [ + "Metadata" + ], + "description": "Delete a Metadata.", + "operationId": "Metadata_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/MetadataName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create/update full metadata.": { + "$ref": "./examples/metadata/PutMetadata.json" + }, + "Create/update minimal metadata.": { + "$ref": "./examples/metadata/PutMetadataMinimal.json" + } + }, + "tags": [ + "Metadata" + ], + "description": "Create a Metadata.", + "operationId": "Metadata_Create", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/MetadataName" + }, + { + "$ref": "#/parameters/Metadata" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/MetadataModel" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/MetadataModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "patch": { + "x-ms-examples": { + "Update metadata.": { + "$ref": "./examples/metadata/PatchMetadata.json" + } + }, + "tags": [ + "Metadata" + ], + "description": "Update an existing Metadata.", + "operationId": "Metadata_Update", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/MetadataName" + }, + { + "$ref": "#/parameters/MetadataPatch" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/MetadataModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "MetadataList": { + "description": "List of all the metadata.", + "type": "object", + "properties": { + "value": { + "description": "Array of metadata.", + "items": { + "$ref": "#/definitions/MetadataModel" + }, + "type": "array" + }, + "nextLink": { + "description": "URL to fetch the next page of metadata.", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "value" + ] + }, + "MetadataModel": { + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Metadata resource definition.", + "properties": { + "properties": { + "$ref": "#/definitions/metadataProperties", + "description": "Metadata properties", + "x-ms-client-flatten": true + } + } + }, + "metadataPatch": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Metadata patch request body.", + "type": "object", + "properties": { + "properties": { + "$ref": "#/definitions/metadataPropertiesPatch", + "description": "Metadata patch request body", + "x-ms-client-flatten": true + } + } + }, + "metadataContentId": { + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Can be optionally set for user created content to define dependencies. If an active content item is made from a template, both will have the same contentId.", + "type": "string" + }, + "metadataParentId": { + "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)", + "type": "string" + }, + "metadataVersion": { + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks", + "type": "string" + }, + "metadataKind": { + "type": "string", + "description": "The kind of content the metadata is for." + }, + "metadataSource": { + "description": "The original source of the content item, where it comes from.", + "type": "object", + "required": [ + "kind" + ], + "properties": { + "kind": { + "description": "Source type of the content", + "type": "string", + "enum": [ + "LocalWorkspace", + "Community", + "Solution", + "SourceRepository" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "sourceKind", + "values": [ + { + "value": "LocalWorkspace" + }, + { + "value": "Community" + }, + { + "value": "Solution" + }, + { + "value": "SourceRepository" + } + ] + } + }, + "name": { + "description": "Name of the content source. The repo name, solution name, LA workspace name etc.", + "type": "string" + }, + "sourceId": { + "description": "ID of the content source. The solution ID, workspace ID, etc", + "type": "string" + } + } + }, + "metadataAuthor": { + "type": "object", + "description": "Publisher or creator of the content item.", + "properties": { + "name": { + "description": "Name of the author. Company or person.", + "type": "string" + }, + "email": { + "description": "Email of author contact", + "type": "string" + }, + "link": { + "description": "Link for author/vendor page", + "type": "string" + } + } + }, + "metadataSupport": { + "type": "object", + "description": "Support information for the content item.", + "required": [ + "tier" + ], + "properties": { + "tier": { + "description": "Type of support for content item", + "type": "string", + "enum": [ + "Microsoft", + "Partner", + "Community" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "supportTier", + "values": [ + { + "value": "Microsoft" + }, + { + "value": "Partner" + }, + { + "value": "Community" + } + ] + } + }, + "name": { + "description": "Name of the support contact. Company or person.", + "type": "string" + }, + "email": { + "description": "Email of support contact", + "type": "string" + }, + "link": { + "description": "Link for support help, like to support page to open a ticket etc.", + "type": "string" + } + } + }, + "metadataDependencies": { + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.", + "type": "object", + "properties": { + "contentId": { + "description": "Id of the content item we depend on", + "$ref": "#/definitions/metadataContentId" + }, + "kind": { + "description": "Type of the content item we depend on", + "$ref": "#/definitions/metadataKind" + }, + "version": { + "description": "Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required.", + "$ref": "#/definitions/metadataVersion" + }, + "name": { + "description": "Name of the content item", + "type": "string" + }, + "operator": { + "description": "Operator used for list of dependencies in criteria array.", + "type": "string", + "enum": [ + "AND", + "OR" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "operator", + "values": [ + { + "value": "AND" + }, + { + "value": "OR" + } + ] + } + }, + "criteria": { + "description": "This is the list of dependencies we must fulfill, according to the AND/OR operator", + "type": "array", + "items": { + "$ref": "#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + } + } + } + }, + "metadataCategories": { + "type": "object", + "description": "ies for the solution content item", + "properties": { + "domains": { + "description": "domain for the solution content item", + "type": "array", + "example": [ + "str1", + "str2", + "str3" + ], + "items": { + "type": "string" + } + }, + "verticals": { + "description": "Industry verticals for the solution content item", + "type": "array", + "items": { + "type": "string" + }, + "example": [ + "str1", + "str2", + "str3" + ] + } + } + }, + "metadataProviders": { + "description": "Providers for the solution content item", + "type": "array", + "example": [ + "str1", + "str2", + "str3" + ], + "items": { + "type": "string" + } + }, + "firstPublishDate": { + "description": "first publish date of solution content item", + "type": "string", + "format": "date" + }, + "lastPublishDate": { + "description": "last publish date of solution content item", + "type": "string", + "format": "date" + }, + "metadataCustomVersion": { + "description": "The custom version of the content. A optional free text", + "type": "string" + }, + "metadataContentSchemaVersion": { + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version", + "type": "string" + }, + "metadataIcon": { + "description": "the icon identifier. this id can later be fetched from the solution template", + "type": "string" + }, + "metadataThreatAnalysisTactics": { + "description": "the tactics the resource covers", + "type": "array", + "example": [ + "reconnaissance", + "exfiltration" + ], + "items": { + "type": "string" + } + }, + "metadataThreatAnalysisTechniques": { + "description": "the techniques the resource covers, these have to be aligned with the tactics being used", + "type": "array", + "example": [ + "T1548", + "T1548.001", + "T1134.003" + ], + "items": { + "type": "string" + } + }, + "metadataPreviewImages": { + "description": "preview image file names. These will be taken from the solution artifacts", + "type": "array", + "example": [ + "example.png", + "example2.jpeg" + ], + "items": { + "type": "string" + } + }, + "metadataPreviewImagesDark": { + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support", + "type": "array", + "example": [ + "example.png", + "example2.jpeg" + ], + "items": { + "type": "string" + } + }, + "metadataProperties": { + "description": "Metadata property bag.", + "required": [ + "parentId", + "kind" + ], + "type": "object", + "properties": { + "contentId": { + "$ref": "#/definitions/metadataContentId", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name" + }, + "parentId": { + "$ref": "#/definitions/metadataParentId", + "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)" + }, + "version": { + "$ref": "#/definitions/metadataVersion", + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks" + }, + "kind": { + "$ref": "#/definitions/metadataKind", + "description": "The kind of content the metadata is for." + }, + "source": { + "$ref": "#/definitions/metadataSource", + "description": "Source of the content. This is where/how it was created." + }, + "author": { + "$ref": "#/definitions/metadataAuthor", + "description": "The creator of the content item." + }, + "support": { + "$ref": "#/definitions/metadataSupport", + "description": "Support information for the metadata - type, name, contact information" + }, + "dependencies": { + "$ref": "#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + }, + "categories": { + "$ref": "#/definitions/metadataCategories", + "description": "Categories for the solution content item" + }, + "providers": { + "$ref": "#/definitions/metadataProviders", + "description": "Providers for the solution content item" + }, + "firstPublishDate": { + "$ref": "#/definitions/firstPublishDate", + "description": "first publish date solution content item" + }, + "lastPublishDate": { + "$ref": "#/definitions/lastPublishDate", + "description": "last publish date for the solution content item" + }, + "customVersion": { + "$ref": "#/definitions/metadataCustomVersion", + "description": "The custom version of the content. A optional free text" + }, + "contentSchemaVersion": { + "$ref": "#/definitions/metadataContentSchemaVersion", + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version" + }, + "icon": { + "$ref": "#/definitions/metadataIcon", + "description": "the icon identifier. this id can later be fetched from the solution template" + }, + "threatAnalysisTactics": { + "$ref": "#/definitions/metadataThreatAnalysisTactics", + "description": "the tactics the resource covers" + }, + "threatAnalysisTechniques": { + "$ref": "#/definitions/metadataThreatAnalysisTechniques", + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "previewImages": { + "$ref": "#/definitions/metadataPreviewImages", + "description": "preview image file names. These will be taken from the solution artifacts" + }, + "previewImagesDark": { + "$ref": "#/definitions/metadataPreviewImagesDark", + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support" + } + } + }, + "metadataPropertiesPatch": { + "description": "Metadata property bag for patch requests. This is the same as the MetadataProperties, but with nothing required", + "type": "object", + "properties": { + "contentId": { + "$ref": "#/definitions/metadataContentId", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name" + }, + "parentId": { + "$ref": "#/definitions/metadataParentId", + "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)" + }, + "version": { + "$ref": "#/definitions/metadataVersion", + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks" + }, + "kind": { + "$ref": "#/definitions/metadataKind", + "description": "The kind of content the metadata is for." + }, + "source": { + "$ref": "#/definitions/metadataSource", + "description": "Source of the content. This is where/how it was created." + }, + "author": { + "$ref": "#/definitions/metadataAuthor", + "description": "The creator of the content item." + }, + "support": { + "$ref": "#/definitions/metadataSupport", + "description": "Support information for the metadata - type, name, contact information" + }, + "dependencies": { + "$ref": "#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + }, + "categories": { + "$ref": "#/definitions/metadataCategories", + "description": "Categories for the solution content item" + }, + "providers": { + "$ref": "#/definitions/metadataProviders", + "description": "Providers for the solution content item" + }, + "firstPublishDate": { + "$ref": "#/definitions/firstPublishDate", + "description": "first publish date solution content item" + }, + "lastPublishDate": { + "$ref": "#/definitions/lastPublishDate", + "description": "last publish date for the solution content item" + }, + "customVersion": { + "$ref": "#/definitions/metadataCustomVersion", + "description": "The custom version of the content. A optional free text" + }, + "contentSchemaVersion": { + "$ref": "#/definitions/metadataContentSchemaVersion", + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version" + }, + "icon": { + "$ref": "#/definitions/metadataIcon", + "description": "the icon identifier. this id can later be fetched from the solution template" + }, + "threatAnalysisTactics": { + "$ref": "#/definitions/metadataThreatAnalysisTactics", + "description": "the tactics the resource covers" + }, + "threatAnalysisTechniques": { + "$ref": "#/definitions/metadataThreatAnalysisTechniques", + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "previewImages": { + "$ref": "#/definitions/metadataPreviewImages", + "description": "preview image file names. These will be taken from the solution artifacts" + }, + "previewImagesDark": { + "$ref": "#/definitions/metadataPreviewImagesDark", + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support" + } + } + } + }, + "parameters": { + "Metadata": { + "description": "Metadata resource.", + "in": "body", + "name": "metadata", + "required": true, + "schema": { + "$ref": "#/definitions/MetadataModel" + }, + "x-ms-parameter-location": "method" + }, + "MetadataPatch": { + "description": "Partial metadata request.", + "in": "body", + "name": "metadataPatch", + "required": true, + "schema": { + "$ref": "#/definitions/metadataPatch" + }, + "x-ms-parameter-location": "method" + }, + "MetadataName": { + "description": "The Metadata name.", + "in": "path", + "name": "metadataName", + "required": true, + "pattern": "^\\S+$", + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json new file mode 100644 index 000000000000..5e321ee38837 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json @@ -0,0 +1,234 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": { + "get": { + "x-ms-examples": { + "Get all office consents.": { + "$ref": "./examples/officeConsents/GetOfficeConsents.json" + } + }, + "tags": [ + "Office Consents" + ], + "description": "Gets all office365 consents.", + "operationId": "OfficeConsents_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/OfficeConsentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": { + "get": { + "x-ms-examples": { + "Get an office consent.": { + "$ref": "./examples/officeConsents/GetOfficeConsentsById.json" + } + }, + "tags": [ + "Office Consents" + ], + "description": "Gets an office365 consent.", + "operationId": "OfficeConsents_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ConsentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/OfficeConsent" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an office consent.": { + "$ref": "./examples/officeConsents/DeleteOfficeConsents.json" + } + }, + "tags": [ + "Office Consents" + ], + "description": "Delete the office365 consent.", + "operationId": "OfficeConsents_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ConsentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "ConsentId": { + "description": "consent ID", + "in": "path", + "name": "consentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "OfficeConsent": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" + } + ], + "description": "Consent for Office365 tenant that already made.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeConsentProperties", + "description": "Office consent properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "OfficeConsentList": { + "description": "List of all the office365 consents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of office consents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of the consents.", + "items": { + "$ref": "#/definitions/OfficeConsent" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "OfficeConsentProperties": { + "description": "Consent property bag.", + "properties": { + "tenantId": { + "description": "The tenantId of the Office365 with the consent.", + "type": "string" + }, + "consentId": { + "description": "Help to easily cascade among the data layers.", + "type": "string" + } + }, + "type": "object" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json new file mode 100644 index 000000000000..47032ee9ea73 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json @@ -0,0 +1,284 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates/{sentinelOnboardingStateName}": { + "get": { + "x-ms-examples": { + "Get Sentinel onboarding state": { + "$ref": "./examples/onboardingStates/GetSentinelOnboardingState.json" + } + }, + "tags": [ + "SentinelOnboardingStates" + ], + "description": "Get Sentinel onboarding state", + "operationId": "SentinelOnboardingStates_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SentinelOnboardingStateName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SentinelOnboardingState" + } + }, + "default": { + "description": "Error in getting the Sentinel onboarding state", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create Sentinel onboarding state": { + "$ref": "./examples/onboardingStates/CreateSentinelOnboardingState.json" + } + }, + "tags": [ + "SentinelOnboardingStates" + ], + "description": "Create Sentinel onboarding state", + "operationId": "SentinelOnboardingStates_Create", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SentinelOnboardingStateName" + }, + { + "$ref": "#/parameters/SentinelOnboardingStateParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SentinelOnboardingState" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/SentinelOnboardingState" + } + }, + "default": { + "description": "Error in creating the Sentinel onboarding state", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete Sentinel onboarding state": { + "$ref": "./examples/onboardingStates/DeleteSentinelOnboardingState.json" + } + }, + "tags": [ + "SentinelOnboardingStates" + ], + "description": "Delete Sentinel onboarding state", + "operationId": "SentinelOnboardingStates_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SentinelOnboardingStateName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error in deleting the Sentinel onboarding state", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/onboardingStates": { + "get": { + "x-ms-examples": { + "Get all Sentinel onboarding states": { + "$ref": "./examples/onboardingStates/GetAllSentinelOnboardingStates.json" + } + }, + "tags": [ + "SentinelOnboardingStates" + ], + "description": "Gets all Sentinel onboarding states", + "operationId": "SentinelOnboardingStates_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SentinelOnboardingStatesList" + } + }, + "default": { + "description": "Error in listing the Sentinel onboarding states", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "SentinelOnboardingStateProperties": { + "description": "The Sentinel onboarding state properties", + "type": "object", + "properties": { + "customerManagedKey": { + "description": "Flag that indicates the status of the CMK setting", + "type": "boolean" + } + } + }, + "SentinelOnboardingState": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Sentinel onboarding state", + "properties": { + "properties": { + "$ref": "#/definitions/SentinelOnboardingStateProperties", + "description": "The Sentinel onboarding state object", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "SentinelOnboardingStatesList": { + "description": "List of the Sentinel onboarding states", + "properties": { + "value": { + "description": "Array of Sentinel onboarding states", + "items": { + "$ref": "#/definitions/SentinelOnboardingState" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + } + }, + "parameters": { + "SentinelOnboardingStateName": { + "description": "The Sentinel onboarding state name. Supports - default", + "in": "path", + "name": "sentinelOnboardingStateName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SentinelOnboardingStateParameter": { + "description": "The Sentinel onboarding state parameter", + "in": "body", + "name": "sentinelOnboardingStateParameter", + "required": false, + "schema": { + "$ref": "#/definitions/SentinelOnboardingState" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json new file mode 100644 index 000000000000..4a5201c23345 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json @@ -0,0 +1,564 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations": { + "get": { + "x-ms-examples": { + "Get Recommendations list.": { + "$ref": "./examples/recommendations/GetRecommendations.json" + } + }, + "tags": [ + "recommendations" + ], + "description": "Gets a list of all recommendations.", + "operationId": "GetRecommendations_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RecommendationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId}": { + "get": { + "x-ms-examples": { + "Get a recommendation.": { + "$ref": "./examples/recommendations/GetRecommendation.json" + } + }, + "tags": [ + "recommendations" + ], + "description": "Gets a recommendation by its id.", + "operationId": "Get_SingleRecommendation", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RecommendationId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Recommendation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "patch": { + "x-ms-examples": { + "Creates a recommendation.": { + "$ref": "./examples/recommendations/PatchRecommendation.json" + } + }, + "tags": [ + "recommendations" + ], + "description": "Patch a recommendation.", + "operationId": "Update_Recommendation", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RecommendationId" + }, + { + "$ref": "#/parameters/RecommendationPatch" + } + ], + "x-ms-long-running-operation": true, + "responses": { + "202": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Recommendation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "Recommendation": { + "description": "Recommendation object.", + "properties": { + "id": { + "description": "id of recommendation.", + "type": "string", + "format": "uuid" + }, + "instructions": { + "description": "Instructions of the recommendation.", + "$ref": "#/definitions/Instructions" + }, + "content": { + "description": "Content of the recommendation.", + "$ref": "#/definitions/Content", + "x-nullable": true + }, + "resourceId": { + "description": "Id of the resource this recommendation refers to.", + "type": "string", + "x-nullable": true + }, + "additionalProperties": { + "description": "Collection of additional properties for the recommendation.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "x-nullable": true + }, + "title": { + "description": "Title of the recommendation.", + "type": "string" + }, + "description": { + "description": "Description of the recommendation.", + "type": "string" + }, + "recommendationTypeTitle": { + "description": "Title of the recommendation type.", + "type": "string" + }, + "recommendationTypeId": { + "description": "Id of the recommendation type.", + "type": "string" + }, + "category": { + "description": "Category of the recommendation.", + "$ref": "#/definitions/RecommendationCategory" + }, + "context": { + "description": "Context of the recommendation.", + "$ref": "#/definitions/RecommendationContext" + }, + "workspaceId": { + "description": "Id of the workspace this recommendation refers to.", + "type": "string", + "format": "uuid" + }, + "actions": { + "description": "List of actions to take for this recommendation.", + "type": "array", + "items": { + "$ref": "#/definitions/RecommendedAction" + }, + "x-ms-identifiers": [] + }, + "state": { + "description": "State of the recommendation.", + "$ref": "#/definitions/RecommendationState" + }, + "priority": { + "description": "Priority of the recommendation.", + "$ref": "#/definitions/RecommendationPriority" + }, + "lastEvaluatedTimeUtc": { + "description": "The time stamp (UTC) when the recommendation was last evaluated.", + "type": "string", + "format": "date-time" + }, + "hideUntilTimeUtc": { + "description": "The time stamp (UTC) when the recommendation should be displayed again.", + "type": "string", + "format": "date-time", + "x-nullable": true + }, + "displayUntilTimeUtc": { + "description": "The timestamp (UTC) after which the recommendation should not be displayed anymore.", + "type": "string", + "format": "date-time", + "x-nullable": true + }, + "visible": { + "description": "Value indicating if the recommendation should be displayed or not.", + "type": "boolean" + } + }, + "required": [ + "id", + "instructions", + "title", + "description", + "recommendationTypeTitle", + "recommendationTypeId", + "category", + "context", + "workspaceId", + "actions", + "state", + "priority", + "lastEvaluatedTimeUtc" + ], + "type": "object" + }, + "RecommendationList": { + "description": "A list of recommendations", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/Recommendation" + }, + "description": "An list of recommendations" + } + }, + "type": "object" + }, + "Content": { + "description": "Content section of the recommendation.", + "properties": { + "title": { + "description": "Title of the content.", + "type": "string" + }, + "description": { + "description": "Description of the content.", + "type": "string" + } + }, + "required": [ + "title", + "description" + ], + "type": "object" + }, + "Instructions": { + "description": "Instructions section of a recommendation.", + "properties": { + "actionsToBePerformed": { + "description": "What actions should be taken to complete the recommendation.", + "type": "string" + }, + "recommendationImportance": { + "description": "Explains why the recommendation is important.", + "type": "string" + }, + "howToPerformActionDetails": { + "description": "How should the user complete the recommendation.", + "type": "string", + "x-nullable": true + } + }, + "required": [ + "actionsToBePerformed", + "recommendationImportance" + ], + "type": "object" + }, + "RecommendedAction": { + "description": "What actions should be taken to complete the recommendation.", + "properties": { + "linkText": { + "description": "Text of the link to complete the action.", + "type": "string" + }, + "linkUrl": { + "description": "The Link to complete the action.", + "type": "string" + }, + "state": { + "description": "The state of the action.", + "$ref": "#/definitions/ActionState" + } + }, + "required": [ + "linkText", + "linkUrl" + ], + "type": "object" + }, + "RecommendationPatch": { + "description": "Recommendation Fields to update.", + "properties": { + "state": { + "description": "State of the recommendation.", + "$ref": "#/definitions/RecommendationState" + }, + "hideUntilTimeUtc": { + "description": "The time stamp (UTC) when the recommendation should be displayed again.", + "type": "string", + "format": "date-time" + } + }, + "type": "object" + }, + "RecommendationCategory": { + "description": "Categories of recommendations.", + "type": "string", + "enum": [ + "Onboarding", + "NewFeature", + "SocEfficiency", + "CostOptimization", + "Demo" + ], + "x-ms-enum": { + "name": "Category", + "modelAsString": true, + "values": [ + { + "value": "Onboarding", + "description": "Onboarding recommendation." + }, + { + "value": "NewFeature", + "description": "New feature recommendation." + }, + { + "value": "SocEfficiency", + "description": "Soc Efficiency recommendation." + }, + { + "value": "CostOptimization", + "description": "Cost optimization recommendation." + }, + { + "value": "Demo", + "description": "Demo recommendation." + } + ] + } + }, + "RecommendationContext": { + "description": "Context of recommendation.", + "type": "string", + "enum": [ + "Analytics", + "Incidents", + "Overview", + "None" + ], + "x-ms-enum": { + "name": "Context", + "modelAsString": true, + "values": [ + { + "value": "Analytics", + "description": "Analytics context." + }, + { + "value": "Incidents", + "description": "Incidents context." + }, + { + "value": "Overview", + "description": "Overview context." + }, + { + "value": "None", + "description": "No context." + } + ] + } + }, + "RecommendationState": { + "description": "State of recommendation.", + "type": "string", + "enum": [ + "Active", + "Disabled", + "CompletedByUser", + "CompletedByAction", + "Hidden" + ], + "x-ms-enum": { + "name": "State", + "modelAsString": true, + "values": [ + { + "value": "Active", + "description": "Recommendation is active." + }, + { + "value": "Disabled", + "description": "Recommendation is disabled." + }, + { + "value": "CompletedByUser", + "description": "Recommendation has been completed by user." + }, + { + "value": "CompletedByAction", + "description": "Recommendation has been completed by action." + }, + { + "value": "Hidden", + "description": "Recommendation is hidden." + } + ] + } + }, + "RecommendationPriority": { + "description": "Priority of recommendation.", + "type": "string", + "enum": [ + "Low", + "Medium", + "High" + ], + "x-ms-enum": { + "name": "Priority", + "modelAsString": true, + "values": [ + { + "value": "Low", + "description": "Low priority for recommendation." + }, + { + "value": "Medium", + "description": "Medium priority for recommendation." + }, + { + "value": "High", + "description": "High priority for recommendation." + } + ] + } + }, + "ActionState": { + "description": "Represents the state the recommendation action is currently in.", + "type": "string", + "enum": [ + "Active", + "InProgress", + "Done" + ], + "x-ms-enum": { + "name": "Priority", + "modelAsString": true, + "values": [ + { + "value": "Active", + "description": "Default state of actions." + }, + { + "value": "InProgress", + "description": "State for when actions have been clicked on." + }, + { + "value": "Done", + "description": "State of completed actions." + } + ] + } + } + }, + "parameters": { + "RecommendationId": { + "description": "Recommendation Id.", + "in": "path", + "name": "recommendationId", + "required": true, + "type": "string", + "format": "uuid", + "x-ms-parameter-location": "method" + }, + "RecommendationPatch": { + "description": "Recommendation Fields to Update.", + "in": "body", + "name": "recommendationPatch", + "required": true, + "schema": { + "type": "array", + "items": { + "$ref": "#/definitions/RecommendationPatch" + }, + "x-ms-identifiers": [] + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json new file mode 100644 index 000000000000..90a6b36036a3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json @@ -0,0 +1,444 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings": { + "get": { + "x-ms-examples": { + "Get all Security ML Analytics Settings.": { + "$ref": "./examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json" + } + }, + "tags": [ + "Security ML Analytics Settings" + ], + "description": "Gets all Security ML Analytics Settings.", + "operationId": "SecurityMLAnalyticsSettings_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityMLAnalyticsSettingsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/{settingsResourceName}": { + "get": { + "x-ms-examples": { + "Get a Anomaly Security ML Analytics Settings.": { + "$ref": "./examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json" + } + }, + "tags": [ + "Security ML Analytics Settings" + ], + "description": "Gets the Security ML Analytics Settings.", + "operationId": "SecurityMLAnalyticsSettings_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsResourceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityMLAnalyticsSetting" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a Anomaly Security ML Analytics Settings.": { + "$ref": "./examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json" + } + }, + "tags": [ + "Security ML Analytics Settings" + ], + "description": "Creates or updates the Security ML Analytics Settings.", + "operationId": "SecurityMLAnalyticsSettings_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsResourceName" + }, + { + "$ref": "#/parameters/SecurityMLAnalyticsSetting" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SecurityMLAnalyticsSetting" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/SecurityMLAnalyticsSetting" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a Security ML Analytics Settings.": { + "$ref": "./examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json" + } + }, + "tags": [ + "Security ML Analytics Settings" + ], + "description": "Delete the Security ML Analytics Settings.", + "operationId": "SecurityMLAnalyticsSettings_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsResourceName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "SecurityMLAnalyticsSetting": { + "description": "The security ML Analytics setting", + "in": "body", + "name": "securityMLAnalyticsSetting", + "required": true, + "schema": { + "$ref": "#/definitions/SecurityMLAnalyticsSetting" + }, + "x-ms-parameter-location": "method" + }, + "SettingsResourceName": { + "description": "Security ML Analytics Settings resource name", + "in": "path", + "name": "settingsResourceName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "SecurityMLAnalyticsSetting": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Security ML Analytics Setting", + "properties": { + "kind": { + "$ref": "#/definitions/SecurityMLAnalyticsSettingsKindEnum", + "description": "The kind of security ML Analytics Settings" + } + }, + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "SecurityMLAnalyticsSettingsKindEnum": { + "description": "The kind of security ML analytics settings", + "enum": [ + "Anomaly" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SecurityMLAnalyticsSettingsKind", + "values": [ + { + "value": "Anomaly" + } + ] + } + }, + "SecurityMLAnalyticsSettingsList": { + "description": "List all the SecurityMLAnalyticsSettings", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of SecurityMLAnalyticsSettings.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of SecurityMLAnalyticsSettings", + "items": { + "$ref": "#/definitions/SecurityMLAnalyticsSetting" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "AnomalySecurityMLAnalyticsSettings": { + "allOf": [ + { + "$ref": "#/definitions/SecurityMLAnalyticsSetting" + } + ], + "description": "Represents Anomaly Security ML Analytics Settings", + "properties": { + "properties": { + "$ref": "#/definitions/AnomalySecurityMLAnalyticsSettingsProperties", + "description": "Anomaly Security ML Analytics Settings properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Anomaly" + }, + "AnomalySecurityMLAnalyticsSettingsProperties": { + "description": "AnomalySecurityMLAnalytics settings base property bag.", + "properties": { + "description": { + "description": "The description of the SecurityMLAnalyticsSettings.", + "type": "string" + }, + "displayName": { + "description": "The display name for settings created by this SecurityMLAnalyticsSettings.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this settings is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this SecurityMLAnalyticsSettings has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data sources for this SecurityMLAnalyticsSettings", + "items": { + "$ref": "#/definitions/SecurityMLAnalyticsSettingsDataSource" + }, + "x-ms-identifiers": [ + "connectorId" + ], + "type": "array" + }, + "tactics": { + "description": "The tactics of the SecurityMLAnalyticsSettings", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array" + }, + "techniques": { + "description": "The techniques of the SecurityMLAnalyticsSettings", + "items": { + "type": "string" + }, + "type": "array" + }, + "anomalyVersion": { + "description": "The anomaly version of the AnomalySecurityMLAnalyticsSettings.", + "type": "string" + }, + "customizableObservations": { + "description": "The customizable observations of the AnomalySecurityMLAnalyticsSettings.", + "type": "object" + }, + "frequency": { + "description": "The frequency that this SecurityMLAnalyticsSettings will be run.", + "format": "duration", + "type": "string" + }, + "settingsStatus": { + "$ref": "#/definitions/AnomalySecurityMLAnalyticsSettingsStatus", + "description": "The anomaly SecurityMLAnalyticsSettings status" + }, + "isDefaultSettings": { + "description": "Determines whether this anomaly security ml analytics settings is a default settings", + "type": "boolean" + }, + "anomalySettingsVersion": { + "description": "The anomaly settings version of the Anomaly security ml analytics settings that dictates whether job version gets updated or not.", + "type": "integer", + "format": "int32" + }, + "settingsDefinitionId": { + "description": "The anomaly settings definition Id", + "format": "uuid", + "type": "string" + } + }, + "required": [ + "displayName", + "enabled", + "anomalyVersion", + "frequency", + "settingsStatus", + "isDefaultSettings" + ], + "type": "object" + }, + "SecurityMLAnalyticsSettingsDataSource": { + "description": "security ml analytics settings data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" + }, + "dataTypes": { + "description": "The data types used by the security ml analytics settings", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "AnomalySecurityMLAnalyticsSettingsStatus": { + "description": "The anomaly SecurityMLAnalyticsSettings status", + "enum": [ + "Production", + "Flighting" + ], + "type": "string", + "x-ms-enum": { + "name": "SettingsStatus", + "modelAsString": true, + "values": [ + { + "description": "Anomaly settings status in Production mode", + "value": "Production" + }, + { + "description": "Anomaly settings status in Flighting mode", + "value": "Flighting" + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json new file mode 100644 index 000000000000..cc7389676ab8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json @@ -0,0 +1,423 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": { + "get": { + "x-ms-examples": { + "Get all settings.": { + "$ref": "./examples/settings/GetAllSettings.json" + } + }, + "tags": [ + "Settings" + ], + "description": "List of all the settings", + "operationId": "ProductSettings_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SettingList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": { + "get": { + "x-ms-examples": { + "Get EyesOn settings.": { + "$ref": "./examples/settings/GetEyesOnSetting.json" + } + }, + "tags": [ + "Settings" + ], + "description": "Gets a setting.", + "operationId": "ProductSettings_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Settings" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete EyesOn settings.": { + "$ref": "./examples/settings/DeleteEyesOnSetting.json" + } + }, + "tags": [ + "Settings" + ], + "description": "Delete setting of the product.", + "operationId": "ProductSettings_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Update EyesOn settings.": { + "$ref": "./examples/settings/UpdateEyesOnSetting.json" + } + }, + "tags": [ + "Settings" + ], + "description": "Updates setting.", + "operationId": "ProductSettings_Update", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" + }, + { + "$ref": "#/parameters/Settings" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Settings" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "SettingList": { + "description": "List of all the settings.", + "properties": { + "value": { + "description": "Array of settings.", + "items": { + "$ref": "#/definitions/Settings" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "Settings": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "The Setting.", + "properties": { + "kind": { + "description": "The kind of the setting", + "enum": [ + "Anomalies", + "EyesOn", + "EntityAnalytics", + "Ueba" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" + } + } + }, + "required": [ + "kind" + ], + "discriminator": "kind", + "type": "object" + }, + "Anomalies": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/AnomaliesSettingsProperties", + "description": "Anomalies properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Anomalies" + }, + "AnomaliesSettingsProperties": { + "description": "Anomalies property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" + } + }, + "type": "object" + }, + "EyesOn": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/EyesOnSettingsProperties", + "description": "EyesOn properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "EyesOn" + }, + "EyesOnSettingsProperties": { + "description": "EyesOn property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" + } + }, + "type": "object" + }, + "EntityAnalytics": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/EntityAnalyticsProperties", + "description": "EntityAnalytics properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "EntityAnalytics" + }, + "EntityAnalyticsProperties": { + "description": "EntityAnalytics property bag.", + "properties": { + "entityProviders": { + "description": "The relevant entity providers that are synced", + "items": { + "$ref": "#/definitions/EntityProviders" + }, + "type": "array" + } + }, + "type": "object" + }, + "EntityProviders": { + "description": "The entity provider that is synced.", + "enum": [ + "ActiveDirectory", + "AzureActiveDirectory" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityProviders" + } + }, + "Ueba": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/UebaProperties", + "description": "Ueba properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Ueba" + }, + "UebaProperties": { + "description": "Ueba property bag.", + "properties": { + "dataSources": { + "description": "The relevant data sources that enriched by ueba", + "items": { + "$ref": "#/definitions/UebaDataSources" + }, + "type": "array" + } + }, + "type": "object" + }, + "UebaDataSources": { + "description": "The data source that enriched by ueba.", + "enum": [ + "AuditLogs", + "AzureActivity", + "SecurityEvent", + "SigninLogs" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "UebaDataSources" + } + } + }, + "parameters": { + "Settings": { + "description": "The setting", + "in": "body", + "name": "settings", + "required": true, + "schema": { + "$ref": "#/definitions/Settings" + }, + "x-ms-parameter-location": "method" + }, + "SettingsName": { + "description": "The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba", + "in": "path", + "name": "settingsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json new file mode 100644 index 000000000000..9ded499f5f19 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json @@ -0,0 +1,735 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/listRepositories": { + "post": { + "x-ms-examples": { + "Get repository list.": { + "$ref": "./examples/repositories/GetRepositories.json" + } + }, + "tags": [ + "Repositories" + ], + "description": "Gets a list of repositories metadata.", + "operationId": "SourceControl_listRepositories", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RepoTypeParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RepoList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols": { + "get": { + "x-ms-examples": { + "Get all source controls.": { + "$ref": "./examples/sourcecontrols/GetSourceControls.json" + } + }, + "tags": [ + "SourceControls" + ], + "description": "Gets all source controls, without source control items.", + "operationId": "SourceControls_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SourceControlList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/sourcecontrols/{sourceControlId}": { + "get": { + "x-ms-examples": { + "Get a source control.": { + "$ref": "./examples/sourcecontrols/GetSourceControlById.json" + } + }, + "tags": [ + "SourceControls" + ], + "description": "Gets a source control byt its identifier.", + "operationId": "SourceControls_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SourceControlIdParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SourceControl" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a source control.": { + "$ref": "./examples/sourcecontrols/DeleteSourceControl.json" + } + }, + "tags": [ + "SourceControls" + ], + "description": "Delete a source control.", + "operationId": "SourceControls_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SourceControlIdParameter" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates a source control.": { + "$ref": "./examples/sourcecontrols/CreateSourceControl.json" + } + }, + "tags": [ + "SourceControls" + ], + "description": "Creates a source control.", + "operationId": "SourceControls_Create", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SourceControlIdParameter" + }, + { + "$ref": "#/parameters/SourceControl" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SourceControl" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/SourceControl" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "RepoList": { + "description": "List all the source controls.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of repositories.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of repositories.", + "items": { + "$ref": "#/definitions/Repo" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "Repo": { + "description": "Represents a repository.", + "properties": { + "url": { + "description": "The url to access the repository.", + "type": "string" + }, + "fullName": { + "description": "The name of the repository.", + "type": "string" + }, + "branches": { + "description": "Array of branches.", + "items": { + "description": "name of branch.", + "type": "string" + }, + "type": "array" + } + }, + "x-ms-azure-resource": false, + "type": "object" + }, + "SourceControlList": { + "description": "List all the source controls.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of source controls.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of source controls.", + "items": { + "$ref": "#/definitions/SourceControl" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "SourceControl": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a SourceControl in Azure Security Insights.", + "properties": { + "properties": { + "description": "source control properties", + "$ref": "#/definitions/SourceControlProperties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "SourceControlProperties": { + "description": "Describes source control properties", + "properties": { + "id": { + "description": "The id (a Guid) of the source control", + "type": "string" + }, + "version": { + "$ref": "#/definitions/Version", + "description": "The version number associated with the source control", + "type": "string" + }, + "displayName": { + "description": "The display name of the source control", + "type": "string" + }, + "description": { + "description": "A description of the source control", + "type": "string" + }, + "repoType": { + "$ref": "#/definitions/RepoType", + "description": "The repository type of the source control", + "type": "string" + }, + "contentTypes": { + "description": "Array of source control content types.", + "items": { + "$ref": "#/definitions/ContentType" + }, + "type": "array" + }, + "repository": { + "description": "Repository metadata.", + "$ref": "#/definitions/Repository" + }, + "repositoryResourceInfo": { + "description": "Information regarding the resources created in user's repository.", + "$ref": "#/definitions/RepositoryResourceInfo" + }, + "lastDeploymentInfo": { + "description": "Information regarding the latest deployment for the source control.", + "$ref": "#/definitions/DeploymentInfo" + } + }, + "required": [ + "displayName", + "repoType", + "contentTypes", + "repository" + ], + "type": "object" + }, + "Repository": { + "type": "object", + "description": "metadata of a repository.", + "properties": { + "url": { + "description": "Url of repository.", + "type": "string" + }, + "branch": { + "description": "Branch name of repository.", + "type": "string" + }, + "displayUrl": { + "description": "Display url of repository.", + "type": "string" + }, + "deploymentLogsUrl": { + "description": "Url to access repository action logs.", + "type": "string" + }, + "pathMapping": { + "description": "Dictionary of source control content type and path mapping.", + "items": { + "$ref": "#/definitions/ContentPathMap" + }, + "type": "array", + "x-ms-identifiers": [] + } + } + }, + "RepositoryResourceInfo": { + "type": "object", + "description": "Resources created in user's repository for the source-control.", + "properties": { + "webhook": { + "type": "object", + "description": "The webhook object created for the source-control.", + "$ref": "#/definitions/Webhook" + }, + "gitHubResourceInfo": { + "type": "object", + "description": "Resources created in GitHub for this source-control.", + "$ref": "#/definitions/GitHubResourceInfo" + }, + "azureDevOpsResourceInfo": { + "type": "object", + "description": "Resources created in Azure DevOps for this source-control.", + "$ref": "#/definitions/AzureDevOpsResourceInfo" + } + } + }, + "Webhook": { + "description": "Detail about the webhook object.", + "type": "object", + "properties": { + "webhookId": { + "description": "Unique identifier for the webhook.", + "type": "string" + }, + "webhookUrl": { + "description": "URL that gets invoked by the webhook.", + "type": "string" + }, + "webhookSecretUpdateTime": { + "description": "Time when the webhook secret was updated.", + "type": "string" + }, + "rotateWebhookSecret": { + "description": "A flag to instruct the backend service to rotate webhook secret.", + "type": "boolean" + } + } + }, + "GitHubResourceInfo": { + "description": "Resources created in GitHub repository.", + "type": "object", + "properties": { + "appInstallationId": { + "description": "GitHub application installation id.", + "type": "string" + } + } + }, + "AzureDevOpsResourceInfo": { + "description": "Resources created in Azure DevOps repository.", + "type": "object", + "properties": { + "pipelineId": { + "description": "Id of the pipeline created for the source-control.", + "type": "string" + }, + "serviceConnectionId": { + "description": "Id of the service-connection created for the source-control.", + "type": "string" + } + } + }, + "DeploymentInfo": { + "description": "Information regarding a deployment.", + "type": "object", + "properties": { + "deploymentFetchStatus": { + "$ref": "#/definitions/DeploymentFetchStatus", + "description": "Status while fetching the last deployment.", + "type": "string" + }, + "deployment": { + "$ref": "#/definitions/Deployment", + "description": "Deployment information.", + "type": "object" + }, + "message": { + "description": "Additional details about the deployment that can be shown to the user.", + "type": "string" + } + } + }, + "Deployment": { + "description": "Description about a deployment.", + "type": "object", + "properties": { + "deploymentId": { + "description": "Deployment identifier.", + "type": "string" + }, + "deploymentState": { + "$ref": "#/definitions/DeploymentState", + "description": "Current status of the deployment.", + "type": "string" + }, + "deploymentResult": { + "$ref": "#/definitions/DeploymentResult", + "description": "The outcome of the deployment.", + "type": "string" + }, + "deploymentTime": { + "format": "date-time", + "description": "The time when the deployment finished.", + "type": "string" + }, + "deploymentLogsUrl": { + "description": "Url to access repository action logs.", + "type": "string" + } + } + }, + "ContentPathMap": { + "description": "The mapping of content type to a repo path.", + "properties": { + "contentType": { + "$ref": "#/definitions/ContentType", + "description": "Content type.", + "type": "string" + }, + "path": { + "description": "The path to the content.", + "type": "string" + } + }, + "type": "object" + }, + "ContentType": { + "description": "The content type of a source control path.", + "enum": [ + "AnalyticRule", + "Workbook" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ContentType", + "values": [ + { + "value": "AnalyticRule" + }, + { + "value": "Workbook" + } + ] + } + }, + "RepoType": { + "description": "The type of repository.", + "enum": [ + "Github", + "DevOps" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RepoType", + "values": [ + { + "value": "Github" + }, + { + "value": "DevOps" + } + ] + } + }, + "Version": { + "description": "The version of the source control.", + "enum": [ + "V1", + "V2" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "Version", + "values": [ + { + "value": "V1" + }, + { + "value": "V2" + } + ] + } + }, + "DeploymentFetchStatus": { + "description": "Status while trying to fetch the deployment information.", + "enum": [ + "Success", + "Unauthorized", + "NotFound" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DeploymentFetchStatus", + "values": [ + { + "value": "Success" + }, + { + "value": "Unauthorized" + }, + { + "value": "NotFound" + } + ] + } + }, + "DeploymentState": { + "description": "The current state of the deployment.", + "enum": [ + "In_Progress", + "Completed", + "Queued", + "Canceling" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DeploymentState", + "values": [ + { + "value": "In_Progress" + }, + { + "value": "Completed" + }, + { + "value": "Queued" + }, + { + "value": "Canceling" + } + ] + } + }, + "DeploymentResult": { + "description": "Status while trying to fetch the deployment information.", + "enum": [ + "Success", + "Canceled", + "Failed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DeploymentResult", + "values": [ + { + "value": "Success" + }, + { + "value": "Canceled" + }, + { + "value": "Failed" + } + ] + } + } + }, + "parameters": { + "RepoTypeParameter": { + "description": "The repo type.", + "in": "body", + "name": "repoType", + "required": true, + "schema": { + "$ref": "#/definitions/RepoType" + }, + "x-ms-parameter-location": "method" + }, + "SourceControlIdParameter": { + "description": "Source control Id", + "in": "path", + "name": "sourceControlId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SourceControl": { + "description": "The SourceControl", + "in": "body", + "name": "sourceControl", + "required": true, + "schema": { + "$ref": "#/definitions/SourceControl" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json new file mode 100644 index 000000000000..bcd6ab025dc7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json @@ -0,0 +1,1097 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": { + "post": { + "x-ms-examples": { + "Create a new Threat Intelligence": { + "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Create a new threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_CreateIndicator", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceProperties" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to create indicators.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": { + "get": { + "x-ms-examples": { + "Get all threat intelligence indicators": { + "$ref": "./examples/threatintelligence/GetThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Get all threat intelligence indicators.", + "operationId": "ThreatIntelligenceIndicators_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed to get indicators.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": { + "get": { + "x-ms-examples": { + "View a threat intelligence indicator by name": { + "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "View a threat intelligence indicator by name.", + "operationId": "ThreatIntelligenceIndicator_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to view an indicator.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Update a threat Intelligence indicator": { + "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Update a threat Intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Create", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceProperties" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to update an indicator.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Delete a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed to delete an indicator.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": { + "post": { + "x-ms-examples": { + "Query threat intelligence indicators as per filtering criteria": { + "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Query threat intelligence indicators as per filtering criteria.", + "operationId": "ThreatIntelligenceIndicator_QueryIndicators", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": { + "get": { + "x-ms-examples": { + "Get threat intelligence indicators metrics.": { + "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).", + "operationId": "ThreatIntelligenceIndicatorMetrics_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceMetricsList" + } + }, + "default": { + "description": "Error response describing why the operation failed to get metrics.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": { + "post": { + "x-ms-examples": { + "Append tags to a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Append tags to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_AppendTags", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceAppendTags" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "default": { + "description": "Error response describing why the operation failed to append tags.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": { + "post": { + "x-ms-examples": { + "Replace tags to a Threat Intelligence": { + "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Replace tags added to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_ReplaceTags", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceReplaceTags" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to replace tags.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "ThreatIntelligenceName": { + "description": "Threat intelligence indicator name field.", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceProperties": { + "description": "Properties of threat intelligence indicators to create and update.", + "in": "body", + "name": "ThreatIntelligenceProperties", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorModel" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceReplaceTags": { + "description": "Tags in the threat intelligence indicator to be replaced.", + "in": "body", + "name": "ThreatIntelligenceReplaceTags", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorModel" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceFilteringCriteria": { + "description": "Filtering criteria for querying threat intelligence indicators.", + "in": "body", + "name": "ThreatIntelligenceFilteringCriteria", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceIndicatorEntityKind": { + "description": "The threat intelligence entity kind", + "in": "query", + "name": "ctiEntityKind", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceAppendTags": { + "description": "The threat intelligence append tags request body", + "in": "body", + "name": "ThreatIntelligenceAppendTags", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceAppendTags" + }, + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "ThreatIntelligenceInformationList": { + "description": "List of all the threat intelligence information objects.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of information objects.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of threat intelligence information objects.", + "items": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "ThreatIntelligenceInformation": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Threat intelligence information object.", + "properties": { + "kind": { + "$ref": "#/definitions/ThreatIntelligenceResourceInnerKind", + "description": "The kind of the entity." + } + }, + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "ThreatIntelligenceIndicatorModel": { + "allOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + ], + "description": "Threat intelligence indicator entity.", + "properties": { + "properties": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "indicator" + }, + "ThreatIntelligenceResourceInnerKind": { + "description": "The kind of the threat intelligence entity", + "enum": [ + "indicator" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceResourceKindEnum", + "values": [ + { + "description": "Entity represents threat intelligence indicator in the system.", + "value": "indicator" + } + ] + } + }, + "ThreatIntelligenceIndicatorProperties": { + "allOf": [ + { + "$ref": "./common/EntityTypes.json#/definitions/EntityCommonProperties" + } + ], + "description": "Describes threat intelligence entity properties", + "properties": { + "threatIntelligenceTags": { + "description": "List of tags", + "items": { + "description": "tag", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "lastUpdatedTimeUtc": { + "description": "Last updated time in UTC", + "type": "string" + }, + "source": { + "description": "Source of a threat intelligence entity", + "type": "string" + }, + "displayName": { + "description": "Display name of a threat intelligence entity", + "type": "string" + }, + "description": { + "description": "Description of a threat intelligence entity", + "type": "string" + }, + "indicatorTypes": { + "description": "Indicator types of threat intelligence entities", + "items": { + "description": "Indicator type of a threat intelligence entity", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "pattern": { + "description": "Pattern of a threat intelligence entity", + "type": "string" + }, + "patternType": { + "description": "Pattern type of a threat intelligence entity", + "type": "string" + }, + "patternVersion": { + "description": "Pattern version of a threat intelligence entity", + "type": "string" + }, + "killChainPhases": { + "description": "Kill chain phases", + "items": { + "description": "Kill chain phase", + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "parsedPattern": { + "description": "Parsed patterns", + "items": { + "description": "Parsed pattern", + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "externalId": { + "description": "External ID of threat intelligence entity", + "type": "string" + }, + "createdByRef": { + "description": "Created by reference of threat intelligence entity", + "type": "string" + }, + "defanged": { + "description": "Is threat intelligence entity defanged", + "type": "boolean" + }, + "externalLastUpdatedTimeUtc": { + "description": "External last updated time in UTC", + "type": "string" + }, + "externalReferences": { + "description": "External References", + "items": { + "description": "external_reference", + "$ref": "#/definitions/ThreatIntelligenceExternalReference" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "granularMarkings": { + "description": "Granular Markings", + "items": { + "description": "Granular marking", + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "labels": { + "description": "Labels of threat intelligence entity", + "items": { + "description": "label", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "revoked": { + "description": "Is threat intelligence entity revoked", + "type": "boolean" + }, + "confidence": { + "description": "Confidence of threat intelligence entity", + "type": "integer", + "format": "int32" + }, + "objectMarkingRefs": { + "description": "Threat intelligence entity object marking references", + "items": { + "description": "Threat intelligence entity object marking reference", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "language": { + "description": "Language of threat intelligence entity", + "type": "string" + }, + "threatTypes": { + "description": "Threat types", + "items": { + "description": "Threat type", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "validFrom": { + "description": "Valid from", + "type": "string" + }, + "validUntil": { + "description": "Valid until", + "type": "string" + }, + "created": { + "description": "Created by", + "type": "string" + }, + "modified": { + "description": "Modified by", + "type": "string" + }, + "extensions": { + "description": "Extensions map", + "type": "object", + "additionalProperties": {} + } + }, + "type": "object" + }, + "ThreatIntelligenceKillChainPhase": { + "description": "Describes threat kill chain phase entity", + "properties": { + "killChainName": { + "description": "Kill chainName name", + "type": "string" + }, + "phaseName": { + "description": "Phase name", + "type": "string" + } + }, + "type": "object" + }, + "ThreatIntelligenceParsedPattern": { + "description": "Describes parsed pattern entity", + "properties": { + "patternTypeKey": { + "description": "Pattern type key", + "type": "string" + }, + "patternTypeValues": { + "description": "Pattern type keys", + "items": { + "description": "Pattern type key", + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "description": "Describes threat kill chain phase entity", + "properties": { + "valueType": { + "description": "Type of the value", + "type": "string" + }, + "value": { + "description": "Value of parsed pattern", + "type": "string" + } + }, + "type": "object" + }, + "ThreatIntelligenceGranularMarkingModel": { + "description": "Describes threat granular marking model entity", + "properties": { + "language": { + "description": "Language granular marking model", + "type": "string" + }, + "markingRef": { + "description": "marking reference granular marking model", + "type": "integer", + "format": "int32" + }, + "selectors": { + "description": "granular marking model selectors", + "items": { + "description": "granular marking model selector", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "ThreatIntelligenceExternalReference": { + "description": "Describes external reference", + "properties": { + "description": { + "description": "External reference description", + "type": "string" + }, + "externalId": { + "description": "External reference ID", + "type": "string" + }, + "sourceName": { + "description": "External reference source name", + "type": "string" + }, + "url": { + "description": "External reference URL", + "type": "string" + }, + "hashes": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "External reference hashes" + } + }, + "type": "object" + }, + "ThreatIntelligenceFilteringCriteria": { + "description": "Filtering criteria for querying threat intelligence indicators.", + "properties": { + "pageSize": { + "description": "Page size", + "type": "integer", + "format": "int32" + }, + "minConfidence": { + "description": "Minimum confidence.", + "type": "integer", + "format": "int32" + }, + "maxConfidence": { + "description": "Maximum confidence.", + "type": "integer", + "format": "int32" + }, + "minValidUntil": { + "description": "Start time for ValidUntil filter.", + "type": "string" + }, + "maxValidUntil": { + "description": "End time for ValidUntil filter.", + "type": "string" + }, + "includeDisabled": { + "description": "Parameter to include/exclude disabled indicators.", + "type": "boolean" + }, + "sortBy": { + "description": "Columns to sort by and sorting order", + "items": { + "description": "Sort By", + "$ref": "#/definitions/ThreatIntelligenceSortingCriteria" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "sources": { + "description": "Sources of threat intelligence indicators", + "items": { + "description": "Source", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "patternTypes": { + "description": "Pattern types", + "items": { + "description": "Pattern type", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "threatTypes": { + "description": "Threat types of threat intelligence indicators", + "items": { + "description": "Threat type of a threat intelligence indicator", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "ids": { + "description": "Ids of threat intelligence indicators", + "items": { + "description": "Id of a threat intelligence indicator", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "keywords": { + "description": "Keywords for searching threat intelligence indicators", + "items": { + "description": "keyword for searching threat intelligence indicators", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "skipToken": { + "description": "Skip token.", + "type": "string" + } + }, + "type": "object" + }, + "ThreatIntelligenceSortingCriteria": { + "description": "List of available columns for sorting", + "properties": { + "itemKey": { + "description": "Column name", + "type": "string" + }, + "sortOrder": { + "$ref": "#/definitions/ThreatIntelligenceSortingOrder", + "description": "Sorting order (ascending/descending/unsorted)." + } + }, + "type": "object" + }, + "ThreatIntelligenceSortingOrder": { + "description": "Sorting order (ascending/descending/unsorted).", + "enum": [ + "unsorted", + "ascending", + "descending" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceSortingCriteriaEnum", + "values": [ + { + "value": "unsorted" + }, + { + "value": "ascending" + }, + { + "value": "descending" + } + ] + } + }, + "ThreatIntelligenceAppendTags": { + "description": "Array of tags to be appended to the threat intelligence indicator.", + "properties": { + "threatIntelligenceTags": { + "description": "List of tags to be appended.", + "items": { + "description": "parameter", + "type": "string" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "ThreatIntelligenceMetricsList": { + "description": "List of all the threat intelligence metric fields (type/threat type/source).", + "properties": { + "value": { + "description": "Array of threat intelligence metric fields (type/threat type/source).", + "items": { + "$ref": "#/definitions/ThreatIntelligenceMetrics" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "ThreatIntelligenceMetrics": { + "description": "Threat intelligence metrics.", + "properties": { + "properties": { + "description": "Threat intelligence metrics.", + "$ref": "#/definitions/ThreatIntelligenceMetric" + } + }, + "type": "object" + }, + "ThreatIntelligenceMetric": { + "description": "Describes threat intelligence metric", + "properties": { + "lastUpdatedTimeUtc": { + "description": "Last updated indicator metric", + "type": "string" + }, + "threatTypeMetrics": { + "description": "Threat type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "patternTypeMetrics": { + "description": "Pattern type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "sourceMetrics": { + "description": "Source metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "ThreatIntelligenceMetricEntity": { + "description": "Describes threat intelligence metric entity", + "properties": { + "metricName": { + "description": "Metric name", + "type": "string" + }, + "metricValue": { + "description": "Metric value", + "type": "integer", + "format": "int32" + } + }, + "type": "object" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json new file mode 100644 index 000000000000..c927dd6098de --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json @@ -0,0 +1,353 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/{ruleRunId}": { + "get": { + "tags": [ + "triggered analytics rule run" + ], + "description": "Gets the triggered analytics rule run.", + "operationId": "triggeredAnalyticsRuleRun_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "description": "the triggered rule id", + "in": "path", + "name": "ruleRunId", + "required": true, + "type": "string" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/TriggeredAnalyticsRuleRun" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "triggeredAnalyticsRuleRun_Get": { + "$ref": "./examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns": { + "get": { + "tags": [ + "triggered analytics rule runs" + ], + "description": "Gets the triggered analytics rule runs.", + "operationId": "getTriggeredAnalyticsRuleRuns_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/TriggeredAnalyticsRuleRuns" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "triggeredAnalyticsRuleRuns_Get": { + "$ref": "./examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/triggerRuleRun": { + "post": { + "tags": [ + "trigger analytics rule run" + ], + "description": "triggers analytics rule run", + "operationId": "alertRule_TriggerRuleRun", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/RuleId" + }, + { + "$ref": "#/parameters/AnalyticsRuleRunTriggerParameter" + } + ], + "responses": { + "202": { + "description": "The analytics rule run was successfully triggered.", + "headers": { + "Location": { + "type": "string" + } + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "triggerRuleRun_Post": { + "$ref": "./examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json" + } + }, + "x-ms-long-running-operation": true, + "x-ms-long-running-operation-options": { + "final-state-via": "location" + } + } + } + }, + "definitions": { + "ProvisioningState": { + "enum": [ + "Accepted", + "InProgress", + "Succeeded", + "Failed", + "Canceled" + ], + "description": "The triggered analytics rule run provisioning state", + "type": "string", + "example": "Accepted", + "x-ms-enum": { + "name": "ProvisioningState", + "modelAsString": true, + "values": [ + { + "value": "Accepted" + }, + { + "value": "InProgress" + }, + { + "value": "Succeeded" + }, + { + "value": "Failed" + }, + { + "value": "Canceled" + } + ] + } + }, + "TriggeredAnalyticsRuleRun": { + "required": [ + "properties" + ], + "description": "The triggered analytics rule run", + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/TriggeredAnalyticsRuleRunProperties", + "x-ms-client-flatten": true + } + } + }, + "TriggeredAnalyticsRuleRunProperties": { + "required": [ + "executionTimeUtc", + "provisioningState", + "ruleId", + "triggeredAnalyticsRuleRunId" + ], + "description": "The triggered analytics rule run Properties", + "type": "object", + "properties": { + "executionTimeUtc": { + "format": "date-time", + "type": "string" + }, + "ruleId": { + "type": "string" + }, + "triggeredAnalyticsRuleRunId": { + "type": "string" + }, + "provisioningState": { + "$ref": "#/definitions/ProvisioningState" + }, + "ruleRunAdditionalData": { + "type": "object", + "additionalProperties": {} + } + } + }, + "TriggeredAnalyticsRuleRuns": { + "required": [ + "value" + ], + "description": "The triggered analytics rule run array", + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/TriggeredAnalyticsRuleRun" + } + }, + "nextLink": { + "type": "string", + "readOnly": true + } + } + }, + "AnalyticsRuleRunTriggerProperties": { + "required": [ + "executionTimeUtc" + ], + "description": "The Analytics Rule Run Trigger properties", + "type": "object", + "properties": { + "executionTimeUtc": { + "format": "date-time", + "type": "string" + } + } + }, + "AnalyticsRuleRunTrigger": { + "required": [ + "properties" + ], + "description": "Analytics Rule Run Trigger request", + "properties": { + "properties": { + "$ref": "#/definitions/AnalyticsRuleRunTriggerProperties", + "description": "The analytics Rule Run Trigger request", + "x-ms-client-flatten": true + } + }, + "type": "object" + } + }, + "parameters": { + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AnalyticsRuleRunTriggerParameter": { + "description": "The Analytics Rule Run Trigger parameter", + "in": "body", + "name": "analyticsRuleRunTriggerParameter", + "required": true, + "schema": { + "$ref": "#/definitions/AnalyticsRuleRunTrigger" + }, + "x-ms-parameter-location": "method" + } + }, + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "flow": "implicit", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "scopes": { + "user_impersonation": "impersonate your user account" + }, + "description": "Azure Active Directory OAuth2 Flow" + } + }, + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "tags": [ + { + "name": "AnalyticsOnDemandArm", + "description": "Controller that handles requests for triggeredAnalyticsRuleRuns ARM API." + }, + { + "name": "AnalyticsOnDemandArm", + "description": "Triggered Analytics Rule Runs" + } + ], + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "consumes": [ + "application/json" + ] +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json new file mode 100644 index 000000000000..ed0a8759fb35 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json @@ -0,0 +1,721 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { + "get": { + "x-ms-examples": { + "Get all watchlists.": { + "$ref": "./examples/watchlists/GetWatchlists.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Gets all watchlists, without watchlist items.", + "operationId": "Watchlists_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { + "get": { + "x-ms-examples": { + "Get a watchlist.": { + "$ref": "./examples/watchlists/GetWatchlistByAlias.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "Watchlists_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a watchlist.": { + "$ref": "./examples/watchlists/DeleteWatchlist.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Delete a watchlist.", + "operationId": "Watchlists_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK", + "headers": { + "Azure-AsyncOperation": { + "description": "Contains the status URL on which clients are expected to poll the status of the delete operation.", + "type": "string" + } + } + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a watchlist.": { + "$ref": "./examples/watchlists/CreateWatchlist.json" + }, + "Creates or updates a watchlist and bulk creates watchlist items.": { + "$ref": "./examples/watchlists/CreateWatchlistAndWatchlistItems.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with either rawContent or a valid SAR URI and contentType properties. The rawContent is mainly used for small watchlist (content size below 3.8 MB). The SAS URI enables the creation of large watchlist, where the content size can go up to 500 MB. The status of processing such large file can be polled through the URL returned in Azure-AsyncOperation header.", + "operationId": "Watchlists_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/Watchlist" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "201": { + "description": "Created. The response includes the Provisioning State and the Azure-AsyncOperation header. To get the progress of the operation, call GET operation on the URL in Azure-AsyncOperation header field.", + "schema": { + "$ref": "#/definitions/Watchlist" + }, + "headers": { + "Azure-AsyncOperation": { + "description": "Contains the status URL on which clients are expected to poll the status of the operation.", + "type": "string" + } + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { + "get": { + "x-ms-examples": { + "Get all watchlist Items.": { + "$ref": "./examples/watchlists/GetWatchlistItems.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Gets all watchlist Items.", + "operationId": "WatchlistItems_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItemList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { + "get": { + "x-ms-examples": { + "Get a watchlist item.": { + "$ref": "./examples/watchlists/GetWatchlistItemById.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "WatchlistItems_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a watchlist Item.": { + "$ref": "./examples/watchlists/DeleteWatchlistItem.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Delete a watchlist item.", + "operationId": "WatchlistItems_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a watchlist item.": { + "$ref": "./examples/watchlists/CreateWatchlistItem.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Creates or updates a watchlist item.", + "operationId": "WatchlistItems_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + }, + { + "$ref": "#/parameters/WatchlistItem" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "WatchlistList": { + "description": "List all the watchlists.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlists.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist.", + "items": { + "$ref": "#/definitions/Watchlist" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Watchlist": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/WatchlistProperties", + "description": "Watchlist properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WatchlistProperties": { + "description": "Describes watchlist properties", + "properties": { + "watchlistId": { + "description": "The id (a Guid) of the watchlist", + "type": "string" + }, + "displayName": { + "description": "The display name of the watchlist", + "type": "string" + }, + "provider": { + "description": "The provider of the watchlist", + "type": "string" + }, + "source": { + "description": "The filename of the watchlist, called 'source'", + "type": "string" + }, + "sourceType": { + "description": "The sourceType of the watchlist", + "enum": [ + "Local file", + "Remote storage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "sourceType" + } + }, + "created": { + "description": "The time the watchlist was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" + }, + "updatedBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" + }, + "description": { + "description": "A description of the watchlist", + "type": "string" + }, + "watchlistType": { + "description": "The type of the watchlist", + "type": "string" + }, + "watchlistAlias": { + "description": "The alias of the watchlist", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist is deleted or not", + "type": "boolean" + }, + "labels": { + "description": "List of labels relevant to this watchlist", + "items": { + "$ref": "../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array" + }, + "defaultDuration": { + "description": "The default duration of a watchlist (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "tenantId": { + "description": "The tenantId where the watchlist belongs to", + "type": "string" + }, + "numberOfLinesToSkip": { + "description": "The number of lines in a csv/tsv content to skip before the header", + "type": "integer", + "format": "int32" + }, + "rawContent": { + "description": "The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + "type": "string" + }, + "itemsSearchKey": { + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.", + "type": "string" + }, + "contentType": { + "description": "The content type of the raw content. Example : text/csv or text/tsv ", + "type": "string" + }, + "uploadStatus": { + "description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", + "type": "string" + } + }, + "required": [ + "displayName", + "provider", + "itemsSearchKey" + ], + "type": "object" + }, + "WatchlistItemList": { + "description": "List all the watchlist items.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlist item.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist items.", + "items": { + "$ref": "#/definitions/WatchlistItem" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "WatchlistItem": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist item in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/WatchlistItemProperties", + "description": "Watchlist Item properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WatchlistItemProperties": { + "description": "Describes watchlist item properties", + "properties": { + "watchlistItemType": { + "description": "The type of the watchlist item", + "type": "string" + }, + "watchlistItemId": { + "description": "The id (a Guid) of the watchlist item", + "type": "string" + }, + "tenantId": { + "description": "The tenantId to which the watchlist item belongs to", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist item is deleted or not", + "type": "boolean" + }, + "created": { + "description": "The time the watchlist item was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist item was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that created the watchlist item", + "type": "object" + }, + "updatedBy": { + "$ref": "../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist item" + }, + "itemsKeyValue": { + "description": "key-value pairs for a watchlist item", + "type": "object", + "additionalProperties": {} + }, + "entityMapping": { + "description": "key-value pairs for a watchlist item entity mapping", + "type": "object", + "additionalProperties": {} + } + }, + "required": [ + "itemsKeyValue" + ], + "type": "object" + } + }, + "parameters": { + "WatchlistAlias": { + "description": "Watchlist Alias", + "in": "path", + "name": "watchlistAlias", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Watchlist": { + "description": "The watchlist", + "in": "body", + "name": "watchlist", + "required": true, + "schema": { + "$ref": "#/definitions/Watchlist" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItem": { + "description": "The watchlist item", + "in": "body", + "name": "watchlistItem", + "required": true, + "schema": { + "$ref": "#/definitions/WatchlistItem" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItemId": { + "description": "Watchlist Item Id (GUID)", + "in": "path", + "name": "watchlistItemId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json new file mode 100644 index 000000000000..24580a69e2f0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json @@ -0,0 +1,81 @@ +{ + "swagger": "2.0", + "info": { + "version": "2023-03-01-preview", + "title": "Common Alert types" + }, + "paths": {}, + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "definitions": { + "AlertSeverityEnum": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "Reconnaissance", + "ResourceDevelopment", + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack", + "ImpairProcessControl", + "InhibitResponseFunction" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + } + }, + "parameters": {} +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json new file mode 100644 index 000000000000..b382fa069354 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json @@ -0,0 +1,2550 @@ +{ + "swagger": "2.0", + "info": { + "version": "2023-03-01-preview", + "title": "Common Entity types" + }, + "paths": {}, + "definitions": { + "AccountEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an account entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AccountEntityProperties", + "description": "Account entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Account" + }, + "AccountEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Account entity property bag.", + "properties": { + "aadTenantId": { + "description": "The Azure Active Directory tenant id.", + "readOnly": true, + "type": "string" + }, + "aadUserId": { + "description": "The Azure Active Directory user id.", + "readOnly": true, + "type": "string" + }, + "accountName": { + "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name of the account.", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this is a domain account.", + "readOnly": true, + "type": "boolean" + }, + "ntDomain": { + "description": "The NetBIOS domain name as it appears in the alert format domain/username. Examples: NT AUTHORITY.", + "readOnly": true, + "type": "string" + }, + "objectGuid": { + "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "puid": { + "description": "The Azure Active Directory Passport User ID.", + "readOnly": true, + "type": "string" + }, + "sid": { + "description": "The account security identifier, e.g. S-1-5-18.", + "readOnly": true, + "type": "string" + }, + "upnSuffix": { + "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", + "readOnly": true, + "type": "string" + }, + "dnsDomain": { + "description": "The fully qualified domain DNS name.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "AzureResourceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an azure resource entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AzureResourceEntityProperties", + "description": "AzureResource entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureResource" + }, + "AzureResourceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "AzureResource entity property bag.", + "properties": { + "resourceId": { + "description": "The azure resource id of the resource", + "readOnly": true, + "type": "string" + }, + "subscriptionId": { + "description": "The subscription id of the resource", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "CloudApplicationEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a cloud application entity.", + "properties": { + "properties": { + "$ref": "#/definitions/CloudApplicationEntityProperties", + "description": "CloudApplication entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "CloudApplication" + }, + "CloudApplicationEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "CloudApplication entity property bag.", + "properties": { + "appId": { + "description": "The technical identifier of the application.", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "appName": { + "description": "The name of the related cloud application.", + "readOnly": true, + "type": "string" + }, + "instanceName": { + "description": "The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "DnsEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a dns entity.", + "properties": { + "properties": { + "$ref": "#/definitions/DnsEntityProperties", + "description": "Dns entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "DnsResolution" + }, + "DnsEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Dns entity property bag.", + "properties": { + "dnsServerIpEntityId": { + "description": "An ip entity id for the dns server resolving the request", + "readOnly": true, + "type": "string" + }, + "domainName": { + "description": "The name of the dns record associated with the alert", + "readOnly": true, + "type": "string" + }, + "hostIpAddressEntityId": { + "description": "An ip entity id for the dns request client", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityIds": { + "description": "Ip entity identifiers for the resolved ip address.", + "items": { + "description": "Ip entity id", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "Entity": { + "allOf": [ + { + "$ref": "../../../../../../common-types/resource-management/v3/types.json#/definitions/Resource" + } + ], + "properties": { + "kind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the entity." + } + }, + "description": "Specific entity.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "EntityCommonProperties": { + "description": "Entity common property bag.", + "properties": { + "additionalData": { + "additionalProperties": true, + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "readOnly": true, + "type": "object" + }, + "friendlyName": { + "description": "The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "EntityInnerKind": { + "description": "The kind of the entity", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DnsResolution", + "FileHash", + "Ip", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "Url", + "IoTDevice", + "SecurityAlert", + "Bookmark", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail", + "Nic" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityKindEnum", + "values": [ + { + "description": "Entity represents account in the system.", + "value": "Account" + }, + { + "description": "Entity represents host in the system.", + "value": "Host" + }, + { + "description": "Entity represents file in the system.", + "value": "File" + }, + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns resolution in the system.", + "value": "DnsResolution" + }, + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": "Entity represents ip in the system.", + "value": "Ip" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, + { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "Url" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents bookmark in the system.", + "value": "Bookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" + }, + { + "description": "Entity represents network interface in the system.", + "value": "Nic" + } + ] + } + }, + "EntityInnerType": { + "description": "The type of the entity", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DNS", + "FileHash", + "IP", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "IoTDevice", + "SecurityAlert", + "HuntingBookmark", + "MailCluster", + "MailMessage", + "Mailbox", + "SubmissionMail", + "Nic" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityType", + "values": [ + { + "description": "Entity represents account in the system.", + "value": "Account" + }, + { + "description": "Entity represents host in the system.", + "value": "Host" + }, + { + "description": "Entity represents file in the system.", + "value": "File" + }, + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns in the system.", + "value": "DNS" + }, + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": "Entity represents ip in the system.", + "value": "IP" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, + { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "URL" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents HuntingBookmark in the system.", + "value": "HuntingBookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" + }, + { + "description": "Entity represents network interface in the system.", + "value": "Nic" + } + ] + } + }, + "EntityQueryKind": { + "description": "The kind of the entity query", + "enum": [ + "Expansion", + "Insight", + "Activity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityQueryKind", + "values": [ + { + "value": "Expansion" + }, + { + "value": "Insight" + }, + { + "value": "Activity" + } + ] + } + }, + "ExpansionResultAggregation": { + "description": "Information of a specific aggregation in the expansion result.", + "properties": { + "aggregationType": { + "description": "The common type of the aggregation. (for e.g. entity field name)", + "type": "string" + }, + "count": { + "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", + "type": "integer", + "format": "int32" + }, + "displayName": { + "description": "The display name of the aggregation by type.", + "type": "string" + }, + "entityKind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." + } + }, + "required": [ + "entityKind", + "count" + ], + "type": "object" + }, + "ExpansionResultsMetadata": { + "description": "Expansion result metadata.", + "properties": { + "aggregations": { + "description": "Information of the aggregated nodes in the expansion result.", + "items": { + "$ref": "#/definitions/ExpansionResultAggregation" + }, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "FileEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "File" + }, + "FileEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "File entity property bag.", + "properties": { + "directory": { + "description": "The full path to the file.", + "readOnly": true, + "type": "string" + }, + "fileHashEntityIds": { + "description": "The file hash entity identifiers associated with this file", + "items": { + "description": "file hash id", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "fileName": { + "description": "The file name without path (some alerts might not include path).", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id which the file belongs to", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "FileHashEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file hash entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileHashEntityProperties", + "description": "FileHash entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "FileHash" + }, + "FileHashEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "FileHash entity property bag.", + "properties": { + "algorithm": { + "description": "The hash algorithm type.", + "enum": [ + "Unknown", + "MD5", + "SHA1", + "SHA256", + "SHA256AC" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "FileHashAlgorithm", + "values": [ + { + "description": "Unknown hash algorithm", + "value": "Unknown" + }, + { + "description": "MD5 hash type", + "value": "MD5" + }, + { + "description": "SHA1 hash type", + "value": "SHA1" + }, + { + "description": "SHA256 hash type", + "value": "SHA256" + }, + { + "description": "SHA256 Authenticode hash type", + "value": "SHA256AC" + } + ] + } + }, + "hashValue": { + "description": "The file hash value.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "HostEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a host entity.", + "properties": { + "properties": { + "$ref": "#/definitions/HostEntityProperties", + "description": "Host entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Host" + }, + "HostEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Host entity property bag.", + "properties": { + "azureID": { + "description": "The azure resource id of the VM.", + "readOnly": true, + "type": "string" + }, + "dnsDomain": { + "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain", + "readOnly": true, + "type": "string" + }, + "hostName": { + "description": "The hostname without the domain suffix.", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this host belongs to a domain.", + "readOnly": true, + "type": "boolean" + }, + "netBiosName": { + "description": "The host name (pre-windows2000).", + "readOnly": true, + "type": "string" + }, + "ntDomain": { + "description": "The NT domain that this host belongs to.", + "readOnly": true, + "type": "string" + }, + "omsAgentID": { + "description": "The OMS agent id, if the host has OMS agent installed.", + "readOnly": true, + "type": "string" + }, + "osFamily": { + "description": "The operating system type.", + "enum": [ + "Linux", + "Windows", + "Android", + "IOS", + "Unknown" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "OSFamily", + "values": [ + { + "description": "Host with Linux operating system.", + "value": "Linux" + }, + { + "description": "Host with Windows operating system.", + "value": "Windows" + }, + { + "description": "Host with Android operating system.", + "value": "Android" + }, + { + "description": "Host with IOS operating system.", + "value": "IOS" + }, + { + "description": "Host with Unknown operating system.", + "value": "Unknown" + } + ] + } + }, + "osVersion": { + "description": "A free text representation of the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "HuntingBookmark": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a Hunting bookmark entity.", + "properties": { + "properties": { + "$ref": "#/definitions/HuntingBookmarkProperties", + "description": "HuntingBookmark entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Bookmark" + }, + "HuntingBookmarkProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "../../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "eventTime": { + "description": "The time of the event", + "format": "date-time", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "../../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array", + "x-ms-identifiers": [] + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "../../../../common/2.0/types.json#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "incidentInfo": { + "$ref": "IncidentTypes.json#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + }, + "IoTDeviceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an IoT device entity.", + "properties": { + "properties": { + "$ref": "#/definitions/IoTDeviceEntityProperties", + "description": "IoTDevice entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "IoTDevice" + }, + "IoTDeviceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "IoTDevice entity property bag.", + "properties": { + "deviceId": { + "description": "The ID of the IoT Device in the IoT Hub", + "readOnly": true, + "type": "string" + }, + "deviceName": { + "description": "The friendly name of the device", + "readOnly": true, + "type": "string" + }, + "source": { + "description": "The source of the device", + "readOnly": true, + "type": "string" + }, + "iotSecurityAgentId": { + "description": "The ID of the security agent running on the device", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "deviceType": { + "description": "The type of the device", + "readOnly": true, + "type": "string" + }, + "vendor": { + "description": "The vendor of the device", + "readOnly": true, + "type": "string" + }, + "edgeId": { + "description": "The ID of the edge device", + "readOnly": true, + "type": "string" + }, + "macAddress": { + "description": "The MAC address of the device", + "readOnly": true, + "type": "string" + }, + "model": { + "description": "The model of the device", + "readOnly": true, + "type": "string" + }, + "serialNumber": { + "description": "The serial number of the device", + "readOnly": true, + "type": "string" + }, + "firmwareVersion": { + "description": "The firmware version of the device", + "readOnly": true, + "type": "string" + }, + "operatingSystem": { + "description": "The operating system of the device", + "readOnly": true, + "type": "string" + }, + "iotHubEntityId": { + "description": "The AzureResource entity id of the IoT Hub", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id of this device", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityId": { + "description": "The IP entity if of this device", + "readOnly": true, + "type": "string" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the IoTDevice entity.", + "items": { + "$ref": "ThreatIntelligenceTypes.json#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "protocols": { + "description": "A list of protocols of the IoTDevice entity.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "owners": { + "description": "A list of owners of the IoTDevice entity.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "nicEntityIds": { + "description": "A list of Nic entity ids of the IoTDevice entity.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "site": { + "description": "The site of the device", + "readOnly": true, + "type": "string" + }, + "zone": { + "description": "The zone location of the device within a site", + "readOnly": true, + "type": "string" + }, + "sensor": { + "description": "The sensor the device is monitored by", + "readOnly": true, + "type": "string" + }, + "deviceSubType": { + "description": "The subType of the device ('PLC', 'HMI', 'EWS', etc.)", + "readOnly": true, + "type": "string" + }, + "importance": { + "description": "Device importance, determines if the device classified as 'crown jewel'", + "enum": [ + "Unknown", + "Low", + "Normal", + "High" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DeviceImportance", + "values": [ + { + "description": "Unknown - Default value", + "value": "Unknown" + }, + { + "description": "Low", + "value": "Low" + }, + { + "description": "Normal", + "value": "Normal" + }, + { + "description": "High", + "value": "High" + } + ] + } + }, + "purdueLayer": { + "description": "The Purdue Layer of the device", + "readOnly": true, + "type": "string" + }, + "isAuthorized": { + "description": "Determines whether the device classified as authorized device", + "readOnly": true, + "type": "boolean" + }, + "isProgramming": { + "description": "Determines whether the device classified as programming device", + "readOnly": true, + "type": "boolean" + }, + "isScanner": { + "description": "Is the device classified as a scanner device", + "readOnly": true, + "type": "boolean" + } + }, + "type": "object" + }, + "IpEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an ip entity.", + "properties": { + "properties": { + "$ref": "#/definitions/IpEntityProperties", + "description": "Ip entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Ip" + }, + "IpEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Ip entity property bag.", + "properties": { + "address": { + "description": "The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6)", + "readOnly": true, + "type": "string" + }, + "location": { + "$ref": "#/definitions/GeoLocation", + "description": "The geo-location context attached to the ip entity" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the ip entity.", + "items": { + "$ref": "ThreatIntelligenceTypes.json#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "GeoLocation": { + "description": "The geo-location context attached to the ip entity", + "properties": { + "asn": { + "description": "Autonomous System Number", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "city": { + "description": "City name", + "readOnly": true, + "type": "string" + }, + "countryCode": { + "description": "The country code according to ISO 3166 format", + "readOnly": true, + "type": "string" + }, + "countryName": { + "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", + "readOnly": true, + "type": "string" + }, + "latitude": { + "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "longitude": { + "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "state": { + "description": "State name", + "readOnly": true, + "type": "string" + } + }, + "readOnly": true, + "type": "object" + }, + "MailboxEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mailbox entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailboxEntityProperties", + "description": "Mailbox entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Mailbox" + }, + "MailboxEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mailbox entity property bag.", + "properties": { + "mailboxPrimaryAddress": { + "description": "The mailbox's primary address", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The mailbox's display name", + "readOnly": true, + "type": "string" + }, + "upn": { + "description": "The mailbox's UPN", + "readOnly": true, + "type": "string" + }, + "externalDirectoryObjectId": { + "description": "The AzureAD identifier of mailbox. Similar to AadUserId in account entity but this property is specific to mailbox object on office side", + "format": "uuid", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailClusterEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail cluster entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailClusterEntityProperties", + "description": "Mail cluster entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailCluster" + }, + "MailClusterEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail cluster entity property bag.", + "properties": { + "networkMessageIds": { + "description": "The mail message IDs that are part of the mail cluster", + "items": { + "description": "A mail message ID", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "countByDeliveryStatus": { + "description": "Count of mail messages by DeliveryStatus string representation", + "readOnly": true, + "type": "object" + }, + "countByThreatType": { + "description": "Count of mail messages by ThreatType string representation", + "readOnly": true, + "type": "object" + }, + "countByProtectionStatus": { + "description": "Count of mail messages by ProtectionStatus string representation", + "readOnly": true, + "type": "object" + }, + "threats": { + "description": "The threats of mail messages that are part of the mail cluster", + "items": { + "description": "A threat", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "query": { + "description": "The query that was used to identify the messages of the mail cluster", + "readOnly": true, + "type": "string" + }, + "queryTime": { + "description": "The query time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "mailCount": { + "description": "The number of mail messages that are part of the mail cluster", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "isVolumeAnomaly": { + "description": "Is this a volume anomaly mail cluster", + "readOnly": true, + "type": "boolean" + }, + "source": { + "description": "The source of the mail cluster (default is 'O365 ATP')", + "readOnly": true, + "type": "string" + }, + "clusterSourceIdentifier": { + "description": "The id of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterSourceType": { + "description": "The type of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterQueryStartTime": { + "description": "The cluster query start time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterQueryEndTime": { + "description": "The cluster query end time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterGroup": { + "description": "The cluster group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailMessageEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail message entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailMessageEntityProperties", + "description": "Mail message entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailMessage" + }, + "MailMessageEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail message entity property bag.", + "properties": { + "fileEntityIds": { + "description": "The File entity ids of this mail message's attachments", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "recipient": { + "description": "The recipient of this mail message. Note that in case of multiple recipients the mail message is forked and each copy has one recipient", + "readOnly": true, + "type": "string" + }, + "urls": { + "description": "The Urls contained in this mail message", + "items": { + "description": "A Url contained in this mail message", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "threats": { + "description": "The threats of this mail message", + "items": { + "description": "A threat of the mail message", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "p1Sender": { + "description": "The p1 sender's email address", + "readOnly": true, + "type": "string" + }, + "p1SenderDisplayName": { + "description": "The p1 sender's display name", + "readOnly": true, + "type": "string" + }, + "p1SenderDomain": { + "description": "The p1 sender's domain", + "readOnly": true, + "type": "string" + }, + "senderIP": { + "description": "The sender's IP address", + "readOnly": true, + "type": "string" + }, + "p2Sender": { + "description": "The p2 sender's email address", + "readOnly": true, + "type": "string" + }, + "p2SenderDisplayName": { + "description": "The p2 sender's display name", + "readOnly": true, + "type": "string" + }, + "p2SenderDomain": { + "description": "The p2 sender's domain", + "readOnly": true, + "type": "string" + }, + "receiveDate": { + "description": "The receive date of this message", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "networkMessageId": { + "description": "The network message id of this mail message", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "internetMessageId": { + "description": "The internet message id of this mail message", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of this mail message", + "readOnly": true, + "type": "string" + }, + "language": { + "description": "The language of this mail message", + "readOnly": true, + "type": "string" + }, + "threatDetectionMethods": { + "description": "The threat detection methods", + "items": { + "description": "A threat detection method", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "bodyFingerprintBin1": { + "description": "The bodyFingerprintBin1", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin2": { + "description": "The bodyFingerprintBin2", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin3": { + "description": "The bodyFingerprintBin3", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin4": { + "description": "The bodyFingerprintBin4", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin5": { + "description": "The bodyFingerprintBin5", + "type": "integer", + "format": "int32" + }, + "antispamDirection": { + "description": "The directionality of this mail message", + "enum": [ + "Unknown", + "Inbound", + "Outbound", + "Intraorg" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AntispamMailDirection", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbound", + "value": "Inbound" + }, + { + "description": "Outbound", + "value": "Outbound" + }, + { + "description": "Intraorg", + "value": "Intraorg" + } + ] + } + }, + "deliveryAction": { + "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", + "enum": [ + "Unknown", + "DeliveredAsSpam", + "Delivered", + "Blocked", + "Replaced" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryAction", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "DeliveredAsSpam", + "value": "DeliveredAsSpam" + }, + { + "description": "Delivered", + "value": "Delivered" + }, + { + "description": "Blocked", + "value": "Blocked" + }, + { + "description": "Replaced", + "value": "Replaced" + } + ] + } + }, + "deliveryLocation": { + "description": "The delivery location of this mail message like Inbox, JunkFolder etc", + "enum": [ + "Unknown", + "Inbox", + "JunkFolder", + "DeletedFolder", + "Quarantine", + "External", + "Failed", + "Dropped", + "Forwarded" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryLocation", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbox", + "value": "Inbox" + }, + { + "description": "JunkFolder", + "value": "JunkFolder" + }, + { + "description": "DeletedFolder", + "value": "DeletedFolder" + }, + { + "description": "Quarantine", + "value": "Quarantine" + }, + { + "description": "External", + "value": "External" + }, + { + "description": "Failed", + "value": "Failed" + }, + { + "description": "Dropped", + "value": "Dropped" + }, + { + "description": "Forwarded", + "value": "Forwarded" + } + ] + } + } + }, + "type": "object" + }, + "MalwareEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a malware entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MalwareEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Malware" + }, + "MalwareEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Malware entity property bag.", + "properties": { + "category": { + "description": "The malware category by the vendor, e.g. Trojan", + "readOnly": true, + "type": "string" + }, + "fileEntityIds": { + "description": "List of linked file entity identifiers on which the malware was found", + "items": { + "description": "file entity id", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "malwareName": { + "description": "The malware name by the vendor, e.g. Win32/Toga!rfn", + "readOnly": true, + "type": "string" + }, + "processEntityIds": { + "description": "List of linked process entity identifiers on which the malware was found.", + "items": { + "description": "process entity id", + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "ProcessEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a process entity.", + "properties": { + "properties": { + "$ref": "#/definitions/ProcessEntityProperties", + "description": "Process entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Process" + }, + "ProcessEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Process entity property bag.", + "properties": { + "accountEntityId": { + "description": "The account entity id running the processes.", + "readOnly": true, + "type": "string" + }, + "commandLine": { + "description": "The command line used to create the process", + "readOnly": true, + "type": "string" + }, + "creationTimeUtc": { + "description": "The time when the process started to run", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "elevationToken": { + "description": "The elevation token associated with the process.", + "enum": [ + "Default", + "Full", + "Limited" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "ElevationToken", + "values": [ + { + "description": "Default elevation token", + "value": "Default" + }, + { + "description": "Full elevation token", + "value": "Full" + }, + { + "description": "Limited elevation token", + "value": "Limited" + } + ] + } + }, + "hostEntityId": { + "description": "The host entity id on which the process was running", + "readOnly": true, + "type": "string" + }, + "hostLogonSessionEntityId": { + "description": "The session entity id in which the process was running", + "readOnly": true, + "type": "string" + }, + "imageFileEntityId": { + "description": "Image file entity id", + "readOnly": true, + "type": "string" + }, + "parentProcessEntityId": { + "description": "The parent process entity id.", + "readOnly": true, + "type": "string" + }, + "processId": { + "description": "The process ID", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "RegistryKeyEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry key entity.", + "properties": { + "properties": { + "$ref": "#/definitions/RegistryKeyEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "RegistryKey" + }, + "RegistryKeyEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryKey entity property bag.", + "properties": { + "hive": { + "description": "the hive that holds the registry key.", + "enum": [ + "HKEY_LOCAL_MACHINE", + "HKEY_CLASSES_ROOT", + "HKEY_CURRENT_CONFIG", + "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "HKEY_PERFORMANCE_DATA", + "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", + "HKEY_A", + "HKEY_CURRENT_USER" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryHive", + "values": [ + { + "description": "HKEY_LOCAL_MACHINE", + "value": "HKEY_LOCAL_MACHINE" + }, + { + "description": "HKEY_CLASSES_ROOT", + "value": "HKEY_CLASSES_ROOT" + }, + { + "description": "HKEY_CURRENT_CONFIG", + "value": "HKEY_CURRENT_CONFIG" + }, + { + "description": "HKEY_USERS", + "value": "HKEY_USERS" + }, + { + "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" + }, + { + "description": "HKEY_PERFORMANCE_DATA", + "value": "HKEY_PERFORMANCE_DATA" + }, + { + "description": "HKEY_PERFORMANCE_NLSTEXT", + "value": "HKEY_PERFORMANCE_NLSTEXT" + }, + { + "description": "HKEY_PERFORMANCE_TEXT", + "value": "HKEY_PERFORMANCE_TEXT" + }, + { + "description": "HKEY_A", + "value": "HKEY_A" + }, + { + "description": "HKEY_CURRENT_USER", + "value": "HKEY_CURRENT_USER" + } + ] + } + }, + "key": { + "description": "The registry key path.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "RegistryValueEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry value entity.", + "properties": { + "properties": { + "$ref": "#/definitions/RegistryValueEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "RegistryValue" + }, + "RegistryValueEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryValue entity property bag.", + "properties": { + "keyEntityId": { + "description": "The registry key entity id.", + "readOnly": true, + "type": "string" + }, + "valueData": { + "description": "String formatted representation of the value data.", + "readOnly": true, + "type": "string" + }, + "valueName": { + "description": "The registry value name.", + "readOnly": true, + "type": "string" + }, + "valueType": { + "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.", + "enum": [ + "None", + "Unknown", + "String", + "ExpandString", + "Binary", + "DWord", + "MultiString", + "QWord" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryValueKind", + "values": [ + { + "description": "None", + "value": "None" + }, + { + "description": "Unknown value type", + "value": "Unknown" + }, + { + "description": "String value type", + "value": "String" + }, + { + "description": "ExpandString value type", + "value": "ExpandString" + }, + { + "description": "Binary value type", + "value": "Binary" + }, + { + "description": "DWord value type", + "value": "DWord" + }, + { + "description": "MultiString value type", + "value": "MultiString" + }, + { + "description": "QWord value type", + "value": "QWord" + } + ] + } + } + }, + "type": "object" + }, + "SecurityAlert": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security alert entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SecurityAlertProperties", + "description": "SecurityAlert entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" + }, + "SecurityAlertProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityAlert entity property bag.", + "properties": { + "alertDisplayName": { + "description": "The display name of the alert.", + "readOnly": true, + "type": "string" + }, + "alertType": { + "description": "The type name of the alert.", + "readOnly": true, + "type": "string" + }, + "compromisedEntity": { + "description": "Display name of the main entity being reported on.", + "readOnly": true, + "type": "string" + }, + "confidenceLevel": { + "description": "The confidence level of this alert.", + "enum": [ + "Unknown", + "Low", + "High" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceLevel", + "values": [ + { + "description": "Unknown confidence, the is the default value", + "value": "Unknown" + }, + { + "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack", + "value": "Low" + }, + { + "description": "High confidence that the alert is true positive malicious", + "value": "High" + } + ] + } + }, + "confidenceReasons": { + "description": "The confidence reasons", + "items": { + "description": "confidence reason item", + "properties": { + "reason": { + "description": "The reason's description", + "readOnly": true, + "type": "string" + }, + "reasonType": { + "description": "The type (category) of the reason", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "confidenceScore": { + "description": "The confidence score of the alert.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "confidenceScoreStatus": { + "description": "The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.", + "enum": [ + "NotApplicable", + "InProcess", + "NotFinal", + "Final" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceScoreStatus", + "values": [ + { + "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", + "value": "NotApplicable" + }, + { + "description": "No score was set yet and calculation is in progress", + "value": "InProcess" + }, + { + "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", + "value": "NotFinal" + }, + { + "description": "Final score was calculated and available", + "value": "Final" + } + ] + } + }, + "description": { + "description": "Alert description.", + "readOnly": true, + "type": "string" + }, + "endTimeUtc": { + "description": "The impact end time of the alert (the time of the last event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "intent": { + "description": "Holds the alert intent stage(s) mapping for this alert.", + "enum": [ + "Unknown", + "Probing", + "Exploitation", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "KillChainIntent", + "values": [ + { + "description": "The default value.", + "value": "Unknown" + }, + { + "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", + "value": "Probing" + }, + { + "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", + "value": "Exploitation" + }, + { + "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", + "value": "Persistence" + }, + { + "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", + "value": "PrivilegeEscalation" + }, + { + "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", + "value": "DefenseEvasion" + }, + { + "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", + "value": "CredentialAccess" + }, + { + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", + "value": "Discovery" + }, + { + "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", + "value": "LateralMovement" + }, + { + "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", + "value": "Execution" + }, + { + "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Collection" + }, + { + "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Exfiltration" + }, + { + "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", + "value": "CommandAndControl" + }, + { + "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", + "value": "Impact" + } + ] + } + }, + "providerAlertId": { + "description": "The identifier of the alert inside the product which generated the alert.", + "readOnly": true, + "type": "string" + }, + "processingEndTime": { + "description": "The time the alert was made available for consumption.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "productComponentName": { + "description": "The name of a component inside the product which generated the alert.", + "readOnly": true, + "type": "string" + }, + "productName": { + "description": "The name of the product which published this alert.", + "readOnly": true, + "type": "string" + }, + "productVersion": { + "description": "The version of the product generating the alert.", + "readOnly": true, + "type": "string" + }, + "remediationSteps": { + "description": "Manual action items to take to remediate the alert.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "severity": { + "$ref": "AlertTypes.json#/definitions/AlertSeverityEnum", + "description": "The severity of the alert", + "type": "string" + }, + "startTimeUtc": { + "description": "The impact start time of the alert (the time of the first event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "status": { + "description": "The lifecycle status of the alert.", + "enum": [ + "Unknown", + "New", + "Resolved", + "Dismissed", + "InProgress" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertStatus", + "values": [ + { + "description": "Unknown value", + "value": "Unknown" + }, + { + "description": "New alert", + "value": "New" + }, + { + "description": "Alert closed after handling", + "value": "Resolved" + }, + { + "description": "Alert dismissed as false positive", + "value": "Dismissed" + }, + { + "description": "Alert is being handled", + "value": "InProgress" + } + ] + } + }, + "systemAlertId": { + "description": "Holds the product identifier of the alert for the product.", + "readOnly": true, + "type": "string" + }, + "tactics": { + "description": "The tactics of the alert", + "items": { + "$ref": "AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + }, + "timeGenerated": { + "description": "The time the alert was generated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "vendorName": { + "description": "The name of the vendor that raise the alert.", + "readOnly": true, + "type": "string" + }, + "alertLink": { + "description": "The uri link of the alert.", + "readOnly": true, + "type": "string" + }, + "resourceIdentifiers": { + "description": "The list of resource identifiers of the alert.", + "items": { + "type": "object" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + }, + "SecurityGroupEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security group entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SecurityGroupEntityProperties", + "description": "SecurityGroup entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SecurityGroup" + }, + "SecurityGroupEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityGroup entity property bag.", + "properties": { + "distinguishedName": { + "description": "The group distinguished name", + "readOnly": true, + "type": "string" + }, + "objectGuid": { + "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "sid": { + "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "SubmissionMailEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a submission mail entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SubmissionMailEntityProperties", + "description": "Submission mail entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SubmissionMail" + }, + "SubmissionMailEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Submission mail entity property bag.", + "properties": { + "networkMessageId": { + "description": "The network message id of email to which submission belongs", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "submissionId": { + "description": "The submission id", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "submitter": { + "description": "The submitter", + "readOnly": true, + "type": "string" + }, + "submissionDate": { + "description": "The submission date", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "timestamp": { + "description": "The Time stamp when the message is received (Mail)", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "recipient": { + "description": "The recipient of the mail", + "readOnly": true, + "type": "string" + }, + "sender": { + "description": "The sender of the mail", + "readOnly": true, + "type": "string" + }, + "senderIp": { + "description": "The sender's IP", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of submission mail", + "readOnly": true, + "type": "string" + }, + "reportType": { + "description": "The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "UrlEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a url entity.", + "properties": { + "properties": { + "$ref": "#/definitions/UrlEntityProperties", + "description": "Url entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Url" + }, + "UrlEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Url entity property bag.", + "properties": { + "url": { + "description": "A full URL the entity points to", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "NicEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an network interface entity.", + "properties": { + "properties": { + "$ref": "#/definitions/NicEntityProperties", + "description": "Network interface entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Nic" + }, + "NicEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Nic entity property bag.", + "properties": { + "macAddress": { + "description": "The MAC address of this network interface", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityId": { + "description": "The IP entity id of this network interface", + "readOnly": true, + "type": "string" + }, + "vlans": { + "description": "A list of VLANs of the network interface entity.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array", + "x-ms-identifiers": [] + } + }, + "type": "object" + } + }, + "parameters": {} +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json new file mode 100644 index 000000000000..363b9f74092f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json @@ -0,0 +1,246 @@ +{ + "swagger": "2.0", + "info": { + "version": "2023-03-01-preview", + "title": "Common Incident types" + }, + "paths": {}, + "definitions": { + "IncidentClassificationEnum": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + "value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] + } + }, + "IncidentClassificationReasonEnum": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" + } + ] + } + }, + "IncidentLabel": { + "description": "Represents an incident label", + "properties": { + "labelName": { + "description": "The name of the label", + "type": "string" + }, + "labelType": { + "$ref": "#/definitions/IncidentLabelType" + } + }, + "required": [ + "labelName" + ], + "type": "object" + }, + "IncidentLabelType": { + "description": "The type of the label", + "enum": [ + "User", + "AutoAssigned" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentLabelType", + "values": [ + { + "description": "Label manually created by a user", + "value": "User" + }, + { + "description": "Label automatically created by the system", + "value": "AutoAssigned" + } + ] + } + }, + "IncidentSeverityEnum": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "IncidentStatusEnum": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } + }, + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", + "properties": { + "email": { + "description": "The email of the user the incident is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", + "type": "string" + }, + "ownerType": { + "description": "The type of the owner the incident is assigned to.", + "type": "string", + "enum": [ + "Unknown", + "User", + "Group" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "OwnerType", + "values": [ + { + "description": "The incident owner type is unknown", + "value": "Unknown" + }, + { + "description": "The incident owner type is an AAD user", + "value": "User" + }, + { + "description": "The incident owner type is an AAD group", + "value": "Group" + } + ] + } + } + }, + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "type": "string", + "$ref": "#/definitions/IncidentSeverityEnum" + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "type": "object" + } + }, + "parameters": {} +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json new file mode 100644 index 000000000000..9db736c45d77 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json @@ -0,0 +1,95 @@ +{ + "swagger": "2.0", + "info": { + "version": "2023-03-01-preview", + "title": "Common Relation types" + }, + "paths": {}, + "definitions": { + "RelationList": { + "description": "List of relations.", + "properties": { + "nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" + }, + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/Relation" + } + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "Relation": { + "type": "object", + "description": "Represents a relation between two resources", + "allOf": [ + { + "$ref": "../../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/RelationProperties", + "description": "Relation properties", + "x-ms-client-flatten": true + } + } + }, + "RelationProperties": { + "description": "Relation property bag.", + "properties": { + "relatedResourceId": { + "description": "The resource ID of the related resource", + "type": "string" + }, + "relatedResourceName": { + "description": "The name of the related resource", + "readOnly": true, + "type": "string" + }, + "relatedResourceType": { + "description": "The resource type of the related resource", + "readOnly": true, + "type": "string" + }, + "relatedResourceKind": { + "description": "The resource kind of the related resource", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "relatedResourceId" + ], + "type": "object" + } + }, + "parameters": { + "RelationName": { + "name": "relationName", + "in": "path", + "required": true, + "type": "string", + "description": "Relation Name", + "x-ms-parameter-location": "method" + }, + "Relation": { + "name": "relation", + "in": "body", + "description": "The relation model", + "required": true, + "schema": { + "$ref": "#/definitions/Relation" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json new file mode 100644 index 000000000000..4f11264f17eb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json @@ -0,0 +1,48 @@ +{ + "swagger": "2.0", + "info": { + "version": "2023-03-01-preview", + "title": "Common Relation types" + }, + "paths": {}, + "definitions": { + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" + }, + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. \"Botnet\")", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + } + }, + "parameters": {} +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json new file mode 100644 index 000000000000..4e0adcd8c9bf --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json @@ -0,0 +1,2992 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnectorList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a TI Taxii data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" + }, + "Get a MCAS data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AADIP (Azure Active Directory Identity Protection) data connector": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an Aws S3 data connector": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesS3ById.json" + }, + "Get an AATP data connector": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + }, + "Get an Office ATP data connector": { + "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" + }, + "Get an Office IRM data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json" + }, + "Get an Office365 Project data connector": { + "$ref": "./examples/dataConnectors/GetOffice365ProjectDataConnetorById.json" + }, + "Get a MicrosoftPurviewInformationProtection data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json" + }, + "Get an Office365 PowerBI data connector": { + "$ref": "./examples/dataConnectors/GetOfficePowerBIDataConnetorById.json" + }, + "Get a Dynamics365 data connector": { + "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" + }, + "Get a MicrosoftThreatProtection data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" + }, + "Get a MicrosoftThreatIntelligence data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" + }, + "Get a GenericUI data connector": { + "$ref": "./examples/dataConnectors/GetGenericUI.json" + }, + "Get a APIPolling data connector": { + "$ref": "./examples/dataConnectors/GetAPIPolling.json" + }, + "Get a IoT data connector": { + "$ref": "./examples/dataConnectors/GetIoTById.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an Office365 data connector": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + }, + "Creates or updates an Office365 Project data connector": { + "$ref": "./examples/dataConnectors/CreateOffice365ProjectDataConnetor.json" + }, + "Creates or updates an MicrosoftPurviewInformationProtection data connector": { + "$ref": "./examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json" + }, + "Creates or updates a Microsoft Threat Intelligence data connector.": { + "$ref": "./examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json" + }, + "Creates or updates an Office PowerBI data connector": { + "$ref": "./examples/dataConnectors/CreateOfficePowerBIDataConnector.json" + }, + "Creates or updates a Threat Intelligence Taxii data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" + }, + "Creates or updates an Threat Intelligence Platform data connector": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + }, + "Creates or updates a Dynamics365 data connector.": { + "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" + }, + "Creates or updates a GenericUI data connector": { + "$ref": "./examples/dataConnectors/CreateGenericUI.json" + }, + "Creates or updates a APIPolling data connector": { + "$ref": "./examples/dataConnectors/CreateAPIPolling.json" + }, + "Creates or updates a MicrosoftThreatProtection data connector": { + "$ref": "./examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + }, + { + "$ref": "#/parameters/DataConnector" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + }, + "Delete an Office365 Project data connector": { + "$ref": "./examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json" + }, + "Delete an MicrosoftPurviewInformationProtection data connector": { + "$ref": "./examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json" + }, + "Delete an MicrosoftThreatIntelligence data connector": { + "$ref": "./examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json" + }, + "Delete an Office PowerBI data connector": { + "$ref": "./examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json" + }, + "Delete a GenericUI data connector": { + "$ref": "./examples/dataConnectors/DeleteGenericUI.json" + }, + "Delete a APIPolling data connector": { + "$ref": "./examples/dataConnectors/DeleteAPIPolling.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}/connect": { + "post": { + "x-ms-examples": { + "Connect an APIPolling data connector": { + "$ref": "./examples/dataConnectors/ConnectAPIPolling.json" + }, + "Connect an APIPolling V2 logs data connector": { + "$ref": "./examples/dataConnectors/ConnectAPIPollingV2Logs.json" + } + }, + "tags": [ + "Data Connectors Connect" + ], + "description": "Connects a data connector.", + "operationId": "DataConnectors_Connect", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + }, + { + "$ref": "#/parameters/DataConnectorConnectBody" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}/disconnect": { + "post": { + "x-ms-examples": { + "Disconnect an APIPolling data connector": { + "$ref": "./examples/dataConnectors/DisconnectAPIPolling.json" + } + }, + "tags": [ + "Data Connectors Disconnect" + ], + "description": "Disconnect a data connector.", + "operationId": "DataConnectors_Disconnect", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK, Operation successfully completed" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { + "post": { + "x-ms-examples": { + "Check requirements for TI.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" + }, + "Check requirements for TI Taxii.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" + }, + "Check requirements for AADIP (Azure Active Directory Identity Protection).": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" + }, + "Check requirements for AADIP (Azure Active Directory Identity Protection) - no license.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" + }, + "Check requirements for AADIP (Azure Active Directory Identity Protection) - no authorization.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" + }, + "Check requirements for ASC.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" + }, + "Check requirements for Mcas.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" + }, + "Check requirements for Mdatp.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" + }, + "Check requirements for OfficeATP.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" + }, + "Check requirements for OfficeIRM.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOfficeIRM.json" + }, + "Check requirements for Office365Project.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOffice365Project.json" + }, + "Check requirements for MicrosoftPurviewInformationProtection.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json" + }, + "Check requirements for OfficePowerBI.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOfficePowerBI.json" + }, + "Check requirements for Dynamics365.": { + "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" + }, + "Check requirements for MicrosoftThreatProtection.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" + }, + "Check requirements for MicrosoftThreatIntelligence.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" + }, + "Check requirements for IoT.": { + "$ref": "./examples/dataConnectors/CheckRequirementsIoT.json" + } + }, + "tags": [ + "Check Data Connector Requirements" + ], + "description": "Get requirements state for a data connector type.", + "operationId": "DataConnectorsCheckRequirements_Post", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnectorRequirementsState" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "AADCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents AADIP (Azure Active Directory Identity Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/AADCheckRequirementsProperties", + "description": "AADIP (Azure Active Directory Identity Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "AADIP (Azure Active Directory Identity Protection) requirements check properties.", + "type": "object" + }, + "AATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPCheckRequirementsProperties", + "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "ASCCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents ASC (Azure Security Center) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCCheckRequirementsProperties", + "description": "ASC (Azure Security Center) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCCheckRequirementsProperties": { + "description": "ASC (Azure Security Center) requirements check properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "AwsCloudTrailCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Amazon Web Services CloudTrail requirements check request.", + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsS3CheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Amazon Web Services S3 requirements check request.", + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesS3" + }, + "DataConnectorsCheckRequirements": { + "description": "Data connector requirements properties.", + "properties": { + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "Describes the kind of connector to be checked.", + "type": "string" + } + }, + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "DataConnectorAuthorizationState": { + "description": "Describes the state of user's authorization for a connector kind.", + "enum": [ + "Valid", + "Invalid" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorAuthorizationState", + "values": [ + { + "value": "Valid" + }, + { + "value": "Invalid" + } + ] + } + }, + "DataConnectorLicenseState": { + "description": "Describes the state of user's license for a connector kind.", + "enum": [ + "Valid", + "Invalid", + "Unknown" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorLicenseState", + "values": [ + { + "value": "Valid" + }, + { + "value": "Invalid" + }, + { + "value": "Unknown" + } + ] + } + }, + "DataConnectorRequirementsState": { + "description": "Data connector requirements status.", + "properties": { + "authorizationState": { + "description": "Authorization state for this connector", + "$ref": "#/definitions/DataConnectorAuthorizationState" + }, + "licenseState": { + "description": "License state for this connector", + "$ref": "#/definitions/DataConnectorLicenseState" + } + }, + "type": "object" + }, + "Dynamics365CheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents Dynamics365 requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/Dynamics365CheckRequirementsProperties", + "description": "Dynamics365 requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Dynamics365" + }, + "Dynamics365CheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Dynamics365 requirements check properties.", + "type": "object" + }, + "MCASCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASCheckRequirementsProperties", + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "type": "object" + }, + "MDATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPCheckRequirementsProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "MSTICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents Microsoft Threat Intelligence requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTICheckRequirementsProperties", + "description": "Microsoft Threat Intelligence requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + }, + "MSTICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Microsoft Threat Intelligence requirements check properties.", + "type": "object" + }, + "MtpCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MTP (Microsoft Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MTPCheckRequirementsProperties", + "description": "MTP (Microsoft Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" + }, + "MTPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MTP (Microsoft Threat Protection) requirements check properties.", + "type": "object" + }, + "OfficeATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeATPCheckRequirementsProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "OfficeIRMCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents OfficeIRM (Microsoft Insider Risk Management) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeIRMCheckRequirementsProperties", + "description": "OfficeIRM (Microsoft Insider Risk Management) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeIRM" + }, + "OfficeIRMCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "OfficeIRM (Microsoft Insider Risk Management) requirements check properties.", + "type": "object" + }, + "MicrosoftPurviewInformationProtectionCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MicrosoftPurviewInformationProtection requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftPurviewInformationProtectionCheckRequirementsProperties", + "description": "MicrosoftPurviewInformationProtection requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftPurviewInformationProtection" + }, + "MicrosoftPurviewInformationProtectionCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MicrosoftPurviewInformationProtection requirements check properties.", + "type": "object" + }, + "Office365ProjectCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents Office365 Project requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/Office365ProjectCheckRequirementsProperties", + "description": "Office365 Project requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365Project" + }, + "Office365ProjectCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office365 Project requirements check properties.", + "type": "object" + }, + "OfficePowerBICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents Office PowerBI requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficePowerBICheckRequirementsProperties", + "description": "Office Power BI requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficePowerBI" + }, + "OfficePowerBICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office PowerBI requirements check properties.", + "type": "object" + }, + "TICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence Platforms data connector check requirements", + "properties": { + "properties": { + "$ref": "#/definitions/TICheckRequirementsProperties", + "description": "Threat Intelligence Platforms data connector check required properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence Platforms data connector required properties.", + "properties": {}, + "type": "object" + }, + "TiTaxiiCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence TAXII data connector check requirements", + "properties": { + "properties": { + "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", + "description": "Threat Intelligence TAXII check required properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector required properties.", + "type": "object" + }, + "IoTCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents IoT requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/IoTCheckRequirementsProperties", + "description": "IoT requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "IOT" + }, + "IoTCheckRequirementsProperties": { + "description": "IoT requirements check properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AADIP (Azure Active Directory Identity Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AADIP (Azure Active Directory Identity Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AADIP (Azure Active Directory Identity Protection) data connector properties.", + "type": "object" + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "MSTIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Microsoft Threat Intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTIDataConnectorProperties", + "description": "Microsoft Threat Intelligence data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + }, + "MSTIDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.", + "properties": { + "microsoftEmergingThreatFeed": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "properties": { + "lookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "type": "string" + } + }, + "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] + } + }, + "type": "object", + "required": [ + "microsoftEmergingThreatFeed" + ] + }, + "MSTIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Microsoft Threat Intelligence data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MSTIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MTPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MTP (Microsoft Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MTPDataConnectorProperties", + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" + }, + "MTPDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Protection Platforms data connector.", + "properties": { + "incidents": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Incidents data type for Microsoft Threat Protection Platforms data connector.", + "type": "object" + }, + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type for Microsoft Threat Protection Platforms data connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "incidents" + ] + }, + "MtpProvider": { + "description": "The available data providers.", + "enum": [ + "microsoftDefenderForCloudApps", + "microsoftDefenderForIdentity" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MtpProvider" + } + }, + "MtpFilteredProviders": { + "description": "Represents the connector's Filtered providers", + "properties": { + "alerts": { + "description": "Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state.", + "items": { + "$ref": "#/definitions/MtpProvider" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "MTPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MTPDataConnectorDataTypes", + "description": "The available data types for the connector." + }, + "filteredProviders": { + "$ref": "#/definitions/MtpFilteredProviders", + "description": "The available filtered providers for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "AATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "ASCDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "AwsS3DataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services S3 data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsS3DataConnectorProperties", + "description": "Amazon Web Services S3 data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesS3" + }, + "AwsS3DataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services S3 data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "AwsS3DataConnectorProperties": { + "description": "Amazon Web Services S3 data connector properties.", + "properties": { + "destinationTable": { + "description": "The logs destination table name in LogAnalytics.", + "type": "string" + }, + "sqsUrls": { + "description": "The AWS sqs urls for the connector.", + "x-ms-identifiers": [], + "type": "array", + "items": { + "description": "AWS sqs url.", + "type": "string" + } + }, + "roleArn": { + "description": "The Aws Role Arn that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsS3DataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "destinationTable", + "sqsUrls", + "roleArn", + "dataTypes" + ] + }, + "DataConnector": { + "description": "Data connector", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "discriminator": "kind", + "required": [ + "kind" + ], + "properties": { + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "The data connector kind", + "type": "string" + } + }, + "type": "object" + }, + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", + "properties": { + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" + } + } + }, + "type": "object", + "required": [ + "state" + ] + }, + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "DataConnectorKind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "ThreatIntelligenceTaxii", + "Office365", + "OfficeATP", + "OfficeIRM", + "Office365Project", + "MicrosoftPurviewInformationProtection", + "OfficePowerBI", + "AmazonWebServicesCloudTrail", + "AmazonWebServicesS3", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection", + "Dynamics365", + "MicrosoftThreatProtection", + "MicrosoftThreatIntelligence", + "GenericUI", + "APIPolling", + "IOT" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "ThreatIntelligenceTaxii" + }, + { + "value": "Office365" + }, + { + "value": "OfficeATP" + }, + { + "value": "OfficeIRM" + }, + { + "value": "Office365Project" + }, + { + "value": "MicrosoftPurviewInformationProtection" + }, + { + "value": "OfficePowerBI" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AmazonWebServicesS3" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + }, + { + "value": "Dynamics365" + }, + { + "value": "MicrosoftThreatProtection" + }, + { + "value": "MicrosoftThreatIntelligence" + }, + { + "value": "GenericUI" + }, + { + "value": "APIPolling" + }, + { + "value": "IOT" + } + ] + } + }, + "DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { + "$ref": "#/definitions/DataConnector" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object", + "required": [ + "tenantId" + ] + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "discoveryLogs": { + "$ref": "#/definitions/DataConnectorDataTypeCommon", + "description": "Discovery log data type connection." + } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "Dynamics365DataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Dynamics365 data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/Dynamics365DataConnectorProperties", + "description": "Dynamics365 data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Dynamics365" + }, + "Dynamics365DataConnectorDataTypes": { + "description": "The available data types for Dynamics365 data connector.", + "properties": { + "dynamics365CdsActivities": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Common Data Service data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "dynamics365CdsActivities" + ] + }, + "Dynamics365DataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Dynamics365 data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "OfficeATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeATPDataConnectorProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "MicrosoftPurviewInformationProtectionDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Microsoft Purview Information Protection data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftPurviewInformationProtectionDataConnectorProperties", + "description": "Microsoft Purview Information Protection data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftPurviewInformationProtection" + }, + "MicrosoftPurviewInformationProtectionConnectorDataTypes": { + "description": "The available data types for Microsoft Purview Information Protection data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "MicrosoftPurviewInformationProtectionDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Microsoft Purview Information Protection data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MicrosoftPurviewInformationProtectionConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "Office365ProjectDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Office Microsoft Project data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/Office365ProjectDataConnectorProperties", + "description": "Office Microsoft Project data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365Project" + }, + "Office365ProjectConnectorDataTypes": { + "description": "The available data types for Office Microsoft Project data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "Office365ProjectDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office Microsoft Project data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/Office365ProjectConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "OfficePowerBIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Office Microsoft PowerBI data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficePowerBIDataConnectorProperties", + "description": "Office Microsoft PowerBI data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficePowerBI" + }, + "OfficePowerBIConnectorDataTypes": { + "description": "The available data types for Office Microsoft PowerBI data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "OfficePowerBIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office Microsoft PowerBI data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficePowerBIConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "OfficeIRMDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents OfficeIRM (Microsoft Insider Risk Management) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeIRMDataConnectorProperties", + "description": "OfficeIRM (Microsoft Insider Risk Management) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeIRM" + }, + "OfficeIRMDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "OfficeIRM (Microsoft Insider Risk Management) data connector properties.", + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" + } + }, + "required": [ + "exchange", + "sharePoint", + "teams" + ], + "type": "object" + }, + "OfficeDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents threat intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "TI (Threat Intelligence) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for TI (Threat Intelligence) data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for indicators connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "indicators" + ] + }, + "TIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "type": "object", + "required": [ + "dataTypes" + ] + }, + "TiTaxiiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server", + "properties": { + "properties": { + "$ref": "#/definitions/TiTaxiiDataConnectorProperties", + "description": "Threat intelligence TAXII data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence TAXII data connector.", + "properties": { + "taxiiClient": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for TAXII connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "taxiiClient" + ] + }, + "TiTaxiiDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector properties.", + "properties": { + "workspaceId": { + "description": "The workspace id.", + "type": "string" + }, + "friendlyName": { + "description": "The friendly name for the TAXII server.", + "type": "string" + }, + "taxiiServer": { + "description": "The API root for the TAXII server.", + "type": "string" + }, + "collectionId": { + "description": "The collection id of the TAXII server.", + "type": "string" + }, + "userName": { + "description": "The userName for the TAXII server.", + "type": "string" + }, + "password": { + "description": "The password for the TAXII server.", + "type": "string" + }, + "taxiiLookbackPeriod": { + "description": "The lookback period for the TAXII server.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "pollingFrequency": { + "description": "The polling frequency for the TAXII server.", + "type": "string", + "x-nullable": true, + "enum": [ + "OnceAMinute", + "OnceAnHour", + "OnceADay" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "PollingFrequency", + "values": [ + { + "description": "Once a minute", + "value": "OnceAMinute" + }, + { + "description": "Once an hour", + "value": "OnceAnHour" + }, + { + "description": "Once a day", + "value": "OnceADay" + } + ] + } + }, + "dataTypes": { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", + "description": "The available data types for Threat Intelligence TAXII data connector." + } + }, + "required": [ + "dataTypes", + "pollingFrequency" + ], + "type": "object" + }, + "IoTDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents IoT data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/IoTDataConnectorProperties", + "description": "IoT data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "IOT" + }, + "IoTDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "IoT data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "CodelessUiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Codeless UI data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/CodelessParameters", + "description": "Codeless UI data connector properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "GenericUI" + }, + "CodelessParameters": { + "description": "Represents Codeless UI data connector", + "type": "object", + "properties": { + "connectorUiConfig": { + "$ref": "#/definitions/CodelessUiConnectorConfigProperties", + "description": "Config to describe the instructions blade" + } + } + }, + "CodelessUiConnectorConfigProperties": { + "description": "Config to describe the instructions blade", + "type": "object", + "properties": { + "title": { + "description": "Connector blade title", + "type": "string" + }, + "publisher": { + "description": "Connector publisher name", + "type": "string" + }, + "descriptionMarkdown": { + "description": "Connector description", + "type": "string" + }, + "customImage": { + "description": "An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery", + "type": "string" + }, + "graphQueriesTableName": { + "description": "Name of the table the connector will insert the data to", + "type": "string" + }, + "graphQueries": { + "description": "The graph query to show the current data status", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/GraphQueries" + } + ] + }, + "type": "array" + }, + "sampleQueries": { + "description": "The sample queries for the connector", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/SampleQueries" + } + ] + }, + "type": "array" + }, + "dataTypes": { + "description": "Data types to check for last data received", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/LastDataReceivedDataType" + } + ] + }, + "type": "array" + }, + "connectivityCriteria": { + "description": "Define the way the connector check connectivity", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/ConnectivityCriteria" + } + ] + }, + "type": "array" + }, + "availability": { + "description": "Connector Availability Status", + "$ref": "#/definitions/Availability" + }, + "permissions": { + "description": "Permissions required for the connector", + "$ref": "#/definitions/Permissions" + }, + "instructionSteps": { + "description": "Instruction steps to enable the connector", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/InstructionSteps" + } + ] + }, + "type": "array" + } + }, + "required": [ + "title", + "publisher", + "descriptionMarkdown", + "graphQueriesTableName", + "graphQueries", + "sampleQueries", + "dataTypes", + "connectivityCriteria", + "availability", + "permissions", + "instructionSteps" + ] + }, + "DataConnectorConnectBody": { + "description": "Represents Codeless API Polling data connector.", + "type": "object", + "x-ms-identifiers": [], + "properties": { + "kind": { + "description": "The authentication kind used to poll the data", + "enum": [ + "Basic", + "OAuth2", + "APIKey" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConnectAuthKind" + } + }, + "apiKey": { + "type": "string", + "description": "The API key of the audit server." + }, + "dataCollectionEndpoint": { + "type": "string", + "description": "Used in v2 logs connector. Represents the data collection ingestion endpoint in log analytics." + }, + "dataCollectionRuleImmutableId": { + "type": "string", + "description": "Used in v2 logs connector. The data collection rule immutable id, the rule defines the transformation and data destination." + }, + "outputStream": { + "type": "string", + "description": "Used in v2 logs connector. The stream we are sending the data to, this is the name of the streamDeclarations defined in the DCR." + }, + "clientSecret": { + "type": "string", + "description": "The client secret of the OAuth 2.0 application." + }, + "clientId": { + "type": "string", + "description": "The client id of the OAuth 2.0 application." + }, + "authorizationCode": { + "type": "string", + "description": "The authorization code used in OAuth 2.0 code flow to issue a token." + }, + "userName": { + "type": "string", + "description": "The user name in the audit log server." + }, + "password": { + "type": "string", + "description": "The user password in the audit log server.", + "x-ms-secret": true + }, + "requestConfigUserInputValues": { + "type": "array", + "description": "", + "x-ms-identifiers": [], + "items": { + "type": "object" + } + } + } + }, + "CodelessApiPollingDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Codeless API Polling data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ApiPollingParameters", + "description": "Codeless poling data connector properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "APIPolling" + }, + "ApiPollingParameters": { + "description": "Represents Codeless API Polling data connector", + "type": "object", + "properties": { + "connectorUiConfig": { + "$ref": "#/definitions/CodelessUiConnectorConfigProperties", + "description": "Config to describe the instructions blade" + }, + "pollingConfig": { + "$ref": "#/definitions/CodelessConnectorPollingConfigProperties", + "description": "Config to describe the polling instructions" + } + } + }, + "CodelessConnectorPollingConfigProperties": { + "description": "Config to describe the polling config for API poller connector", + "type": "object", + "properties": { + "isActive": { + "description": "The poller active status", + "type": "boolean" + }, + "auth": { + "type": "object", + "$ref": "#/definitions/CodelessConnectorPollingAuthProperties", + "description": "Describe the authentication type of the poller" + }, + "request": { + "type": "object", + "$ref": "#/definitions/CodelessConnectorPollingRequestProperties", + "description": "Describe the poll request config parameters of the poller" + }, + "paging": { + "type": "object", + "$ref": "#/definitions/CodelessConnectorPollingPagingProperties", + "description": "Describe the poll request paging config of the poller" + }, + "response": { + "type": "object", + "$ref": "#/definitions/CodelessConnectorPollingResponseProperties", + "description": "Describe the response config parameters of the poller" + } + }, + "required": [ + "auth", + "request" + ] + }, + "CodelessConnectorPollingResponseProperties": { + "description": "Describes the response from the external server", + "type": "object", + "properties": { + "eventsJsonPaths": { + "description": "Describes the path we should extract the data in the response", + "x-ms-identifiers": [], + "items": { + "type": "string" + }, + "type": "array" + }, + "successStatusJsonPath": { + "description": "Describes the path we should extract the status code in the response", + "type": "string" + }, + "successStatusValue": { + "description": "Describes the path we should extract the status value in the response", + "type": "string" + }, + "isGzipCompressed": { + "description": "Describes if the data in the response is Gzip", + "type": "boolean" + } + }, + "required": [ + "eventsJsonPaths" + ] + }, + "CodelessConnectorPollingPagingProperties": { + "description": "Describe the properties needed to make a pagination call", + "type": "object", + "properties": { + "pagingType": { + "description": "Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'", + "type": "string" + }, + "nextPageParaName": { + "description": "Defines the name of a next page attribute", + "type": "string" + }, + "nextPageTokenJsonPath": { + "description": "Defines the path to a next page token JSON", + "type": "string" + }, + "pageCountAttributePath": { + "description": "Defines the path to a page count attribute", + "type": "string" + }, + "pageTotalCountAttributePath": { + "description": "Defines the path to a page total count attribute", + "type": "string" + }, + "pageTimeStampAttributePath": { + "description": "Defines the path to a paging time stamp attribute", + "type": "string" + }, + "searchTheLatestTimeStampFromEventsList": { + "description": "Determines whether to search for the latest time stamp in the events list", + "type": "string" + }, + "pageSizeParaName": { + "description": "Defines the name of the page size parameter", + "type": "string" + }, + "pageSize": { + "description": "Defines the paging size", + "format": "int32", + "type": "integer" + } + }, + "required": [ + "pagingType" + ] + }, + "CodelessConnectorPollingRequestProperties": { + "description": "Describe the request properties needed to successfully pull from the server", + "type": "object", + "properties": { + "apiEndpoint": { + "description": "Describe the endpoint we should pull the data from", + "type": "string" + }, + "rateLimitQps": { + "description": "Defines the rate limit QPS", + "format": "int32", + "type": "integer" + }, + "queryWindowInMin": { + "description": "The window interval we will use the pull the data", + "format": "int32", + "type": "integer" + }, + "httpMethod": { + "description": "The http method type we will use in the poll request, GET or POST", + "type": "string" + }, + "queryTimeFormat": { + "description": "The time format will be used the query events in a specific window", + "type": "string" + }, + "retryCount": { + "description": "Describe the amount of time we should try and poll the data in case of failure", + "format": "int32", + "type": "integer" + }, + "timeoutInSeconds": { + "description": "The number of seconds we will consider as a request timeout", + "format": "int32", + "type": "integer" + }, + "headers": { + "description": "Describe the headers sent in the poll request", + "type": "object" + }, + "queryParameters": { + "description": "Describe the query parameters sent in the poll request", + "type": "object" + }, + "queryParametersTemplate": { + "description": "For advanced scenarios for example user name/password embedded in nested JSON payload", + "type": "string" + }, + "startTimeAttributeName": { + "description": "This will be used the query events from a start of the time window", + "type": "string" + }, + "endTimeAttributeName": { + "description": "This will be used the query events from the end of the time window", + "type": "string" + } + }, + "required": [ + "apiEndpoint", + "httpMethod", + "queryWindowInMin", + "queryTimeFormat" + ] + }, + "CodelessConnectorPollingAuthProperties": { + "description": "Describe the authentication properties needed to successfully authenticate with the server", + "type": "object", + "properties": { + "authType": { + "description": "The authentication type", + "type": "string" + }, + "apiKeyName": { + "description": "The header name which the token is sent with", + "type": "string" + }, + "apiKeyIdentifier": { + "description": "A prefix send in the header before the actual token", + "type": "string" + }, + "isApiKeyInPostPayload": { + "description": "Marks if the key should sent in header", + "type": "string" + }, + "flowName": { + "description": "Describes the flow name, for example 'AuthCode' for Oauth 2.0", + "type": "string" + }, + "tokenEndpoint": { + "description": "The endpoint used to issue a token, used in Oauth 2.0 flow", + "type": "string" + }, + "authorizationEndpoint": { + "description": "The endpoint used to authorize the user, used in Oauth 2.0 flow", + "type": "string" + }, + "authorizationEndpointQueryParameters": { + "description": "The query parameters used in authorization request, used in Oauth 2.0 flow", + "type": "object" + }, + "redirectionEndpoint": { + "description": "The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow", + "type": "string" + }, + "tokenEndpointHeaders": { + "description": "The query headers used in token request, used in Oauth 2.0 flow", + "type": "object" + }, + "tokenEndpointQueryParameters": { + "description": "The query parameters used in token request, used in Oauth 2.0 flow", + "type": "object" + }, + "isClientSecretInHeader": { + "description": "Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow", + "type": "boolean" + }, + "scope": { + "description": "The OAuth token scope", + "type": "string" + } + }, + "required": [ + "authType" + ] + }, + "LastDataReceivedDataType": { + "description": "Data type for last data received", + "type": "object", + "properties": { + "name": { + "description": "Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder", + "type": "string" + }, + "lastDataReceivedQuery": { + "description": "Query for indicate last data received", + "type": "string" + } + } + }, + "Permissions": { + "description": "Permissions required for the connector", + "x-ms-identifiers": [], + "type": "object", + "properties": { + "resourceProvider": { + "description": "Resource provider permissions required for the connector", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/ResourceProvider" + } + ] + }, + "type": "array" + }, + "customs": { + "description": "Customs permissions required for the connector", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/Customs" + } + ] + }, + "type": "array" + } + } + }, + "Customs": { + "description": "Customs permissions required for the connector", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/CustomsPermission" + } + ] + }, + "CustomsPermission": { + "description": "Customs permissions required for the connector", + "type": "object", + "properties": { + "name": { + "description": "Customs permissions name", + "type": "string" + }, + "description": { + "description": "Customs permissions description", + "type": "string" + } + } + }, + "ResourceProvider": { + "description": "Resource provider permissions required for the connector", + "type": "object", + "properties": { + "provider": { + "description": "Provider name", + "enum": [ + "Microsoft.OperationalInsights/solutions", + "Microsoft.OperationalInsights/workspaces", + "Microsoft.OperationalInsights/workspaces/datasources", + "microsoft.aadiam/diagnosticSettings", + "Microsoft.OperationalInsights/workspaces/sharedKeys", + "Microsoft.Authorization/policyAssignments" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ProviderName" + } + }, + "permissionsDisplayText": { + "description": "Permission description text", + "type": "string" + }, + "providerDisplayName": { + "description": "Permission provider display name", + "type": "string" + }, + "scope": { + "description": "Permission provider scope", + "enum": [ + "ResourceGroup", + "Subscription", + "Workspace" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "PermissionProviderScope" + } + }, + "requiredPermissions": { + "description": "Required permissions for the connector", + "$ref": "#/definitions/RequiredPermissions" + } + } + }, + "InstructionSteps": { + "description": "Instruction steps to enable the connector", + "type": "object", + "properties": { + "title": { + "description": "Instruction step title", + "type": "string" + }, + "description": { + "description": "Instruction step description", + "type": "string" + }, + "instructions": { + "description": "Instruction step details", + "x-ms-identifiers": [], + "items": { + "allOf": [ + { + "$ref": "#/definitions/ConnectorInstructionModelBase" + } + ] + }, + "type": "array" + } + } + }, + "ConnectorInstructionModelBase": { + "description": "Instruction step details", + "type": "object", + "properties": { + "parameters": { + "type": "object", + "description": "The parameters for the setting" + }, + "type": { + "description": "The kind of the setting", + "enum": [ + "CopyableLabel", + "InstructionStepsGroup", + "InfoMessage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingType" + } + } + }, + "required": [ + "type" + ] + }, + "RequiredPermissions": { + "description": "Required permissions for the connector", + "type": "object", + "properties": { + "action": { + "description": "action permission", + "type": "boolean" + }, + "write": { + "description": "write permission", + "type": "boolean" + }, + "read": { + "description": "read permission", + "type": "boolean" + }, + "delete": { + "description": "delete permission", + "type": "boolean" + } + } + }, + "Availability": { + "description": "Connector Availability Status", + "type": "object", + "properties": { + "status": { + "description": "The connector Availability Status", + "format": "int32", + "type": "integer", + "enum": [ + 1 + ], + "x-ms-enum": { + "name": "AvailabilityStatus", + "values": [ + { + "value": 1, + "description": "Available" + } + ] + } + }, + "isPreview": { + "description": "Set connector as preview", + "type": "boolean" + } + } + }, + "ConnectivityCriteria": { + "description": "Setting for the connector check connectivity", + "type": "object", + "properties": { + "type": { + "description": "type of connectivity", + "enum": [ + "IsConnectedQuery" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConnectivityType" + } + }, + "value": { + "description": "Queries for checking connectivity", + "x-ms-identifiers": [], + "type": "array", + "items": { + "description": "checking connectivity query", + "type": "string" + } + } + } + }, + "SampleQueries": { + "description": "The sample queries for the connector", + "type": "object", + "properties": { + "description": { + "description": "The sample query description", + "type": "string" + }, + "query": { + "description": "the sample query", + "type": "string" + } + } + }, + "GraphQueries": { + "type": "object", + "description": "The graph query to show the current data status", + "properties": { + "metricName": { + "description": "the metric that the query is checking", + "type": "string" + }, + "legend": { + "description": "The legend for the graph", + "type": "string" + }, + "baseQuery": { + "description": "The base query for the graph", + "type": "string" + } + } + } + }, + "parameters": { + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "DataConnectorConnectBody": { + "description": "The data connector", + "in": "body", + "name": "connectBody", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnectorConnectBody" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorsCheckRequirementsBody": { + "description": "The parameters for requirements check message", + "in": "body", + "name": "DataConnectorsCheckRequirements", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json new file mode 100644 index 000000000000..04fabc67bdec --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "action": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json new file mode 100644 index 000000000000..700a235bf48d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json new file mode 100644 index 000000000000..a0473bd72eba --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json new file mode 100644 index 000000000000..f07446639bdb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json @@ -0,0 +1,27 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e", + "name": "912bec42-cb66-4c03-ac63-1761b6898c3e", + "type": "Microsoft.SecurityInsights/alertRules/actions", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "workflowId": "cd3765391efd48549fd7681ded1d48d7", + "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json new file mode 100644 index 000000000000..1f51abf071fd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -0,0 +1,53 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa", + "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "Scheduled", + "properties": { + "severity": "Low", + "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "displayName": "Changes to Amazon VPC settings", + "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "tactics": [ + "PrivilegeEscalation", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "lastUpdatedDateUTC": "2020-02-27T00:00:00Z", + "version": "1.0.2", + "createdDateUTC": "2019-02-27T00:00:00Z", + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "alertRulesCreatedByTemplateCount": 0 + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json new file mode 100644 index 000000000000..00cdd1378ef8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -0,0 +1,238 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa", + "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "Scheduled", + "properties": { + "severity": "Low", + "query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "displayName": "Changes to Amazon VPC settings", + "description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/", + "tactics": [ + "PrivilegeEscalation", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "lastUpdatedDateUTC": "2020-02-27T00:00:00Z", + "createdDateUTC": "2019-02-27T00:00:00Z", + "status": "Available", + "version": "1.0.1", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "alertRulesCreatedByTemplateCount": 0 + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8", + "name": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\n- Fusion for emerging threats\n- Fusion for ransomware\n- Scenario-based Fusion detections (122 scenarios)\n\nTo enable these detections, we recommend you configure the following data connectors for best results:\n- Out-of-the-box anomaly detections\n- Azure Active Directory Identity Protection\n- Azure Defender\n- Azure Defender for IoT\n- Microsoft 365 Defender\n- Microsoft Cloud App Security \n- Microsoft Defender for Endpoint\n- Microsoft Defender for Identity\n- Microsoft Defender for Office 365\n- Palo Alto Networks\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\n\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "severityFilter": { + "enabled": true, + "isSupported": true, + "severityFilters": [ + "Informational", + "Low", + "Medium", + "High" + ] + } + } + ] + }, + { + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "severityFilter": { + "enabled": false, + "isSupported": false, + "severityFilters": null + } + } + ] + } + ], + "lastUpdatedDateUTC": "2021-06-09T00:00:00Z", + "createdDateUTC": "2019-07-25T00:00:00Z", + "status": "Available", + "severity": "High", + "alertRulesCreatedByTemplateCount": 0 + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb", + "name": "b3cfc7c0-092c-481c-a55b-34a3979758cb", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "displayName": "Create incidents based on Microsoft Cloud App Security alerts", + "description": "Create incidents based on all alerts generated in Microsoft Cloud App Security", + "lastUpdatedDateUTC": "2020-02-27T00:00:00Z", + "createdDateUTC": "2019-07-16T00:00:00Z", + "status": "Available", + "alertRulesCreatedByTemplateCount": 0 + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json new file mode 100644 index 000000000000..e5e84bf7f54f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json @@ -0,0 +1,845 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "myFirstFusionRule", + "alertRule": { + "kind": "Fusion", + "etag": "3d00c3ca-0000-0100-0000-5d42d5010000", + "properties": { + "enabled": true, + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "filters": null + } + } + ] + } + ], + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nThere are a total of 122 Fusion incident types detected by Azure Sentinel.\n\nTo detect these multistage attacks, the following data connectors must be configured:\n- Azure Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n- Scheduled Analytics Rules supported by Fusion\n\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "isSupported": false, + "filters": null + } + } + ] + } + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nThere are a total of 122 Fusion incident types detected by Azure Sentinel.\n\nTo detect these multistage attacks, the following data connectors must be configured:\n- Azure Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n- Scheduled Analytics Rules supported by Fusion\n\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "isSupported": false, + "filters": null + } + } + ] + } + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json new file mode 100644 index 000000000000..d14590320e97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json @@ -0,0 +1,851 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "myFirstFusionRule", + "alertRule": { + "kind": "Fusion", + "etag": "3d00c3ca-0000-0100-0000-5d42d5010000", + "properties": { + "enabled": true, + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "filters": null + } + } + ] + } + ], + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nThere are a total of 122 Fusion incident types detected by Azure Sentinel.\n\nTo detect these multistage attacks, the following data connectors must be configured:\n- Azure Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n- Scheduled Analytics Rules supported by Fusion\n\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "isSupported": false, + "filters": null + } + } + ] + } + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nThere are a total of 122 Fusion incident types detected by Azure Sentinel.\n\nTo detect these multistage attacks, the following data connectors must be configured:\n- Azure Active Directory Identity Protection.\n- Microsoft Cloud App Security.\n- Microsoft Defender for Endpoint.\n- Azure Defender.\n- Palo Alto Networks.\n- Scheduled Analytics Rules supported by Fusion\n\nFor a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "isSupported": false, + "filters": null + } + } + ] + } + ], + "scenarioExclusionPatterns": [ + { + "exclusionPattern": "Alert providers:Azure Active Directory Identity Protection:Infected Device;Alert providers:Azure Defender:Crypto-mining activity", + "dateAddedInUTC": "2021-10-01T15:26:44.9429806Z" + } + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2019-09-04T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..9cca5b7342b7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -0,0 +1,58 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "microsoftSecurityIncidentCreationRuleExample", + "alertRule": { + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "displayName": "testing displayname", + "enabled": true + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json new file mode 100644 index 000000000000..b1f9b16573a7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json @@ -0,0 +1,136 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "alertRule": { + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json new file mode 100644 index 000000000000..fd9a8308b7cb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json @@ -0,0 +1,270 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "alertRule": { + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "sentinelEntitiesMappings": [ + { + "columnName": "Entities" + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertDynamicProperties": [ + { + "alertProperty": "ProductComponentName", + "value": "ProductComponentNameCustomColumn" + }, + { + "alertProperty": "ProductName", + "value": "ProductNameCustomColumn" + }, + { + "alertProperty": "AlertLink", + "value": "Link" + } + ] + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"01005144-0000-0d00-0000-6058632c0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"01007444-0000-0d00-0000-605863a70000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:15:30Z", + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json new file mode 100644 index 000000000000..920630b681df --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json new file mode 100644 index 000000000000..c7bd974176ad --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json @@ -0,0 +1,412 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"25005c11-0000-0d00-0000-5d6cc0e20000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\n- Fusion for emerging threats\n- Fusion for ransomware\n- Scenario-based Fusion detections (122 scenarios)\n\nTo enable these detections, we recommend you configure the following data connectors for best results:\n- Out-of-the-box anomaly detections\n- Azure Active Directory Identity Protection\n- Azure Defender\n- Azure Defender for IoT\n- Microsoft 365 Defender\n- Microsoft Cloud App Security \n- Microsoft Defender for Endpoint\n- Microsoft Defender for Identity\n- Microsoft Defender for Office 365\n- Palo Alto Networks\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\n\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "sourceSubTypeDisplayName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "sourceSubTypeDisplayName": "Microsoft Defender for Cloud", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "sourceSubTypeDisplayName": "Microsoft Defender for IoT", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "sourceSubTypeDisplayName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "sourceSubTypeDisplayName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "sourceSubTypeDisplayName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "sourceSubTypeDisplayName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "sourceSubTypeDisplayName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "sourceSubTypeDisplayName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "sourceSubTypeDisplayName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "isSupported": false, + "filters": null + } + } + ] + } + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2021-10-22T07:12:34.9065092Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json new file mode 100644 index 000000000000..8cdd5ad0dd71 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json @@ -0,0 +1,310 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "myFirstFusionRule" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule", + "name": "myFirstFusionRule", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Fusion", + "properties": { + "displayName": "Advanced Multi-Stage Attack Detection", + "description": "Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\n- Fusion for emerging threats\n- Fusion for ransomware\n- Scenario-based Fusion detections (122 scenarios)\n\nTo enable these detections, we recommend you configure the following data connectors for best results:\n- Out-of-the-box anomaly detections\n- Azure Active Directory Identity Protection\n- Azure Defender\n- Azure Defender for IoT\n- Microsoft 365 Defender\n- Microsoft Cloud App Security \n- Microsoft Defender for Endpoint\n- Microsoft Defender for Identity\n- Microsoft Defender for Office 365\n- Palo Alto Networks\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\n\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.", + "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8", + "tactics": [ + "Collection", + "CommandAndControl", + "CredentialAccess", + "DefenseEvasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "InitialAccess", + "LateralMovement", + "Persistence", + "PrivilegeEscalation" + ], + "sourceSettings": [ + { + "enabled": true, + "sourceName": "Anomalies", + "sourceSubTypes": null + }, + { + "enabled": true, + "sourceName": "Alert providers", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Azure Active Directory Identity Protection", + "sourceSubTypeDisplayName": "Azure Active Directory Identity Protection", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender", + "sourceSubTypeDisplayName": "Microsoft Defender for Cloud", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Defender for IoT", + "sourceSubTypeDisplayName": "Microsoft Defender for IoT", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft 365 Defender", + "sourceSubTypeDisplayName": "Microsoft 365 Defender", + "enabled": true, + "severityFilter": [ + "High", + "Medium", + "Low", + "Informational" + ], + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Cloud App Security", + "sourceSubTypeDisplayName": "Microsoft Cloud App Security", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Endpoint", + "sourceSubTypeDisplayName": "Microsoft Defender for Endpoint", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Identity", + "sourceSubTypeDisplayName": "Microsoft Defender for Identity", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Microsoft Defender for Office 365", + "sourceSubTypeDisplayName": "Microsoft Defender for Office 365", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + }, + { + "sourceSubTypeName": "Azure Sentinel scheduled analytics rules", + "sourceSubTypeDisplayName": "Azure Sentinel scheduled analytics rules", + "enabled": true, + "severityFilters": { + "isSupported": true, + "filters": [ + { + "severity": "High", + "enabled": true + }, + { + "severity": "Medium", + "enabled": true + }, + { + "severity": "Low", + "enabled": true + }, + { + "severity": "Informational", + "enabled": true + } + ] + } + } + ] + }, + { + "enabled": true, + "sourceName": "Raw logs from other sources", + "sourceSubTypes": [ + { + "sourceSubTypeName": "Palo Alto Networks", + "sourceSubTypeDisplayName": "Palo Alto Networks", + "enabled": true, + "severityFilters": { + "isSupported": false, + "filters": null + } + } + ] + } + ], + "severity": "High", + "enabled": true, + "lastModifiedUtc": "2021-10-20T13:13:11.5340061Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json new file mode 100644 index 000000000000..549b0056502b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -0,0 +1,30 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "microsoftSecurityIncidentCreationRuleExample" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample", + "name": "microsoftSecurityIncidentCreationRuleExample", + "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "properties": { + "productFilter": "Microsoft Cloud App Security", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayName": "testing displayname", + "enabled": true, + "description": null, + "alertRuleTemplateName": null, + "lastModifiedUtc": "2019-09-04T12:05:35.7296311Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json new file mode 100644 index 000000000000..131f808c4ee1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json @@ -0,0 +1,55 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "NRT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "Rule2", + "description": "", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "lastModifiedUtc": "2019-01-01T13:15:30Z", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host", + "Account" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json new file mode 100644 index 000000000000..4a9726b6112a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json @@ -0,0 +1,95 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/alertRules", + "kind": "Scheduled", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "alertRuleTemplateName": null, + "displayName": "My scheduled rule", + "description": "An example for a scheduled rule", + "severity": "High", + "enabled": true, + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [ + "T1037", + "T1021" + ], + "query": "Heartbeat", + "queryFrequency": "PT1H", + "queryPeriod": "P2DT1H30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "lastModifiedUtc": "2021-03-01T13:17:30Z", + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "OperatingSystemName": "OSName", + "OperatingSystemType": "OSType" + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ComputerIP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Alert from {{Computer}}", + "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Host" + ], + "groupByAlertDetails": [ + "DisplayName" + ], + "groupByCustomDetails": [ + "OperatingSystemType", + "OperatingSystemName" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json new file mode 100644 index 000000000000..3dc09b8874e0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json @@ -0,0 +1,171 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "automationRule": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/automationRules", + "properties": { + "displayName": "Suspicious user sign-in events", + "order": 1, + "triggeringLogic": { + "isEnabled": true, + "triggersOn": "Incidents", + "triggersWhen": "Created", + "conditions": [ + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentRelatedAnalyticRuleIds", + "operator": "Contains", + "propertyValues": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" + ] + } + } + ] + }, + "actions": [ + { + "order": 1, + "actionType": "AddIncidentTask", + "actionConfiguration": { + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." + } + } + ], + "lastModifiedTimeUtc": "2019-01-01T13:00:30Z", + "createdTimeUtc": "2019-01-01T13:00:00Z", + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/automationRules", + "properties": { + "displayName": "Suspicious user sign-in events", + "order": 1, + "triggeringLogic": { + "isEnabled": true, + "triggersOn": "Incidents", + "triggersWhen": "Created", + "conditions": [ + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentRelatedAnalyticRuleIds", + "operator": "Contains", + "propertyValues": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" + ] + } + } + ] + }, + "actions": [ + { + "order": 1, + "actionType": "AddIncidentTask", + "actionConfiguration": { + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." + } + } + ], + "lastModifiedTimeUtc": "2019-01-01T13:00:30Z", + "createdTimeUtc": "2019-01-01T13:00:00Z", + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/automationRules", + "properties": { + "displayName": "Suspicious user sign-in events", + "order": 1, + "triggeringLogic": { + "isEnabled": true, + "triggersOn": "Incidents", + "triggersWhen": "Created", + "conditions": [ + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentRelatedAnalyticRuleIds", + "operator": "Contains", + "propertyValues": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" + ] + } + } + ] + }, + "actions": [ + { + "order": 1, + "actionType": "AddIncidentTask", + "actionConfiguration": { + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." + } + } + ], + "lastModifiedTimeUtc": "2019-01-01T13:00:30Z", + "createdTimeUtc": "2019-01-01T13:00:00Z", + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json new file mode 100644 index 000000000000..7cb3290977e3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json @@ -0,0 +1,17 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": {} + }, + "204": { + "body": {} + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json new file mode 100644 index 000000000000..0f68eee1b9a1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json @@ -0,0 +1,65 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/automationRules", + "properties": { + "displayName": "Suspicious user sign-in events", + "order": 1, + "triggeringLogic": { + "isEnabled": true, + "triggersOn": "Incidents", + "triggersWhen": "Created", + "conditions": [ + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentRelatedAnalyticRuleIds", + "operator": "Contains", + "propertyValues": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" + ] + } + } + ] + }, + "actions": [ + { + "order": 1, + "actionType": "AddIncidentTask", + "actionConfiguration": { + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." + } + } + ], + "lastModifiedTimeUtc": "2019-01-01T13:00:30Z", + "createdTimeUtc": "2019-01-01T13:00:00Z", + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json new file mode 100644 index 000000000000..e73d293badee --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json @@ -0,0 +1,68 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/automationRules", + "properties": { + "displayName": "Suspicious user sign-in events", + "order": 1, + "triggeringLogic": { + "isEnabled": true, + "triggersOn": "Incidents", + "triggersWhen": "Created", + "conditions": [ + { + "conditionType": "Property", + "conditionProperties": { + "propertyName": "IncidentRelatedAnalyticRuleIds", + "operator": "Contains", + "propertyValues": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" + ] + } + } + ] + }, + "actions": [ + { + "order": 1, + "actionType": "AddIncidentTask", + "actionConfiguration": { + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." + } + } + ], + "lastModifiedTimeUtc": "2019-01-01T13:00:30Z", + "createdTimeUtc": "2019-01-01T13:00:00Z", + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json new file mode 100644 index 000000000000..a7d67a8d0a22 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json @@ -0,0 +1,143 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "bookmark": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My bookmark", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70" + }, + "updated": "2021-09-01T13:15:30Z", + "created": "2021-09-01T13:15:30Z", + "notes": "Found a suspicious activity", + "labels": [ + "Tag1", + "Tag2" + ], + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", + "tactics": [ + "Execution" + ], + "techniques": [ + "T1609" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Fullname", + "value": "johndoe@microsoft.com" + } + ] + } + ] + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/bookmarks", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My bookmark", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updated": "2021-09-01T13:15:30Z", + "created": "2021-09-01T13:15:30Z", + "notes": "Found a suspicious activity", + "labels": [ + "Tag1", + "Tag2" + ], + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", + "tactics": [ + "Execution" + ], + "techniques": [ + "T1609" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Fullname", + "value": "johndoe@microsoft.com" + } + ] + } + ] + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/bookmarks", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My bookmark", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updated": "2021-09-01T13:15:30Z", + "created": "2021-09-01T13:15:30Z", + "notes": "Found a suspicious activity", + "labels": [ + "Tag1", + "Tag2" + ], + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", + "tactics": [ + "Execution" + ], + "techniques": [ + "T1609" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Fullname", + "value": "johndoe@microsoft.com" + } + ] + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json new file mode 100644 index 000000000000..0a9f3a816df4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json new file mode 100644 index 000000000000..2f5663594e1e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json @@ -0,0 +1,64 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/bookmarks", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My bookmark", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updated": "2021-09-01T13:15:30Z", + "created": "2021-09-01T13:15:30Z", + "notes": "Found a suspicious activity", + "labels": [ + "Tag1", + "Tag2" + ], + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", + "incidentInfo": { + "incidentId": "DDA55F97-170B-40B9-B8ED-CBFD05481E7D", + "severity": "Low", + "title": "New case 1", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018" + }, + "tactics": [ + "Execution" + ], + "techniques": [ + "T1609" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Fullname", + "value": "johndoe@microsoft.com" + } + ] + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json new file mode 100644 index 000000000000..79823611f67c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json @@ -0,0 +1,67 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/bookmarks", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My bookmark", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updated": "2021-09-01T13:15:30Z", + "created": "2021-09-01T13:15:30Z", + "notes": "Found a suspicious activity", + "labels": [ + "Tag1", + "Tag2" + ], + "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)", + "queryResult": "Security Event query result", + "incidentInfo": { + "incidentId": "DDA55F97-170B-40B9-B8ED-CBFD05481E7D", + "severity": "Low", + "title": "New case 1", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018" + }, + "tactics": [ + "Execution" + ], + "techniques": [ + "T1609" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Fullname", + "value": "johndoe@microsoft.com" + } + ] + } + ] + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json new file mode 100644 index 000000000000..47c4007d7b45 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "parameters": { + "expansionId": "27f76e63-c41b-480f-bb18-12ad2e011d49", + "startTime": "2019-12-25T17:21:00.000Z", + "endTime": "2020-01-24T17:21:00.000Z" + } + }, + "responses": { + "200": { + "body": { + "value": { + "entities": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/fe4ddab5-8cea-eca3-c8b8-9e92e830a387", + "name": "fe4ddab5-8cea-eca3-c8b8-9e92e830a387", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Account", + "properties": { + "friendlyName": "administrator", + "accountName": "administrator", + "ntDomain": "domain" + } + } + ] + }, + "metaData": { + "aggregations": [ + { + "entityKind": "Account", + "count": 1 + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json new file mode 100644 index 000000000000..21514b442a0f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "relation": { + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/bookmarks/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceName": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceType": "Microsoft.SecurityInsights/incidents" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/bookmarks/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceName": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceType": "Microsoft.SecurityInsights/incidents" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json new file mode 100644 index 000000000000..1dc720c7cc48 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json new file mode 100644 index 000000000000..92ea96943b2d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "2216d0e1-91e3-4902-89fd-d2df8c535096" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/bookmarks/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceName": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceType": "Microsoft.SecurityInsights/incidents" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json new file mode 100644 index 000000000000..995e2fa5ae64 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "bookmarkId": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/bookmarks/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceName": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relatedResourceType": "Microsoft.SecurityInsights/incidents" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json new file mode 100644 index 000000000000..d617aa7d2f88 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "AzureActiveDirectory", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json new file mode 100644 index 000000000000..d617aa7d2f88 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "AzureActiveDirectory", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json new file mode 100644 index 000000000000..d617aa7d2f88 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "AzureActiveDirectory", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json new file mode 100644 index 000000000000..ce40ca980e8c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "AzureSecurityCenter", + "properties": { + "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json new file mode 100644 index 000000000000..d0e333c43111 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "Dynamics365", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json new file mode 100644 index 000000000000..1c29f84a6c85 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "IOT", + "properties": { + "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json new file mode 100644 index 000000000000..9a532d42a804 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "MicrosoftCloudAppSecurity", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json new file mode 100644 index 000000000000..9a532d42a804 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "MicrosoftCloudAppSecurity", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json new file mode 100644 index 000000000000..9c8e1f60e24d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "MicrosoftPurviewInformationProtection", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json new file mode 100644 index 000000000000..a45d6735f323 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "MicrosoftThreatIntelligence", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json new file mode 100644 index 000000000000..0533b1c342a1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "MicrosoftThreatProtection", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json new file mode 100644 index 000000000000..2b9348367570 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "Office365Project", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json new file mode 100644 index 000000000000..820ff1f60dae --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "OfficeATP", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json new file mode 100644 index 000000000000..3a8ea01363bd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "OfficeIRM", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json new file mode 100644 index 000000000000..06ac9914a16f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "OfficePowerBI", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json new file mode 100644 index 000000000000..e7563c37e454 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "ThreatIntelligence", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json new file mode 100644 index 000000000000..6dff99162784 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "DataConnectorsCheckRequirements": { + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" + } + } + }, + "responses": { + "200": { + "body": { + "authorizationState": "Valid", + "licenseState": "Valid" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json new file mode 100644 index 000000000000..c8f2197dca6f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "connectBody": { + "kind": "APIKey", + "apiKey": "123456789", + "requestConfigUserInputValues": [ + { + "displayText": "Organization Name", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "somePlaceHolderValue", + "requestObjectKey": "apiEndpoint" + } + ] + } + }, + "responses": { + "200": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json new file mode 100644 index 000000000000..360ebb10aa17 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json @@ -0,0 +1,27 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "connectBody": { + "kind": "APIKey", + "apiKey": "123456789", + "dataCollectionEndpoint": "https://test.eastus.ingest.monitor.azure.com", + "dataCollectionRuleImmutableId": "dcr-34adsj9o7d6f9de204478b9cgb43b631", + "outputStream": "Custom-MyTableRawData", + "requestConfigUserInputValues": [ + { + "displayText": "Organization Name", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "somePlaceHolderValue", + "requestObjectKey": "apiEndpoint" + } + ] + } + }, + "responses": { + "200": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json new file mode 100644 index 000000000000..62b036db776f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json @@ -0,0 +1,368 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "dataConnector": { + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json new file mode 100644 index 000000000000..5b316202307b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json @@ -0,0 +1,57 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "dataConnector": { + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json new file mode 100644 index 000000000000..5047be982cd4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json @@ -0,0 +1,437 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "dataConnector": { + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json new file mode 100644 index 000000000000..feac6ff72c04 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json @@ -0,0 +1,57 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "MicrosoftPurviewInformationProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftPurviewInformationProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftPurviewInformationProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json new file mode 100644 index 000000000000..470c3238a993 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json @@ -0,0 +1,59 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "dataConnector": { + "kind": "MicrosoftThreatIntelligence", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "dataTypes": { + "microsoftEmergingThreatFeed": { + "state": "Enabled", + "lookbackPeriod": "1970-01-01T00:00:00.000Z" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "MicrosoftThreatIntelligence", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "dataTypes": { + "microsoftEmergingThreatFeed": { + "state": "Enabled", + "lookbackPeriod": "01/01/1970 00:00:00" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "MicrosoftThreatIntelligence", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "dataTypes": { + "microsoftEmergingThreatFeed": { + "state": "Enabled", + "lookbackPeriod": "01/01/1970 00:00:00" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json new file mode 100644 index 000000000000..91cf0220c7db --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json @@ -0,0 +1,81 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "MicrosoftThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "178265c4-3136-4ff6-8ed1-b5b62b4cb5f5", + "dataTypes": { + "incidents": { + "state": "Disabled" + }, + "alerts": { + "state": "Enabled" + } + }, + "filteredProviders": { + "alerts": [ + "microsoftDefenderForCloudApps" + ] + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/595c870a-5b74-4a23-984c-9ddba29cefe3", + "name": "595c870a-5b74-4a23-984c-9ddba29cefe3", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftThreatProtection", + "etag": "2b61bd0c-62b4-4968-8f9a-71b91be61127", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "incidents": { + "state": "Disabled55" + }, + "alerts": { + "state": "Enabled" + } + }, + "filteredProviders": { + "alerts": [ + "microsoftDefenderForCloudApps" + ] + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/595c870a-5b74-4a23-984c-9ddba29cefe3", + "name": "595c870a-5b74-4a23-984c-9ddba29cefe3", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftThreatProtection", + "etag": "2b61bd0c-62b4-4968-8f9a-71b91be61127", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "incidents": { + "state": "Disabled" + }, + "alerts": { + "state": "Enabled" + } + }, + "filteredProviders": { + "alerts": [ + "microsoftDefenderForCloudApps" + ] + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json new file mode 100644 index 000000000000..e07600516d77 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json @@ -0,0 +1,57 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "Office365Project", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365Project", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365Project", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json new file mode 100644 index 000000000000..204ba2a92256 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json @@ -0,0 +1,75 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json new file mode 100644 index 000000000000..959742f2f00f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json @@ -0,0 +1,57 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "OfficePowerBI", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficePowerBI", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficePowerBI", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json new file mode 100644 index 000000000000..65f78cd6161f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json @@ -0,0 +1,59 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "kind": "ThreatIntelligence", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json new file mode 100644 index 000000000000..82fcf47519e2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json @@ -0,0 +1,81 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "dataConnector": { + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds", + "collectionId": "135", + "workspaceId": "dd124572-4962-4495-9bd2-9dade12314b4", + "friendlyName": "testTaxii", + "userName": "--", + "password": "--", + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds", + "collectionId": "135", + "workspaceId": "28e5f051-34cb-4208-9037-693e5342a871", + "friendlyName": "testTaxii", + "userName": null, + "password": null, + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0", + "kind": "ThreatIntelligenceTaxii", + "properties": { + "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds", + "collectionId": "135", + "workspaceId": "28e5f051-34cb-4208-9037-693e5342a871", + "friendlyName": "testTaxii", + "userName": null, + "password": null, + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json new file mode 100644 index 000000000000..3c0dbf9cf4ca --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json new file mode 100644 index 000000000000..3c0dbf9cf4ca --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json new file mode 100644 index 000000000000..27c0bb8f2a97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json new file mode 100644 index 000000000000..1e907be7ae1d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json new file mode 100644 index 000000000000..27c0bb8f2a97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json new file mode 100644 index 000000000000..27c0bb8f2a97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json new file mode 100644 index 000000000000..27c0bb8f2a97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json new file mode 100644 index 000000000000..8c60edd00ea1 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "disconnectBody": {} + }, + "responses": { + "200": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json new file mode 100644 index 000000000000..7991c461841d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json @@ -0,0 +1,133 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "customImage": "The image connector content", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json new file mode 100644 index 000000000000..c419b8afe827 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesCloudTrail", + "properties": { + "awsRoleArn": "myAwsRoleArn", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json new file mode 100644 index 000000000000..f3c5f32b7874 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "afef3743-0c88-469c-84ff-ca2e87dc1e48" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/afef3743-0c88-469c-84ff-ca2e87dc1e48", + "name": "afef3743-0c88-469c-84ff-ca2e87dc1e48", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesS3", + "properties": { + "destinationTable": "AWSVPCFlow", + "roleArn": "arn:aws:iam::072643944673:role/RoleName", + "sqsUrls": [ + "https://sqs.us-west-1.amazonaws.com/111111111111/sqsTestName" + ], + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json new file mode 100644 index 000000000000..40fe42b274c9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureActiveDirectory", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json new file mode 100644 index 000000000000..d699cc5ffbdd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "07e42cb3-e658-4e90-801c-efa0f29d3d44" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44", + "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json new file mode 100644 index 000000000000..166fe5583f1e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureSecurityCenter", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json new file mode 100644 index 000000000000..fbb4ca55f4bb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json @@ -0,0 +1,508 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureSecurityCenter", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "name": "c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligenceTaxii", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "workspaceId": "8b014a77-4695-4ef4-96bb-6623afb121a2", + "friendlyName": "My TI Taxii Connector", + "taxiiServer": "https://mytaxiiserver.com/taxiing/v2/api", + "collectionId": "e0b1f32d-1188-48f7-a7a3-de71924e4b5e", + "userName": "", + "password": "", + "pollingFrequency": "OnceAMinute", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureActiveDirectory", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42", + "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftCloudAppSecurity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + }, + "discoveryLogs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44", + "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "AzureAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesCloudTrail", + "properties": { + "awsRoleArn": "myAwsRoleArn", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/afef3743-0c88-469c-84ff-ca2e87dc1e48", + "name": "afef3743-0c88-469c-84ff-ca2e87dc1e48", + "type": "Microsoft.SecurityInsights/dataConnectors", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "AmazonWebServicesS3", + "properties": { + "destinationTable": "AWSVPCFlow", + "roleArn": "arn:aws:iam::072643944673:role/RoleName", + "sqsUrls": [ + "https://sqs.us-west-1.amazonaws.com/111111111111/sqsTestName" + ], + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftDefenderAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficeATP", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365Project", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficePowerBI", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "customImage": "The image connector content", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "APIPolling", + "properties": { + "connectorUiConfig": { + "title": "GitHub Enterprise Audit Log", + "publisher": "GitHub", + "descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", + "graphQueriesTableName": "GitHubAuditLogPolling_CL", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GitHub audit log events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "{{graphQueriesTableName}}\n | take 10 " + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "SentinelKindsV2", + "value": [] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "GitHub API personal token Key", + "description": "You need access to GitHub personal token, the key should have 'admin:org' scope" + } + ] + }, + "instructionSteps": [ + { + "title": "Connect GitHub Enterprise Audit Log to Azure Sentinel", + "description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key", + "instructions": [ + { + "parameters": { + "enable": "true", + "userRequestPlaceHoldersInput": [ + { + "displayText": "Organization Name", + "requestObjectKey": "apiEndpoint", + "placeHolderName": "{{placeHolder1}}", + "placeHolderValue": "" + } + ] + }, + "type": "APIKey" + } + ] + } + ] + }, + "pollingConfig": { + "auth": { + "authType": "APIKey", + "apiKeyIdentifier": "token", + "apiKeyName": "Authorization" + }, + "request": { + "apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log", + "rateLimitQps": 50, + "queryWindowInMin": 15, + "httpMethod": "Get", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 2, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Scuba" + }, + "queryParameters": { + "phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}" + } + }, + "paging": { + "pagingType": "LinkHeader", + "pageSizeParaName": "per_page" + }, + "response": { + "eventsJsonPaths": [ + "$" + ] + } + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json new file mode 100644 index 000000000000..7767f9ef970f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c2541efb-c9a6-47fe-9501-87d1017d1512" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "c2541efb-c9a6-47fe-9501-87d1017d1512", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Dynamics365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "dynamics365CdsActivities": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json new file mode 100644 index 000000000000..8d52fb3d6128 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json @@ -0,0 +1,156 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "316ec55e-7138-4d63-ab18-90c8a60fd1c8" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8", + "etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Qualys Vulnerability Management (CCP DEMO)", + "publisher": "Qualys", + "descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ", + "customImage": "The image connector content", + "graphQueriesTableName": "QualysHostDetection_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Vulerabilities detected", + "query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Qualys API Key", + "description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)." + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes." + }, + { + "title": "", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Functions", + "description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions." + }, + { + "title": "", + "description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**." + }, + { + "title": "", + "description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**." + }, + { + "title": "", + "description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**." + }, + { + "title": "", + "description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)" + } + ] + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json new file mode 100644 index 000000000000..8fd734a483cf --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "d2e5dc7a-f3a2-429d-954b-939fa8c2932e" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/d2e5dc7a-f3a2-429d-954b-939fa8c2932e", + "name": "d2e5dc7a-f3a2-429d-954b-939fa8c2932e", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "IOT", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json new file mode 100644 index 000000000000..db200a3d8739 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "b96d014d-b5c2-4a01-9aba-a8058f629d42" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42", + "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftCloudAppSecurity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + }, + "discoveryLogs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json new file mode 100644 index 000000000000..f3d2ad7012ed --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftDefenderAdvancedThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json new file mode 100644 index 000000000000..4927cdcba056 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "3d3e955e-33eb-401d-89a7-251c81ddd660" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficeIRM", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json new file mode 100644 index 000000000000..a1b7a0ad295b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftPurviewInformationProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json new file mode 100644 index 000000000000..3b1cbdbaba7e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "microsoftEmergingThreatFeed": { + "state": "Enabled", + "lookbackPeriod": "01/01/1970 00:00:00" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json new file mode 100644 index 000000000000..bd7c6269c8c8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json @@ -0,0 +1,36 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "MicrosoftThreatProtection", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "incidents": { + "state": "Enabled" + }, + "alerts": { + "state": "Enabled" + } + }, + "filteredProviders": { + "alerts": [ + "microsoftDefenderForCloudApps" + ] + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json new file mode 100644 index 000000000000..0bdbe481ff44 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "3d3e955e-33eb-401d-89a7-251c81ddd660" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660", + "name": "3d3e955e-33eb-401d-89a7-251c81ddd660", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficeATP", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "alerts": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json new file mode 100644 index 000000000000..ecac96a605e9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365Project", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json new file mode 100644 index 000000000000..51a5ae6e08d7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json @@ -0,0 +1,34 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "Office365", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "sharePoint": { + "state": "Enabled" + }, + "exchange": { + "state": "Enabled" + }, + "teams": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json new file mode 100644 index 000000000000..ad2210561c45 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "OfficePowerBI", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "dataTypes": { + "logs": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json new file mode 100644 index 000000000000..38c52188cf6b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04", + "name": "c345bf40-8509-4ed2-b947-50cb773aaf04", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligence", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "tipLookbackPeriod": "2020-01-01T13:00:30.123Z", + "dataTypes": { + "indicators": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json new file mode 100644 index 000000000000..6f0cdd2d6069 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json @@ -0,0 +1,36 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "dataConnectorId": "c39bb458-02a7-4b3f-b0c8-71a1d2692652" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "name": "c39bb458-02a7-4b3f-b0c8-71a1d2692652", + "type": "Microsoft.SecurityInsights/dataConnectors", + "kind": "ThreatIntelligenceTaxii", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8", + "workspaceId": "8b014a77-4695-4ef4-96bb-6623afb121a2", + "friendlyName": "My TI Taxii Connector", + "taxiiServer": "https://mytaxiiserver.com/taxiing/v2/api", + "collectionId": "e0b1f32d-1188-48f7-a7a3-de71924e4b5e", + "userName": "", + "password": "", + "taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z", + "pollingFrequency": "OnceADay", + "dataTypes": { + "taxiiClient": { + "state": "Enabled" + } + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json new file mode 100644 index 000000000000..449e742fee24 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "ipAddress": "1.2.3.4" + }, + "responses": { + "200": { + "body": { + "asn": "12345", + "carrier": "Microsoft", + "city": "Redmond", + "cityCf": 90, + "continent": "north america", + "country": "united states", + "countryCf": 99, + "ipAddr": "1.2.3.4", + "ipRoutingType": "fixed", + "latitude": "40.2436", + "longitude": "-100.8891", + "organization": "Microsoft", + "organizationType": "tech", + "region": "western usa", + "state": "washington", + "stateCf": null, + "stateCode": "wa" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json new file mode 100644 index 000000000000..33bb49275d66 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json @@ -0,0 +1,87 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "domain": "microsoft.com" + }, + "responses": { + "200": { + "body": { + "domain": "microsoft.com", + "server": null, + "created": "2021-09-01T16:15:01.187045Z", + "updated": "2021-09-01T16:15:01.187045Z", + "expires": null, + "parsedWhois": { + "registrar": { + "name": "MarkMonitor, Inc", + "abuseContactPhone": "12083895770", + "abuseContactEmail": "abuse@microsoft.com", + "url": "http://www.markmonitor.com", + "whoisServer": "whois.markmonitor.com" + }, + "contacts": { + "admin": { + "name": "Administrator", + "org": "Microsoft", + "street": [ + "One Microsoft Way" + ], + "city": null, + "state": "WA", + "postal": "98052", + "country": "United States", + "phone": "1-800-555-1234", + "fax": null, + "email": "mail@microsoft.com" + }, + "registrant": null, + "billing": { + "name": "Administrator", + "org": "Microsoft", + "street": [ + "One Microsoft Way" + ], + "city": null, + "state": "WA", + "postal": "98052", + "country": "United States", + "phone": "1-800-555-1234", + "fax": null, + "email": "mail@microsoft.com" + }, + "tech": { + "name": "Administrator", + "org": "Microsoft", + "street": [ + "One Microsoft Way" + ], + "city": null, + "state": "WA", + "postal": "98052", + "country": "United States", + "phone": "1-800-555-1234", + "fax": null, + "email": "mail@microsoft.com" + } + }, + "nameServers": [ + "ns1-205.azure-dns.com", + "ns2-205.azure-dns.net", + "ns3-205.azure-dns.org", + "ns4-205.azure-dns.info" + ], + "statuses": [ + "clientUpdateProhibited", + "clientTransferProhibited", + "clientDeleteProhibited", + "serverUpdateProhibited", + "serverTransferProhibited", + "serverDeleteProhibited" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json new file mode 100644 index 000000000000..76d42a475151 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Account", + "properties": { + "friendlyName": "administrator", + "accountName": "administrator", + "ntDomain": "domain", + "upnSuffix": "contoso", + "sid": "S-1-5-18", + "aadTenantId": "70fbdad0-7441-4564-b2b5-2b8862d0fee0", + "aadUserId": "f7033626-2572-46b1-bba0-06646f4f95b3", + "puid": "ee3cb2d8-14ba-45ef-8009-d6f1cacfa04d", + "isDomainJoined": true, + "objectGuid": "11227b78-3c6e-436e-a2a2-02fc7662eca0", + "dnsDomain": "contoso.com" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json new file mode 100644 index 000000000000..20db326a109d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "AzureResource", + "properties": { + "friendlyName": "vm1", + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json new file mode 100644 index 000000000000..42177681da3a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "CloudApplication", + "properties": { + "friendlyName": "AppName", + "appId": 1, + "appName": "AppName", + "instanceName": "InstanceName" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json new file mode 100644 index 000000000000..59741321be80 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json @@ -0,0 +1,26 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "f4e74920-f2c0-4412-a45f-66d94fdf01f8" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/f4e74920-f2c0-4412-a45f-66d94fdf01f8", + "name": "f4e74920-f2c0-4412-a45f-66d94fdf01f8", + "type": "Microsoft.SecurityInsights/entities", + "kind": "DnsResolution", + "properties": { + "friendlyName": "domain", + "domainName": "domain", + "ipAddressEntityIds": [ + "475d3120-33e0-4841-9f1c-a8f15a801d19" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json new file mode 100644 index 000000000000..c99045d3f836 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json @@ -0,0 +1,63 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Account", + "properties": { + "friendlyName": "administrator", + "accountName": "administrator", + "ntDomain": "domain", + "upnSuffix": "contoso", + "sid": "S-1-5-18", + "aadTenantId": "70fbdad0-7441-4564-b2b5-2b8862d0fee0", + "aadUserId": "f7033626-2572-46b1-bba0-06646f4f95b3", + "puid": "ee3cb2d8-14ba-45ef-8009-d6f1cacfa04d", + "isDomainJoined": true, + "objectGuid": "11227b78-3c6e-436e-a2a2-02fc7662eca0" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/fed9fe89-dce8-40f2-bf44-70f23fe93b3c", + "name": "fed9fe89-dce8-40f2-bf44-70f23fe93b3c", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Host", + "properties": { + "friendlyName": "vm1", + "dnsDomain": "contoso", + "ntDomain": "domain", + "hostName": "vm1", + "netBiosName": "contoso", + "azureID": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1", + "omsAgentID": "70fbdad0-7441-4564-b2b5-2b8862d0fee0", + "osFamily": "Windows", + "osVersion": "1.0", + "isDomainJoined": true + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/af378b21-b4aa-4fe7-bc70-13f8621a322f", + "name": "af378b21-b4aa-4fe7-bc70-13f8621a322f", + "type": "Microsoft.SecurityInsights/entities", + "kind": "File", + "properties": { + "friendlyName": "cmd.exe", + "directory": "C:\\Windows\\System32", + "fileName": "cmd.exe" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json new file mode 100644 index 000000000000..9e7091d4036d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "af378b21-b4aa-4fe7-bc70-13f8621a322f" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/af378b21-b4aa-4fe7-bc70-13f8621a322f", + "name": "af378b21-b4aa-4fe7-bc70-13f8621a322f", + "type": "Microsoft.SecurityInsights/entities", + "kind": "File", + "properties": { + "friendlyName": "cmd.exe", + "directory": "C:\\Windows\\System32", + "fileName": "cmd.exe" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json new file mode 100644 index 000000000000..513385c8673b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "ea359fa6-c1e5-f878-e105-6344f3e399a1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/ea359fa6-c1e5-f878-e105-6344f3e399a1", + "name": "ea359fa6-c1e5-f878-e105-6344f3e399a1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "FileHash", + "properties": { + "friendlyName": "E923636F1093C414AAB39F846E9D7A372BEEFA7B628B28179197E539C56AA0F0(SHA256)", + "hashValue": "E923636F1093C414AAB39F846E9D7A372BEEFA7B628B28179197E539C56AA0F0", + "algorithm": "SHA256" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json new file mode 100644 index 000000000000..ee92058a24c0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Host", + "properties": { + "friendlyName": "vm1", + "dnsDomain": "contoso", + "ntDomain": "domain", + "hostName": "vm1", + "netBiosName": "contoso", + "azureID": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1", + "omsAgentID": "70fbdad0-7441-4564-b2b5-2b8862d0fee0", + "osFamily": "Windows", + "osVersion": "1.0", + "isDomainJoined": true + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json new file mode 100644 index 000000000000..f88f49348183 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json @@ -0,0 +1,45 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "IoTDevice", + "properties": { + "friendlyName": "device1", + "deviceId": "device1", + "deviceName": "device1", + "iotHubEntityId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/8b2d9401-f953-e89d-2583-be9b4975870c", + "nicEntityIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/6ee379bd-ace8-44cf-ab10-ee669a1b71e2" + ], + "deviceType": "Industrial", + "firmwareVersion": "20.11", + "importance": "Normal", + "isAuthorized": true, + "isProgramming": false, + "isScanner": false, + "model": "demo-model", + "protocols": [ + "CIP", + "EtherNet/IP" + ], + "operatingSystem": "Windows", + "purdueLayer": "ProcessControl", + "sensor": "demo-sensor", + "site": "demo-site", + "vendor": "demo-vendor", + "zone": "zone" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json new file mode 100644 index 000000000000..96225553f23e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json @@ -0,0 +1,23 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Ip", + "properties": { + "friendlyName": "10.3.2.8", + "address": "10.3.2.8" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json new file mode 100644 index 000000000000..43cc718fd635 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json @@ -0,0 +1,44 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "MailCluster", + "properties": { + "friendlyName": "ClusterSourceIdentifier", + "networkMessageIds": [ + "ccfce855-e02f-491b-a1cc-5bafb371ad0c" + ], + "countByDeliveryStatus": { + "deliveryStatus": 5 + }, + "countByThreatType": { + "threatType": 6 + }, + "countByProtectionStatus": { + "protectionStatus": 65 + }, + "threats": [ + "thrreat1", + "thread2" + ], + "query": "kqlFilter", + "queryTime": "2021-09-01T01:42:01.6026755Z", + "source": "ClusterSourceIdentifier", + "clusterSourceIdentifier": "cluster source identifier", + "clusterSourceType": "Similarity", + "clusterGroup": "cluster group" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json new file mode 100644 index 000000000000..37a8d3bd1ce9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json @@ -0,0 +1,48 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "MailMessage", + "properties": { + "friendlyName": "cmd.exe", + "fileEntityIds": [ + "ccfce855-e02f-491b-a1cc-5bafb371ad0c" + ], + "recipient": "recipient", + "urls": [ + "http://moqbrarcwmnk.banxhdcojlg.biz" + ], + "threats": [ + "thrreat1", + "thread2" + ], + "p1Sender": "email@fake.com", + "p1SenderDisplayName": "p1 sender display name", + "p1SenderDomain": "p1 sender domain", + "senderIP": "1.23.34.43", + "p2Sender": "the sender", + "deliveryAction": "Blocked", + "p2SenderDisplayName": "p2 sender display name", + "p2SenderDomain": "p2 Sender Domain", + "internetMessageId": "message id", + "subject": "subject", + "language": "language", + "threatDetectionMethods": [ + "thrreat1", + "thread2" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json new file mode 100644 index 000000000000..5b07027770f4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json @@ -0,0 +1,26 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Mailbox", + "properties": { + "friendlyName": "emailAddress1", + "displayName": "display name", + "mailboxPrimaryAddress": "emailAddress1", + "upn": "upn1", + "externalDirectoryObjectId": "18cc8fdc-e169-4451-983a-bd027db286eb" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json new file mode 100644 index 000000000000..bb72b3d084d4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "af378b21-b4aa-4fe7-bc70-13f8621a322f" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/af378b21-b4aa-4fe7-bc70-13f8621a322f", + "name": "af378b21-b4aa-4fe7-bc70-13f8621a322f", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Malware", + "properties": { + "malwareName": "Win32/Toga!rfn", + "category": "Trojan", + "friendlyName": "Win32/Toga!rfn" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json new file mode 100644 index 000000000000..b2a90ae4b315 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "7264685c-038c-42c6-948c-38e14ef1fb98" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/7264685c-038c-42c6-948c-38e14ef1fb98", + "name": "7264685c-038c-42c6-948c-38e14ef1fb98", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Process", + "properties": { + "friendlyName": "cmd.exe", + "processId": "0x2aa48", + "commandLine": "\"cmd\"", + "imageFileEntityId": "bba7b47b-c1c1-4021-b568-5b07b9292f5e" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json new file mode 100644 index 000000000000..8ff752a49bcd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json @@ -0,0 +1,456 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "kind": "Insight" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/6db7f5d1-f41e-46c2-b935-230b36a569e6", + "name": "6db7f5d1-f41e-46c2-b935-230b36a569e6", + "type": "Microsoft.SecurityInsights/entities/queries", + "kind": "Insight", + "properties": { + "displayName": "Actions on account", + "description": "Summary of actions taken on the specified account, grouped by action: password resets and changes, account lockouts (policy or admin), account creation and deletion, account enabled and disabled\n", + "baseQuery": "let GetAccountActions = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string, v_Account_AADUserId:string, v_Account_SID:string){\nAuditLogs\n| where OperationName in~ ('Delete user', 'Change user password', 'Reset user password', 'Change password (self-service)', 'Reset password (by admin)', 'Reset password (self-service)', 'Update user')\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| extend Account_Name = tostring(split(UserPrincipalName, '@')[0])\n| extend Account_UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\n| extend ModifiedProperty = parse_json(Action).displayName\n| extend ModifiedValue = parse_json(Action).newValue\n| extend Account_AADUserId = tostring(TargetResources[0].id)\n| extend DisableUser = iif(ModifiedProperty =~ 'AccountEnabled' and ModifiedValue =~ '[false]', 'True', 'False')\n| union isfuzzy=true (\nSecurityEvent\n| where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\n| extend OperationName = tostring(EventID)\n| where AccountType =~ \"user\" or isempty(AccountType)\n| extend Account_Name = TargetUserName, Account_NTDomain = TargetDomainName, Account_SID = TargetSid\n)\n| where (Account_Name =~ v_Account_Name and (Account_UPNSuffix =~ v_Account_UPNSuffix or Account_NTDomain =~ v_Account_NTDomain)) or Account_AADUserId =~ v_Account_AADUserId or Account_SID =~ v_Account_SID\n};\nGetAccountActions('CTFFUser4', '', 'seccxp.ninja', '', '')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Action", + "outputType": "String", + "supportDeepLink": false + }, + { + "header": "Most Recent", + "outputType": "Date", + "supportDeepLink": false + }, + { + "header": "Count", + "outputType": "Number", + "supportDeepLink": true + } + ], + "queriesDefinitions": [ + { + "filter": "where OperationName in~ ('Change user password', 'Reset user password', 'Change password (self-service)', 'Reset password (by admin)', 'Reset password (self-service)', '4724', '4723')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Blocked from self-service password reset', '4740')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName == '4725' or (OperationName =~ 'Update user' and DisableUser =~ 'True')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Add user', '4720')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Delete user', '4726')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('4725', 'Blocked from self-service password reset', '4740') or (OperationName =~ 'Update user' and DisableUser =~ 'True')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('4722', '4767') or (OperationName =~ 'Update user' and DisableUser =~ 'False')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Update user','4738')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + } + ] + }, + "chartQuery": { + "title": "Actions by type", + "dataSets": [ + { + "query": "summarize Count = count() by bin(TimeGenerated, 1h), OperationName", + "xColumnName": "TimeGenerated", + "yColumnName": "Count", + "legendColumnName": "OperationName" + } + ], + "type": "BarChart" + }, + "additionalQuery": { + "text": "See all account activity", + "query": "project TimeGenerated, UserPrincipalName, Account_Name, OperationName, Activity, DisableUser, TargetSid, AADUserId, InitiatedBy, AADTenantId, AccountType, Computer, SubjectAccount, SubjectUserSid, EventData" + }, + "defaultTimeRange": { + "beforeRange": "12h", + "afterRange": "12h" + }, + "referenceTimeRange": null, + "dataTypes": [ + { + "dataType": "AuditLogs" + }, + { + "dataType": "SecurityEvent" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_NTDomain" + ], + [ + "Account_Name", + "Account_UPNSuffix" + ], + [ + "Account_AADUserId" + ], + [ + "Account_SID" + ] + ], + "entitiesFilter": {} + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/0a5d7b14-b485-450a-a0ac-4100c860ac32", + "name": "0a5d7b14-b485-450a-a0ac-4100c860ac32", + "type": "Microsoft.SecurityInsights/entities/queries", + "kind": "Insight", + "properties": { + "displayName": "Anomalously high office operation count", + "description": "Highlight office operations of the user with anomalously high count compared to those observed in the preceding 14 days.", + "baseQuery": "let AScoreThresh = 3; \nlet maxAnomalies = 3;\nlet BeforeRange = 12d; \nlet EndTime = todatetime('{{EndTimeUTC}}'); \nlet StartTime = todatetime('{{StartTimeUTC}}');\nlet numDays = tolong((EndTime-StartTime)/1d); \nlet userData = (v_Account_Name:string, v_Account_UPNSuffix:string) { \n OfficeActivity \n | extend splitUserId=split(UserId, '@')\n | extend Account_Name = tostring(splitUserId[0]), Account_UPNSuffix = tostring(splitUserId[1])\n | where Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix }; \nuserData('CTFFUser4', 'seccxp.ninja')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Operation", + "outputType": "String", + "supportDeepLink": true + }, + { + "header": "Expected Count", + "outputType": "Number", + "supportDeepLink": false + }, + { + "header": "Actual Count", + "outputType": "Number", + "supportDeepLink": false + } + ], + "queriesDefinitions": [ + { + "filter": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost=maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore-maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc\n", + "summarize": "take 1", + "project": "project Operation, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)", + "linkColumnsDefinitions": [ + { + "projectedName": "Operation", + "Query": "{{BaseQuery}} \n| where TimeGenerated between (StartTime .. EndTime) \n| where Operation == ''\n" + } + ] + } + ] + }, + "chartQuery": { + "title": "Anomalous operation timeline", + "dataSets": [ + { + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost=maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore-maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,round(postExpectedCount,2)) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| take 1 \n| project Operation, TimeGenerated, count_\n| mvexpand TimeGenerated, count_ | project todatetime(TimeGenerated), toint(count_), Operation\n", + "xColumnName": "TimeGenerated", + "yColumnName": "count_", + "legendColumnName": "Operation" + } + ], + "type": "LineChart" + }, + "additionalQuery": { + "text": "Query all anomalous operations", + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_\n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies\n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh | order by maxAnomalyScorePost desc \n| project Operation, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)\n" + }, + "defaultTimeRange": { + "beforeRange": "1d", + "afterRange": "0d" + }, + "referenceTimeRange": { + "beforeRange": "12d" + }, + "dataTypes": [ + { + "dataType": "OfficeActivity" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_UPNSuffix" + ] + ], + "entitiesFilter": {} + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", + "name": "e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", + "type": "Microsoft.SecurityInsights/entities/queries", + "kind": "Insight", + "properties": { + "displayName": "Resource access", + "description": "Provides the count and distinct resource accesses by a given user account\n", + "baseQuery": "let Operations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet UserOperationToSharePoint = (v_Account_Name:string, v_Account_UPNSuffix:string) {\nOfficeActivity\n// Select sharepoint activity that is relevant\n| where RecordType in~ ('SharePointFileOperation')\n| where Operation in~ (Operations)\n| extend Account_Name = tostring(split(UserId, '@')[0])\n| extend Account_UPNSuffix = tostring(split(UserId, '@')[1])\n| where Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix\n| project TimeGenerated, Account_Name, Account_UPNSuffix, UserId, OfficeId, RecordType, Operation, OrganizationId, UserType, UserKey, OfficeWorkload, OfficeObjectId, ClientIP, ItemType, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension , Start_Time , ElevationTime , TenantId, SourceSystem , Type\n};\nUserOperationToSharePoint ('CTFFUser4','seccxp.ninja')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Resource Type", + "outputType": "String", + "supportDeepLink": false + }, + { + "header": "Distinct Resources", + "outputType": "Number", + "supportDeepLink": true + }, + { + "header": "Total Resources", + "outputType": "Number", + "supportDeepLink": true + }, + { + "header": "IPAddress(es)", + "outputType": "String", + "supportDeepLink": false + } + ], + "queriesDefinitions": [ + { + "filter": "where Operation =~ 'FileUploaded'", + "summarize": "summarize DistinctResources = dcount(SourceFileName), TotalResources = count(SourceFileName), IPAddresses = make_set(ClientIP) by Operation", + "project": "project Title = Operation, DistinctResources, TotalResources, IPAddresses = case(array_length(IPAddresses) == 1, tostring(IPAddresses[0]), array_length(IPAddresses) > 1, 'Many', 'None')", + "linkColumnsDefinitions": [ + { + "projectedName": "DistinctResources", + "Query": "{{BaseQuery}} | " + }, + { + "projectedName": "TotalResources", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where Operation =~ 'FileDownloaded'", + "summarize": "summarize DistinctResources = dcount(SourceFileName), TotalResources = count(SourceFileName), IPAddresses = make_set(ClientIP) by Operation", + "project": "project Title = Operation, DistinctResources, TotalResources, IPAddresses = case(array_length(IPAddresses) == 1, tostring(IPAddresses[0]), array_length(IPAddresses) > 1, 'Many', 'None')", + "linkColumnsDefinitions": [ + { + "projectedName": "DistinctResources", + "Query": "{{BaseQuery}} | " + }, + { + "projectedName": "TotalResources", + "Query": "{{BaseQuery}} | " + } + ] + } + ] + }, + "chartQuery": { + "title": "Resource access over time", + "dataSets": [ + { + "query": "summarize DistinctResources = dcountif(Operation, Operation =~ 'FileUploaded'), TotalResources = countif(Operation =~ 'FileUploaded') by bin(TimeGenerated, 1h) | extend Legend = 'File Uploads'", + "xColumnName": "TimeGenerated", + "yColumnName": "TotalResources", + "legendColumnName": "Legend" + }, + { + "query": "summarize DistinctResources = dcountif(Operation, Operation =~ 'FileDownloaded'), TotalResources = countif(Operation =~ 'FileDownloaded') by bin(TimeGenerated, 1h) | extend Legend = 'File Downloads'", + "xColumnName": "TimeGenerated", + "yColumnName": "TotalResources", + "legendColumnName": "Legend" + } + ], + "type": "LineChart" + }, + "additionalQuery": { + "text": "See all resource activity", + "query": "where Operation in~ (Operations)" + }, + "defaultTimeRange": { + "beforeRange": "12h", + "afterRange": "12h" + }, + "referenceTimeRange": null, + "dataTypes": [ + { + "dataType": "OfficeActivity" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_UPNSuffix" + ], + [ + "Account_AADUserId" + ] + ], + "entitiesFilter": {} + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", + "name": "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", + "type": "Microsoft.SecurityInsights/entities/queries", + "kind": "Insight", + "properties": { + "displayName": "Anomalously high Azure sign-in result count", + "description": "Highlight Azure sign-in results by the user principal with anomalously high count compared to those observed in the preceding 14 days.", + "baseQuery": "let AScoreThresh=3; \nlet maxAnomalies=3; \nlet BeforeRange = 12d; \nlet EndTime=todatetime('{{EndTimeUTC}}');\nlet StartTime = todatetime('{{StartTimeUTC}}'); \nlet numDays = tolong((EndTime-StartTime)/1d); \nlet userData = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AADUserId:string) { \n SigninLogs \n | where TimeGenerated between ((StartTime-BeforeRange) .. EndTime)\n | extend splitUserId=split(UserPrincipalName, '@')\n | extend Account_Name = tostring(splitUserId[0]), Account_UPNSuffix = tostring(splitUserId[1])\n | where (Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix) or UserId =~ v_Account_AADUserId };\nuserData('CTFFUser4', 'seccxp.ninja', '')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Result Description", + "outputType": "String", + "supportDeepLink": true + }, + { + "header": "Expected Count", + "outputType": "Number", + "supportDeepLink": false + }, + { + "header": "Actual Count", + "outputType": "Number", + "supportDeepLink": false + } + ], + "queriesDefinitions": [ + { + "filter": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc\n", + "summarize": "take 1", + "project": "project ResultDescription, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)", + "linkColumnsDefinitions": [ + { + "projectedName": "ResultDescription", + "Query": "{{BaseQuery}} \n| where TimeGenerated between (StartTime .. EndTime) \n| where ResultDescription == ''\n" + } + ] + } + ] + }, + "chartQuery": { + "title": "Anomalous sign-in result timeline", + "dataSets": [ + { + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,round(postExpectedCount,2)) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| take 1 \n| project ResultDescription, TimeGenerated, count_ \n| mvexpand TimeGenerated, count_ \n| project todatetime(TimeGenerated), toint(count_), ResultDescription \n", + "xColumnName": "TimeGenerated", + "yColumnName": "count_", + "legendColumnName": "ResultDescription" + } + ], + "type": "LineChart" + }, + "additionalQuery": { + "text": "Query all anomalous sign-in results", + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_\n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies\n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| project ResultDescription, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)\n" + }, + "defaultTimeRange": { + "beforeRange": "1d", + "afterRange": "0d" + }, + "referenceTimeRange": { + "beforeRange": "12d" + }, + "dataTypes": [ + { + "dataType": "SigninLogs" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_UPNSuffix" + ], + [ + "Account_AADUserId" + ] + ], + "entitiesFilter": {} + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json new file mode 100644 index 000000000000..e3f17c540477 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "RegistryKey", + "properties": { + "friendlyName": "SOFTWARE", + "hive": "HKEY_LOCAL_MACHINE", + "key": "SOFTWARE" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json new file mode 100644 index 000000000000..f4fd02d97991 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json @@ -0,0 +1,26 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "dc44bd11-b348-4d76-ad29-37bf7aa41356" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/dc44bd11-b348-4d76-ad29-37bf7aa41356", + "name": "dc44bd11-b348-4d76-ad29-37bf7aa41356", + "type": "Microsoft.SecurityInsights/entities", + "kind": "RegistryValue", + "properties": { + "friendlyName": "Data", + "valueName": "Name", + "valueData": "Data", + "valueType": "String", + "keyEntityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json new file mode 100644 index 000000000000..037c92f4e7b4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json @@ -0,0 +1,51 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "4aa486e0-6f85-41af-99ea-7acdce7be6c8" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/4aa486e0-6f85-41af-99ea-7acdce7be6c8", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "SecurityAlert", + "properties": { + "systemAlertId": "4aa486e0-6f85-41af-99ea-7acdce7be6c8", + "intent": "Unknown", + "alertDisplayName": "Suspicious account detected", + "description": "", + "confidenceLevel": "Unknown", + "severity": "Medium", + "vendorName": "Microsoft", + "productName": "Azure Sentinel", + "productComponentName": "Scheduled Alerts", + "alertType": "c8c99641-985d-4e4e-8e91-fb3466cd0e5b_46c7b6c0-ff43-44dd-8b4d-ceffff7aa7df", + "providerAlertId": "c2bafff9-fb31-41d0-a177-ecbff7a02ffe", + "processingEndTime": "2019-07-06T13:56:53.5392366Z", + "status": "New", + "endTimeUtc": "2021-09-01T13:21:45.926185Z", + "startTimeUtc": "2021-09-01T08:21:45.926185Z", + "timeGenerated": "2021-09-01T13:56:53.5392366Z", + "tactics": [ + "Persistence", + "LateralMovement" + ], + "additionalData": { + "Query": "Heartbeat \n| extend AccountCustomEntity = \"administrator\"", + "Query Period": "05:00:00", + "Trigger Operator": "GreaterThan", + "Trigger Threshold": "200", + "Search Query Results Overall Count": "203", + "Total Account Entities": "1" + }, + "friendlyName": "Suspicious account detected", + "alertLink": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518119885989999999_4aa486e0-6f85-41af-99ea-7acdce7be6c8/subscriptionId/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/myRg/myWorkspace/referencedFrom/alertDeepLink/location/centralus" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json new file mode 100644 index 000000000000..89e0a19176ab --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "SecurityGroup", + "properties": { + "friendlyName": "Name", + "distinguishedName": "Name", + "sid": "Sid", + "objectGuid": "fb1b8e04-d944-4986-b39a-1ce9adedcd98" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json new file mode 100644 index 000000000000..db5c232a192c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "SubmissionMail", + "properties": { + "friendlyName": "recipient", + "submissionId": "5bb3d8fe-54bc-499c-bc21-86fe8df2a184", + "submitter": "submitter", + "recipient": "recipient", + "sender": "sender", + "senderIp": "1.4.35.34", + "subject": "subject", + "reportType": "report type" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json new file mode 100644 index 000000000000..9087b96dc8f3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json @@ -0,0 +1,23 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Url", + "properties": { + "friendlyName": "https://bing.com", + "url": "https://bing.com" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json new file mode 100644 index 000000000000..2295ca0a637a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json @@ -0,0 +1,52 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "parameters": { + "expansionId": "a77992f3-25e9-4d01-99a4-5ff606cc410a", + "startTime": "2019-04-25T00:00:00.000Z", + "endTime": "2019-05-26T00:00:00.000Z" + } + }, + "responses": { + "200": { + "body": { + "value": { + "entities": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/entities", + "kind": "Ip", + "properties": { + "address": "13.89.108.248", + "friendlyName": "13.89.108.248" + } + } + ], + "edges": [ + { + "targetEntityId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/c1d60d86-5988-11eb-ae93-0242ac130002", + "additionalData": { + "EpochTimestamp": "1608289949", + "FirstSeen": "2021-09-01T11:12:29.597Z", + "Source": "Heartbeat" + } + } + ] + }, + "metaData": { + "aggregations": [ + { + "entityKind": "Account", + "count": 1 + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json new file mode 100644 index 000000000000..8851f2e450ec --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json @@ -0,0 +1,100 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "parameters": { + "addDefaultExtendedTimeRange": false, + "startTime": "2021-09-01T00:00:00.000Z", + "endTime": "2021-10-01T00:00:00.000Z", + "insightQueryIds": [ + "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4" + ] + } + }, + "responses": { + "200": { + "body": { + "value": [ + { + "tableQueryResults": { + "columns": [ + { + "name": "Title", + "type": "string" + }, + { + "name": "NameCount", + "type": "long" + }, + { + "name": "SIDCount", + "type": "long" + }, + { + "name": "InternalOrder", + "type": "long" + }, + { + "name": "Index", + "type": "long" + } + ], + "rows": [ + [ + "MyTitle", + "15", + "SID", + "1", + "1" + ] + ] + }, + "chartQueryResults": [ + { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Count", + "type": "long" + }, + { + "name": "Legend", + "type": "string" + } + ], + "rows": [ + [ + "2021-09-01T00:00:00.000Z", + "55", + "SomeLegend" + ] + ] + } + ], + "queryTimeInterval": { + "startTime": "2021-09-01T23:35:20Z", + "endTime": "2021-09-01T23:35:20Z" + }, + "queryId": "e29ee1ef-7445-455e-85f1-269f2d536d61" + } + ], + "metaData": { + "totalCount": 7, + "errors": [ + { + "kind": "Insight", + "queryId": "4a70a63d-25c4-6312-b73e-4f302a90c06a", + "errorMessage": "Internal server error" + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json new file mode 100644 index 000000000000..47a13a0bb9b0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "afbd324f-6c48-459c-8710-8d1e1cd03812" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/entities/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/incidents" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json new file mode 100644 index 000000000000..31dd38867884 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/entities/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/incidents" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json new file mode 100644 index 000000000000..d923f9b0da67 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json @@ -0,0 +1,92 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "parameters": { + "numberOfBucket": 4, + "startTime": "2021-09-01T00:00:00.000Z", + "endTime": "2021-10-01T00:00:00.000Z" + } + }, + "responses": { + "200": { + "body": { + "value": [ + { + "kind": "SecurityAlert", + "description": "The alert description", + "azureResourceId": "4467341f-fb73-4f99-a9b3-29473532cf5a_bf7c3a2f-b743-6410-3ff0-ec64b5995d50", + "productName": "Azure Sentinel", + "displayName": "Alert display name", + "severity": "Medium", + "endTimeUtc": "2021-09-01T23:31:28.02Z", + "startTimeUtc": "2021-09-01T23:32:28.01Z", + "timeGenerated": "2021-09-01T23:37:25.8136594Z", + "alertType": "4467341f-fb73-4f99-a9b3-29473532cf5a_c93bf33e-055e-4972-9e7d-f84fe3fb61ae", + "Intent": "Discovery" + }, + { + "kind": "Activity", + "queryId": "e0459780-ac9d-4b72-8bd4-fecf6b46a0a1", + "bucketStartTimeUTC": "2021-09-01T21:31:28.02Z", + "bucketEndTimeUTC": "2021-09-01T23:31:28.02Z", + "firstActivityTimeUTC": "2021-09-01T21:35:28.02Z", + "lastActivityTimeUTC": "2021-09-01T21:35:28.02Z", + "content": "he user has deleted the account 3 time(s)", + "title": "The user has deleted an account" + }, + { + "kind": "Anomaly", + "azureResourceId": "4467341f-fb73-4f99-a9b3-29473532cf5a_d56430ef-f421-2c9c-0b7d-d082285843c6", + "description": "Anomalous private to public port scanning activity with high destination port count along with low port ratio. The ratios are normalized by multiplying them by 10,000 to get them to a more usable value between 0.0 and 1.0.", + "productName": "Azure Sentinel", + "displayName": "(Preview) Anomalous scanning activity", + "endTimeUtc": "2021-09-01T23:31:28.02Z", + "startTimeUtc": "2021-09-01T23:32:28.01Z", + "timeGenerated": "2021-09-01T23:37:25.8136594Z", + "vendor": "Microsoft", + "intent": "Discovery", + "techniques": [ + "T1046" + ], + "reasons": [ + "High destination port count", + "Low port ratio" + ] + } + ], + "metaData": { + "totalCount": 6, + "aggregations": [ + { + "count": 4, + "kind": "Activity" + }, + { + "count": 2, + "kind": "SecurityAlert" + }, + { + "count": 1, + "kind": "Anomaly" + } + ], + "errors": [ + { + "kind": "Activity", + "queryId": "11067f9f-d6a7-4488-887f-0ba564268879", + "errorMessage": "syntax error" + }, + { + "kind": "SecurityAlert", + "errorMessage": "internal server error" + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json new file mode 100644 index 000000000000..ab41dc821a65 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json @@ -0,0 +1,133 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityQueryId": "07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "entityQuery": { + "kind": "Activity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "enabled": true, + "templateName": null + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "type": "Microsoft.SecurityInsights/entityQueries", + "kind": "Activity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "enabled": true, + "templateName": null, + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "type": "Microsoft.SecurityInsights/entityQueries", + "kind": "Activity", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "enabled": true, + "templateName": null, + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json new file mode 100644 index 000000000000..7f79842d2661 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityQueryId": "07da3cc8-c8ad-4710-a44e-334cdcb7882b" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json new file mode 100644 index 000000000000..7e0d279fb3ae --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json @@ -0,0 +1,54 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityQueryId": "07da3cc8-c8ad-4710-a44e-334cdcb7882b" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "type": "Microsoft.SecurityInsights/entityQueries", + "etag": null, + "kind": "Activity", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "enabled": true, + "templateName": null, + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json new file mode 100644 index 000000000000..966d9e551e11 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json @@ -0,0 +1,59 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "kind": "Expansion", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d", + "name": "37ca3555-c135-4a73-a65e-9c1d00323f5d", + "type": "Microsoft.SecurityInsights/entityQueries", + "etag": null, + "kind": "Expansion", + "properties": { + "queryTemplate": "let AccountActivity_byIP = (v_IP_Address:string){\r\n AzureActivity\r\n | where Caller != '' and CallerIpAddress == v_IP_Address\r\n | summarize Account_Aux_StartTime = min(TimeGenerated), Account_Aux_EndTime = max(TimeGenerated), Count = count() by Caller, TenantId\r\n | top 10 by Count asc nulls last \r\n | extend UPN = iff(Caller contains '@', Caller, ''), Account_AadUserId = iff(Caller !contains '@', Caller,'')\r\n | extend Account_Name = split(UPN,'@')[0] , Account_UPNSuffix = split(UPN,'@')[1]\r\n | project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime};\r\n AccountActivity_byIP('
')", + "inputFields": [ + "address" + ], + "outputEntityTypes": [ + "Account" + ], + "dataSources": [ + "AzureActivity" + ], + "inputEntityType": "IP", + "displayName": "Least active accounts on Azure from this IP" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91", + "name": "97a1d515-abf2-4231-9a35-985f9de0bb91", + "type": "Microsoft.SecurityInsights/entityQueries", + "etag": null, + "kind": "Expansion", + "properties": { + "queryTemplate": "let AccountActivity_byIP = (v_IP_Address:string){\r\n AzureActivity\r\n | where Caller != '' and CallerIpAddress == v_IP_Address\r\n | summarize Account_Aux_StartTime = min(TimeGenerated), Account_Aux_EndTime = max(TimeGenerated), Count = count() by Caller, TenantId\r\n | top 10 by Count desc nulls last \r\n | extend UPN = iff(Caller contains '@', Caller, ''), Account_AadUserId = iff(Caller !contains '@', Caller,'')\r\n | extend Account_Name = split(UPN,'@')[0] , Account_UPNSuffix = split(UPN,'@')[1]\r\n | project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime};\r\n AccountActivity_byIP('
')", + "inputFields": [ + "address" + ], + "outputEntityTypes": [ + "Account" + ], + "dataSources": [ + "AzureActivity" + ], + "inputEntityType": "IP", + "displayName": "Most active accounts on Azure from this IP" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json new file mode 100644 index 000000000000..0fc6837dc132 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json @@ -0,0 +1,34 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityQueryId": "07da3cc8-c8ad-4710-a44e-334cdcb7882b" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "type": "Microsoft.SecurityInsights/entityQueries", + "etag": null, + "kind": "Expansion", + "properties": { + "queryTemplate": "let GetParentProcessesOnHost = (v_Host_HostName:string){\r\n SecurityEvent \r\n | where EventID == 4688 \r\n | where isnotempty(ParentProcessName)\r\n | where NewProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe' and ParentProcessName !contains ':\\\\Windows\\\\System32\\\\conhost.exe'\r\n and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\csc.exe'\r\n and NewProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe' and ParentProcessName !contains ':\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.0.50727\\\\cvtres.exe'\r\n and NewProcessName!contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' and ParentProcessName !contains ':\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe'\r\n and ParentProcessName !contains ':\\\\Windows\\\\CCM\\\\CcmExec.exe'\r\n | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\svchost.exe' and (NewProcessName !contains ':\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' or NewProcessName !contains ':\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe'))\r\n | where(ParentProcessName !contains ':\\\\Windows\\\\System32\\\\services.exe' and NewProcessName !contains ':\\\\Windows\\\\servicing\\\\TrustedInstaller.exe')\r\n | where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\r\n | summarize min(TimeGenerated), max(TimeGenerated) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n | project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\r\n | project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\r\n | top 10 by min_TimeGenerated asc};\r\n GetParentProcessesOnHost(toupper(''))", + "inputFields": [ + "hostName" + ], + "outputEntityTypes": [ + "Process" + ], + "dataSources": [ + "SecurityEvent" + ], + "inputEntityType": "Host", + "displayName": "Parent processes running on host" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json new file mode 100644 index 000000000000..5fb4e89a4da2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json @@ -0,0 +1,57 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityQueryTemplateId": "07da3cc8-c8ad-4710-a44e-334cdcb7882b" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueryTemplates/07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "name": "07da3cc8-c8ad-4710-a44e-334cdcb7882b", + "type": "Microsoft.SecurityInsights/entityQueryTemplate", + "kind": "Activity", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "dataTypes": [ + { + "dataType": "AuditLogs" + }, + { + "dataType": "SecurityEvent" + } + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json new file mode 100644 index 000000000000..722b38e6437a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json @@ -0,0 +1,105 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "kind": "Activity", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueryTemplates/37ca3555-c135-4a73-a65e-9c1d00323f5d", + "name": "37ca3555-c135-4a73-a65e-9c1d00323f5d", + "type": "Microsoft.SecurityInsights/entityQueryTemplates", + "kind": "Activity", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "dataTypes": [ + { + "dataType": "AuditLogs" + }, + { + "dataType": "SecurityEvent" + } + ] + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entityQueryTemplates/97a1d515-abf2-4231-9a35-985f9de0bb91", + "name": "97a1d515-abf2-4231-9a35-985f9de0bb91", + "type": "Microsoft.SecurityInsights/entityQueryTemplates", + "kind": "Activity", + "properties": { + "title": "An account was deleted on this host", + "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'", + "description": "Account deleted on host", + "queryDefinitions": { + "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 " + }, + "inputEntityType": "Host", + "requiredInputFieldsSets": [ + [ + "Host_HostName", + "Host_NTDomain" + ], + [ + "Host_HostName", + "Host_DnsDomain" + ], + [ + "Host_AzureID" + ], + [ + "Host_OMSAgentID" + ] + ], + "entitiesFilter": { + "Host_OsFamily": [ + "Windows" + ] + }, + "dataTypes": [ + { + "dataType": "AuditLogs" + }, + { + "dataType": "SecurityEvent" + } + ] + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json new file mode 100644 index 000000000000..68ae4205369d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json @@ -0,0 +1,49 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "fileImportId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "fileImport": { + "properties": { + "source": "mySource", + "importFile": { + "fileName": "myFile.json", + "fileSize": 4653, + "fileFormat": "JSON" + }, + "contentType": "StixIndicator", + "ingestionMode": "IngestAnyValidRecords" + } + } + }, + "responses": { + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/FileImports/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/FileImports", + "properties": { + "importFile": { + "fileName": "myFile.json", + "fileSize": 4653, + "fileFormat": "JSON", + "fileContentUri": "https://sentinelimportswus2.blob.core.windows.net/78c2e51a-3cd3-4ca0-a2d4-e7effb9a05fe/43967a5e-47a7-474e-afb8-2081e9b99ca1/fileName.json?skoid=40ca3ff4-ed1d-4c65-a409-8c6caff8a6d5&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-03-25T21%3A12%3A51Z&ske=2022-03-25T22%3A12%3A51Z&sks=b&skv=2020-10-02&sv=2020-08-04&st=2022-03-25T21%3A12%3A51Z&se=2022-03-25T22%3A12%3A51Z&sr=b&sp=c&sig=5n0D%2FERS6ZOQdfdO2adleeSVOM4b6mQeds%2FWYCGm9pU%3D", + "deleteStatus": "NotDeleted" + }, + "state": "WaitingForUpload", + "contentType": "StixIndicator", + "ingestionMode": "IngestAnyValidRecords", + "totalRecordCount": null, + "validRecordCount": null, + "ingestedRecordCount": null, + "createdTimeUTC": "2022-04-04T20:05:59.847136Z", + "filesValidUntilTimeUTC": "2022-04-05T20:05:59.8471361Z", + "importValidUntilTimeUTC": "2022-05-04T20:05:59.8471366Z", + "source": "mySource" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json new file mode 100644 index 000000000000..c41aea4c128d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json @@ -0,0 +1,41 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "fileImportId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "202": { + "headers": { + "location": "https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/FileImports/73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/FileImports/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/FileImports", + "properties": { + "importFile": { + "fileName": "myFile.json", + "fileSize": 5146, + "fileFormat": "JSON", + "fileContentUri": null, + "deleteStatus": "NotDeleted" + }, + "state": "Ingested", + "contentType": "StixIndicator", + "ingestionMode": "IngestAnyValidRecords", + "totalRecordCount": 5, + "validRecordCount": 5, + "ingestedRecordCount": 5, + "createdTimeUTC": "2022-03-25T21:02:38.8350631Z", + "filesValidUntilTimeUTC": "2022-03-26T21:02:38.8350632Z", + "importValidUntilTimeUTC": "2022-04-24T21:02:38.8350636Z", + "source": "mySource" + } + } + }, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json new file mode 100644 index 000000000000..541cb2d08d56 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json @@ -0,0 +1,37 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "fileImportId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/FileImports/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/FileImports", + "properties": { + "importFile": { + "fileName": "myFile.json", + "fileSize": 5146, + "fileFormat": "JSON", + "fileContentUri": "https://sentinelimportswus2.blob.core.windows.net/78c2e51a-3cd3-4ca0-a2d4-e7effb9a05fe/43967a5e-47a7-474e-afb8-2081e9b99ca1/myFile.json?skoid=40ca3ff4-ed1d-4c65-a409-8c6caff8a6d5&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2022-03-25T21%3A12%3A51Z&ske=2022-03-25T22%3A12%3A51Z&sks=b&skv=2020-10-02&sv=2020-08-04&st=2022-03-25T21%3A12%3A51Z&se=2022-03-25T22%3A12%3A51Z&sr=b&sp=c&sig=5n0D%2FERS6ZOQdfdO2adleeSVOM4b6mQeds%2FWYCGm9pU%3D", + "deleteStatus": "NotDeleted" + }, + "state": "Ingested", + "contentType": "StixIndicator", + "ingestionMode": "IngestAnyValidRecords", + "totalRecordCount": 5, + "validRecordCount": 5, + "ingestedRecordCount": 5, + "createdTimeUTC": "2022-03-25T21:02:38.8350631Z", + "filesValidUntilTimeUTC": "2022-03-26T21:02:38.8350632Z", + "importValidUntilTimeUTC": "2022-04-24T21:02:38.8350636Z", + "source": "mySource" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json new file mode 100644 index 000000000000..580be0c8bd6d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json @@ -0,0 +1,42 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "$orderby": "properties/createdTimeUtc desc", + "$top": 1 + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/FileImports/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "type": "Microsoft.SecurityInsights/FileImports", + "properties": { + "importFile": { + "fileName": "fileName.json", + "fileSize": 5146, + "fileFormat": "JSON", + "fileContentUri": null, + "deleteStatus": "NotDeleted" + }, + "state": "Ingested", + "contentType": "StixIndicator", + "ingestionMode": "IngestAnyValidRecords", + "totalRecordCount": 5, + "validRecordCount": 5, + "ingestedRecordCount": 5, + "createdTimeUTC": "2022-03-25T21:02:38.8350631Z", + "filesValidUntilTimeUTC": "2022-03-26T21:02:38.8350632Z", + "importValidUntilTimeUTC": "2022-04-24T21:02:38.8350636Z", + "source": "mySource" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json new file mode 100644 index 000000000000..a051049c83f9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json @@ -0,0 +1,50 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/baa8a239-6fde-4ab7-a093-d09f7b75c58c", + "name": "baa8a239-6fde-4ab7-a093-d09f7b75c58c", + "type": "Microsoft.SecurityInsights/Entities", + "kind": "SecurityAlert", + "properties": { + "systemAlertId": "baa8a239-6fde-4ab7-a093-d09f7b75c58c", + "tactics": [], + "alertDisplayName": "myAlert", + "confidenceLevel": "Unknown", + "severity": "Low", + "vendorName": "Microsoft", + "productName": "Azure Security Center", + "alertType": "myAlert", + "processingEndTime": "2020-07-20T18:21:53.615Z", + "status": "New", + "endTimeUtc": "2020-07-20T18:21:53.615Z", + "startTimeUtc": "2020-07-20T18:21:53.615Z", + "timeGenerated": "2020-07-20T18:21:53.615Z", + "resourceIdentifiers": [ + { + "type": "LogAnalytics", + "workspaceId": "c8c99641-985d-4e4e-8e91-fb3466cd0e5b", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroup": "myRG" + } + ], + "additionalData": { + "alertMessageEnqueueTime": "2020-07-20T18:21:57.304Z" + }, + "friendlyName": "myAlert" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json new file mode 100644 index 000000000000..0a658cb6da2e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json @@ -0,0 +1,47 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812", + "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "type": "Microsoft.SecurityInsights/Entities", + "kind": "Bookmark", + "properties": { + "displayName": "SecurityEvent - 868f40f4698d", + "created": "2020-06-17T15:34:01.426+00:00", + "updated": "2020-06-17T15:34:01.426+00:00", + "createdBy": { + "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", + "email": "user@contoso.com", + "name": "user" + }, + "updatedBy": { + "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", + "email": "user@contoso.com", + "name": "user" + }, + "eventTime": "2020-06-17T15:34:01.426+00:00", + "labels": [], + "query": "SecurityEvent\r\n| take 1\n", + "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}", + "additionalData": { + "eTag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"", + "entityId": "afbd324f-6c48-459c-8710-8d1e1cd03812" + }, + "friendlyName": "SecurityEvent - 868f40f4698d" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json new file mode 100644 index 000000000000..cd341046a011 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json @@ -0,0 +1,55 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentCommentId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "incidentComment": { + "properties": { + "message": "Some message" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/comments", + "properties": { + "message": "Some message", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T13:15:30Z", + "author": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/comments", + "properties": { + "message": "Some message", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T13:15:30Z", + "author": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json new file mode 100644 index 000000000000..715a920d4abc --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentCommentId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json new file mode 100644 index 000000000000..fc28975380ac --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json @@ -0,0 +1,31 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentCommentId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/comments", + "properties": { + "message": "Some message", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "author": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json new file mode 100644 index 000000000000..a781085ccf0c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json @@ -0,0 +1,34 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/comments", + "properties": { + "message": "Some message", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "author": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json new file mode 100644 index 000000000000..15ac7b53ad9b --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json @@ -0,0 +1,34 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600" + }, + "responses": { + "200": { + "body": { + "entities": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/e1d3d618-e11f-478b-98e3-bb381539a8e1", + "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "type": "Microsoft.SecurityInsights/Entities", + "kind": "Account", + "properties": { + "accountName": "administrator", + "ntDomain": "domain", + "friendlyName": "administrator" + } + } + ], + "metaData": [ + { + "entityKind": "Account", + "count": 1 + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json new file mode 100644 index 000000000000..42e5b2e07813 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json @@ -0,0 +1,73 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentTaskId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "incidentTask": { + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json new file mode 100644 index 000000000000..3b961d4c7d40 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentTaskId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json new file mode 100644 index 000000000000..2e8cbe348888 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json @@ -0,0 +1,39 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentTaskId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json new file mode 100644 index 000000000000..5dca6eb6d8b2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json @@ -0,0 +1,42 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json new file mode 100644 index 000000000000..a5dbba962a15 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json @@ -0,0 +1,26 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600", + "teamProperties": { + "teamName": "Team name", + "teamDescription": "Team description", + "groupIds": null, + "memberIds": null + } + }, + "responses": { + "200": { + "body": { + "teamId": "99978838-9bda-4ad4-8f93-4cf7ebc50ca5", + "primaryChannelUrl": "https://teams.microsoft.com/l/team/19:80bf3b25485b4067b7d2dc4eec9e1578%40thread.tacv2/conversations?groupId=99978838-9bda-4ad4-8f93-4cf7ebc50ca5&tenantId=5b5a146c-eba8-46af-96f8-e31b50d15a3f", + "teamCreationTimeUtc": "2021-03-15T17:08:21.995Z", + "name": "Team name", + "description": "Team description" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json new file mode 100644 index 000000000000..d776cd5f8515 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json @@ -0,0 +1,136 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incident": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", + "owner": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": null, + "assignedTo": null, + "userPrincipalName": null, + "ownerType": null + }, + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"", + "type": "Microsoft.SecurityInsights/incidents", + "properties": { + "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", + "owner": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", + "ownerType": "User" + }, + "labels": [], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "incidentNumber": 3177, + "additionalData": { + "alertsCount": 0, + "bookmarksCount": 0, + "commentsCount": 3, + "alertProductNames": [], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1091", + "T1133", + "T1053" + ], + "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"", + "type": "Microsoft.SecurityInsights/incidents", + "properties": { + "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", + "owner": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", + "ownerType": "User" + }, + "labels": [], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "incidentNumber": 3177, + "additionalData": { + "alertsCount": 0, + "bookmarksCount": 0, + "commentsCount": 3, + "alertProductNames": [], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1091", + "T1133", + "T1053" + ], + "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json new file mode 100644 index 000000000000..9800aa0d57b0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json new file mode 100644 index 000000000000..d7dbf8bc9871 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json @@ -0,0 +1,63 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/incidents", + "properties": { + "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", + "owner": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", + "ownerType": "User" + }, + "labels": [], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "incidentNumber": 3177, + "additionalData": { + "alertsCount": 0, + "bookmarksCount": 0, + "commentsCount": 3, + "alertProductNames": [], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1091", + "T1133", + "T1053" + ], + "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json new file mode 100644 index 000000000000..a781403ae685 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json @@ -0,0 +1,68 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "$orderby": "properties/createdTimeUtc desc", + "$top": 1 + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/incidents", + "properties": { + "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", + "owner": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", + "ownerType": "User" + }, + "labels": [], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "incidentNumber": 3177, + "additionalData": { + "alertsCount": 0, + "bookmarksCount": 0, + "commentsCount": 3, + "alertProductNames": [], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1091", + "T1133", + "T1053" + ], + "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json new file mode 100644 index 000000000000..0d560e1ce525 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "relation": { + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/incidents/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/bookmarks" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/incidents/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/bookmarks" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json new file mode 100644 index 000000000000..d51d5d3b5fda --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json new file mode 100644 index 000000000000..bf7b0a413a44 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json @@ -0,0 +1,40 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/incidents/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/bookmarks" + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/9673a17d-8bc7-4ca6-88ee-38a4f3efc032", + "name": "9673a17d-8bc7-4ca6-88ee-38a4f3efc032", + "type": "Microsoft.SecurityInsights/incidents/relations", + "etag": "6f714025-dd7c-46aa-b5d0-b9857488d060", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/1dd267cd-8a1f-4f6f-b92c-da43ac8819af", + "relatedResourceName": "1dd267cd-8a1f-4f6f-b92c-da43ac8819af", + "relatedResourceType": "Microsoft.SecurityInsights/entities", + "relatedResourceKind": "SecurityAlert" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json new file mode 100644 index 000000000000..3a2be91d9d27 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/relations/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "type": "Microsoft.SecurityInsights/incidents/relations", + "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", + "properties": { + "relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/bookmarks" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json new file mode 100644 index 000000000000..954d54217bef --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json @@ -0,0 +1,17 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "entityIdentifier": "72e01a22-5cd2-4139-a149-9f2736ff2ar2", + "manualTriggerRequestBody": { + "logicAppsResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/my-playbook-name", + "tenantId": "qwere6b2-9ac0-4464-9919-dccaee2e4ddd", + "incidentArmId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5" + } + }, + "responses": { + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json new file mode 100644 index 000000000000..c83122b65aab --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json @@ -0,0 +1,18 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentIdentifier": "73e01a99-5cd7-4139-a149-9f2736ff2ar4", + "manualTriggerRequestBody": { + "logicAppsResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/my-playbook-name", + "tenantId": "qwere6b2-9ac0-4464-9919-dccaee2e4ddd" + } + }, + "responses": { + "204": { + "body": {} + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json new file mode 100644 index 000000000000..903353406af3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "metadataName": "metadataName" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json new file mode 100644 index 000000000000..3e58aa8b417e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json @@ -0,0 +1,64 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName1", + "name": "metadataName1", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + } + } + }, + { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName2", + "name": "metadataName2", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "f5160682-0e10-4e23-8fcf-df3df49c5522", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName2", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + } + } + }, + { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.Insights/workbooks/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName3", + "name": "metadataName3", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "f593501d-ec01-4057-8146-a1de35c461ef", + "version": "1.0.0.0", + "kind": "Workbook", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.Insights/workbooks/workbookName", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json new file mode 100644 index 000000000000..6353a8c6d7cb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json @@ -0,0 +1,52 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ODataFilter": "properties/kind eq 'AnalyticsRule'", + "ODataOrderBy": "properties/parentId desc", + "ODataSkip": "2", + "ODataTop": "2" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName1", + "name": "metadataName1", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName1", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + } + } + }, + { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName2", + "name": "metadataName2", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "f5160682-0e10-4e23-8fcf-df3df49c5522", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName2", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json new file mode 100644 index 000000000000..80b255cf2d9c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json @@ -0,0 +1,104 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "2e1dc338-d04d-4443-b721-037eff4fdcac", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "metadataName": "metadataName" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName", + "name": "metadataName", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + }, + "author": { + "name": "User Name", + "email": "email@microsoft.com" + }, + "support": { + "name": "Microsoft", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/", + "tier": "Partner" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "operator": "OR", + "criteria": [ + { + "contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756", + "kind": "DataConnector" + }, + { + "contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d", + "kind": "DataConnector" + }, + { + "contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593", + "kind": "DataConnector", + "version": "2.0" + } + ] + }, + { + "kind": "Playbook", + "contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab", + "version": "1.0" + }, + { + "kind": "Parser", + "contentId": "21ba424a-9438-4444-953a-7059539a7a1b" + } + ] + }, + "categories": { + "domains": [ + "Application", + "Security – Insider Threat" + ], + "verticals": [ + "Healthcare" + ] + }, + "providers": [ + "Amazon", + "Microsoft" + ], + "firstPublishDate": "2021-05-18", + "lastPublishDate": "2021-05-18", + "previewImages": [ + "firstImage.png", + "secondImage.jpeg" + ], + "previewImagesDark": [ + "firstImageDark.png", + "secondImageDark.jpeg" + ], + "contentSchemaVersion": "2.0", + "customVersion": "1.0", + "threatAnalysisTactics": [ + "reconnaissance", + "commandandcontrol" + ], + "threatAnalysisTechniques": [ + "T1548", + "T1548.001" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json new file mode 100644 index 000000000000..8d2d74b5a694 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json @@ -0,0 +1,35 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "metadataName": "metadataName", + "metadataPatch": { + "properties": { + "author": { + "name": "User Name", + "email": "email@microsoft.com" + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName", + "name": "metadataName", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName", + "author": { + "name": "User Name", + "email": "email@microsoft.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json new file mode 100644 index 000000000000..df2b397e5674 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json @@ -0,0 +1,286 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "metadataName": "metadataName", + "metadata": { + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + }, + "author": { + "name": "User Name", + "email": "email@microsoft.com" + }, + "support": { + "name": "Microsoft", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/", + "tier": "Partner" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "operator": "OR", + "criteria": [ + { + "contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756", + "kind": "DataConnector", + "name": "Microsoft Defender for Endpoint" + }, + { + "contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d", + "kind": "DataConnector" + }, + { + "contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593", + "kind": "DataConnector", + "version": "2.0" + } + ] + }, + { + "kind": "Playbook", + "contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab", + "version": "1.0" + }, + { + "kind": "Parser", + "contentId": "21ba424a-9438-4444-953a-7059539a7a1b" + } + ] + }, + "categories": { + "domains": [ + "Application", + "Security – Insider Threat" + ], + "verticals": [ + "Healthcare" + ] + }, + "providers": [ + "Amazon", + "Microsoft" + ], + "firstPublishDate": "2021-05-18", + "lastPublishDate": "2021-05-18", + "previewImages": [ + "firstImage.png", + "secondImage.jpeg" + ], + "previewImagesDark": [ + "firstImageDark.png", + "secondImageDark.jpeg" + ], + "contentSchemaVersion": "2.0", + "customVersion": "1.0", + "threatAnalysisTactics": [ + "reconnaissance", + "commandandcontrol" + ], + "threatAnalysisTechniques": [ + "T1548", + "T1548.001" + ] + } + } + }, + "responses": { + "201": { + "body": { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName", + "name": "metadataName", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + }, + "author": { + "name": "User Name", + "email": "email@microsoft.com" + }, + "support": { + "name": "Microsoft", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/", + "tier": "Partner" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "operator": "OR", + "criteria": [ + { + "contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756", + "kind": "DataConnector" + }, + { + "contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d", + "kind": "DataConnector" + }, + { + "contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593", + "kind": "DataConnector", + "version": "2.0" + } + ] + }, + { + "kind": "Playbook", + "contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab", + "version": "1.0" + }, + { + "kind": "Parser", + "contentId": "21ba424a-9438-4444-953a-7059539a7a1b" + } + ] + }, + "categories": { + "domains": [ + "Application", + "Security – Insider Threat" + ], + "verticals": [ + "Healthcare" + ] + }, + "providers": [ + "Amazon", + "Microsoft" + ], + "firstPublishDate": "2021-05-18", + "lastPublishDate": "2021-05-18", + "previewImages": [ + "firstImage.png", + "secondImage.jpeg" + ], + "previewImagesDark": [ + "firstImageDark.png", + "secondImageDark.jpeg" + ], + "contentSchemaVersion": "2.0", + "customVersion": "1.0", + "threatAnalysisTactics": [ + "reconnaissance", + "commandandcontrol" + ], + "threatAnalysisTechniques": [ + "T1548", + "T1548.001" + ] + } + } + }, + "200": { + "body": { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName", + "name": "metadataName", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "version": "1.0.0.0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName", + "source": { + "kind": "Solution", + "name": "Contoso Solution 1.0", + "sourceId": "b688a130-76f4-4a07-bf57-762222a3cadf" + }, + "author": { + "name": "User Name", + "email": "email@microsoft.com" + }, + "support": { + "name": "Microsoft", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/", + "tier": "Partner" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "operator": "OR", + "criteria": [ + { + "contentId": "045d06d0-ee72-4794-aba4-cf5646e4c756", + "kind": "DataConnector" + }, + { + "contentId": "dbfcb2cc-d782-40ef-8d94-fe7af58a6f2d", + "kind": "DataConnector" + }, + { + "contentId": "de4dca9b-eb37-47d6-a56f-b8b06b261593", + "kind": "DataConnector", + "version": "2.0" + } + ] + }, + { + "kind": "Playbook", + "contentId": "31ee11cc-9989-4de8-b176-5e0ef5c4dbab", + "version": "1.0" + }, + { + "kind": "Parser", + "contentId": "21ba424a-9438-4444-953a-7059539a7a1b" + } + ] + }, + "categories": { + "domains": [ + "Application", + "Security – Insider Threat" + ], + "verticals": [ + "Healthcare" + ] + }, + "providers": [ + "Amazon", + "Microsoft" + ], + "firstPublishDate": "2021-05-18", + "lastPublishDate": "2021-05-18", + "previewImages": [ + "firstImage.png", + "secondImage.jpeg" + ], + "previewImagesDark": [ + "firstImageDark.png", + "secondImageDark.jpeg" + ], + "contentSchemaVersion": "2.0", + "customVersion": "1.0", + "threatAnalysisTactics": [ + "reconnaissance", + "commandandcontrol" + ], + "threatAnalysisTechniques": [ + "T1548", + "T1548.001" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json new file mode 100644 index 000000000000..7486abdfb7b6 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json @@ -0,0 +1,40 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "metadataName": "metadataName", + "metadata": { + "properties": { + "contentId": "c00ee137-7475-47c8-9cce-ec6f0f1bedd0", + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName" + } + } + }, + "responses": { + "201": { + "body": { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName", + "name": "metadataName", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName" + } + } + }, + "200": { + "body": { + "id": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/metadata/metadataName", + "name": "metadataName", + "type": "Microsoft.SecurityInsights/metadata", + "properties": { + "kind": "AnalyticsRule", + "parentId": "/subscriptions/2e1dc338-d04d-4443-b721-037eff4fdcac/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/ruleName" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json new file mode 100644 index 000000000000..15cc3e4e4e37 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "consentId": "04e5fd05-ff86-4b97-b8d2-1c20933cb46c" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json new file mode 100644 index 000000000000..e14e00894df4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/officeConsents/04e5fd05-ff86-4b97-b8d2-1c20933cb46c", + "name": "04e5fd05-ff86-4b97-b8d2-1c20933cb46c", + "type": "Microsoft.SecurityInsights/officeConsents", + "properties": { + "tenantId": "5460b3d2-1e7b-4757-ad54-c858c7e3f252", + "consentId": "04e5fd05-ff86-4b97-b8d2-1c20933cb46c" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json new file mode 100644 index 000000000000..059e30cc60a8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "consentId": "04e5fd05-ff86-4b97-b8d2-1c20933cb46c" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/officeConsents/04e5fd05-ff86-4b97-b8d2-1c20933cb46c", + "name": "04e5fd05-ff86-4b97-b8d2-1c20933cb46c", + "type": "Microsoft.SecurityInsights/officeConsents", + "properties": { + "tenantId": "5460b3d2-1e7b-4757-ad54-c858c7e3f252", + "consentId": "04e5fd05-ff86-4b97-b8d2-1c20933cb46c" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json new file mode 100644 index 000000000000..19214d142ad4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json @@ -0,0 +1,36 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "sentinelOnboardingStateName": "default", + "sentinelOnboardingStateParameter": { + "properties": { + "customerManagedKey": false + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/onboardingStates/default", + "name": "default", + "type": "Microsoft.SecurityInsights/onboardingStates", + "properties": { + "customerManagedKey": false + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/onboardingStates/default", + "name": "default", + "type": "Microsoft.SecurityInsights/onboardingStates", + "properties": { + "customerManagedKey": false + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json new file mode 100644 index 000000000000..13859b4909fd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "sentinelOnboardingStateName": "default" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json new file mode 100644 index 000000000000..adbbec7024a8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/onboardingStates/default", + "name": "default", + "type": "Microsoft.SecurityInsights/onboardingStates", + "properties": { + "customerManagedKey": false + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json new file mode 100644 index 000000000000..675b5c47852c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json @@ -0,0 +1,21 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "sentinelOnboardingStateName": "default" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/onboardingStates/default", + "name": "default", + "type": "Microsoft.SecurityInsights/onboardingStates", + "properties": { + "customerManagedKey": false + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json new file mode 100644 index 000000000000..6a6ca38f9971 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json @@ -0,0 +1,563 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "name": "Microsoft.SecurityInsights/operations/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Operations", + "operation": "Get Operations", + "description": "Gets operations" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/automationRules/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "AutomationRules", + "operation": "Get Automation Rules", + "description": "Gets an automation rule" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/automationRules/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "AutomationRules", + "operation": "Update Automation Rules", + "description": "Updates an automation rule" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/automationRules/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "AutomationRules", + "operation": "Delete Automation Rules", + "description": "Deletes an automation rule" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Bookmarks/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmarks", + "operation": "Get Bookmarks", + "description": "Gets bookmarks" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Bookmarks/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmarks", + "operation": "Update Bookmarks", + "description": "Updates bookmarks" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Bookmarks/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmarks", + "operation": "Delete Bookmarks", + "description": "Deletes bookmarks" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Bookmarks/expand/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmarks", + "operation": "Expand on entity", + "description": "Gets related entities of an entity by a specific expansion" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/bookmarks/relations/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmark Relations", + "operation": "Get Bookmark Relations", + "description": "Gets a bookmark relation" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/bookmarks/relations/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmark Relations", + "operation": "Update Bookmark Relations", + "description": "Updates a bookmark relation" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/bookmarks/relations/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Bookmark Relations", + "operation": "Delete Bookmark Relations", + "description": "Deletes a bookmark relation" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/alertRules/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Alert Rules", + "operation": "Get Alert Rules", + "description": "Gets the alert rules" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/alertRules/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Alert Rules", + "operation": "Update Alert Rules", + "description": "Updates alert rules" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/alertRules/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Alert Rules", + "operation": "Delete Alert Rules", + "description": "Deletes alert rules" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/alertRules/actions/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Alert Rules Actions", + "operation": "Get Alert Rule Response Actions", + "description": "Gets the response actions of an alert rule" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/alertRules/actions/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Alert Rules Actions", + "operation": "Update Alert Rule Response Actions", + "description": "Updates the response actions of an alert rule" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/alertRules/actions/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Alert Rules Actions", + "operation": "Delete Alert Rule Response Actions", + "description": "Deletes the response actions of an alert rule" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/dataConnectors/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "DataConnectors", + "operation": "Get Data Connectors", + "description": "Gets the data connectors" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/dataConnectors/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "DataConnectors", + "operation": "Update Data Connectors", + "description": "Updates a data connector" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/dataConnectors/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "DataConnectors", + "operation": "Delete a Data Connector", + "description": "Deletes a data connector" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "DataConnectorsCheckRequirements", + "operation": "Check user authorization and license", + "description": "Check user authorization and license" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incidents", + "operation": "Get Incidents", + "description": "Gets an incident" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incidents", + "operation": "Update Incidents", + "description": "Updates an incident" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incidents", + "operation": "Delete Incidents", + "description": "Deletes an incident" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/comments/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incident Comments", + "operation": "Get Incident Comments", + "description": "Gets the incident comments" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/comments/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incident Comments", + "operation": "Create Incident Comments", + "description": "Creates a comment on the incident" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/comments/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incident Comments", + "operation": "Delete Incident Comment", + "description": "Deletes a comment on the incident" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/relations/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incident Relations", + "operation": "Get Incident Relations", + "description": "Gets a relation between the incident and related resources" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/relations/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incident Relations", + "operation": "Update Incident Relations", + "description": "Updates a relation between the incident and related resources" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/incidents/relations/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Incident Relations", + "operation": "Delete Incident Relations", + "description": "Deletes a relation between the incident and related resources" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Get Threat Intelligence", + "description": "Gets Threat Intelligence" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Update Threat Intelligence", + "description": "Updates Threat Intelligence" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Delete Threat Intelligence", + "description": "Deletes Threat Intelligence" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/query/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Query Threat Intelligence", + "description": "Query Threat Intelligence" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/metrics/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Collect Threat Intelligence Metrics", + "description": "Collect Threat Intelligence Metrics" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/bulkDelete/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Bulk Delete Threat Intelligence", + "description": "Bulk Delete Threat Intelligence" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/bulkTag/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Bulk Tags Threat Intelligence", + "description": "Bulk Tags Threat Intelligence" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Update Threat Intelligence Indicators", + "description": "Updates Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Delete Threat Intelligence Indicators", + "description": "Deletes Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/query/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Query Threat Intelligence Indicators", + "description": "Query Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/metrics/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Get Threat Intelligence Indicator Metrics", + "description": "Get Threat Intelligence Indicator Metrics" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/bulkDelete/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Bulk Delete Threat Intelligence Indicators", + "description": "Bulk Delete Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/bulkTag/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Bulk Tags Threat Intelligence Indicators", + "description": "Bulk Tags Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Get Threat Intelligence Indicators", + "description": "Gets Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/metrics/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Collect Threat Intelligence Metrics", + "description": "Collect Threat Intelligence Metrics" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/createIndicator/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Create Threat Intelligence Indicator", + "description": "Create Threat Intelligence Indicator" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/appendTags/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Append tags to Threat Intelligence Indicator", + "description": "Append tags to Threat Intelligence Indicator" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/indicators/replaceTags/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Replace Tags of Threat Intelligence Indicator", + "description": "Replace Tags of Threat Intelligence Indicator" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/threatintelligence/queryIndicators/action", + "display": { + "provider": "Microsoft Security Insights", + "resource": "ThreatIntelligence", + "operation": "Query Threat Intelligence Indicators", + "description": "Query Threat Intelligence Indicators" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Watchlists/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Watchlists", + "operation": "Get Watchlists", + "description": "Gets Watchlists" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Watchlists/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Watchlists", + "operation": "Create Watchlists", + "description": "Create Watchlists" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/Watchlists/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Watchlists", + "operation": "Delete Watchlists", + "description": "Deletes Watchlists" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/onboardingStates/read", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Onboarding States", + "operation": "Get Onboarding States", + "description": "Gets an onboarding state" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/onboardingStates/write", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Onboarding States", + "operation": "Update Onboarding States", + "description": "Updates an onboarding state" + }, + "origin": "user" + }, + { + "name": "Microsoft.SecurityInsights/onboardingStates/delete", + "display": { + "provider": "Microsoft Security Insights", + "resource": "Onboarding States", + "operation": "Delete Onboarding States", + "description": "Deletes an onboarding state" + }, + "origin": "user" + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json new file mode 100644 index 000000000000..725c91fef371 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json @@ -0,0 +1,48 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "recommendationId": "6d4b54eb-8684-4aa3-a156-3aa37b8014bc" + }, + "responses": { + "200": { + "body": { + "recommendationTypeId": "Swagger_Example", + "id": "6d4b54eb-8684-4aa3-a156-3aa37b8014bc", + "priority": "Medium", + "category": "Onboarding", + "context": "None", + "content": { + "title": "someText", + "description": "someText" + }, + "resourceId": "someId", + "recommendationTypeTitle": "someText", + "recommendationTypeDescription": "someText", + "instructions": { + "actionsToBePerformed": "someText", + "recommendationImportance": "someText" + }, + "additionalProperties": { + "someKey": "someValue" + }, + "title": "someText", + "description": "someText", + "workspaceId": "9a7711dc-40de-43b5-bf7e-ba25ec4592f3", + "actions": [ + { + "linkText": "someText", + "linkUrl": "https://www.someuri.com", + "state": "Active" + } + ], + "state": "CompletedByAction", + "hideUntilTimeUtc": "2022-02-19T03:09:03.4888396+00:00", + "displayUntilTimeUtc": "2022-02-19T03:57:31.7964447+00:00", + "lastEvaluatedTimeUtc": "2022-02-19T03:09:03.4888396+00:00" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json new file mode 100644 index 000000000000..1a02c3e12c1d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json @@ -0,0 +1,51 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "recommendationTypeId": "ThreatIntelligence_Example", + "id": "6d4b54eb-8684-4aa3-a156-3aa37b8014bc", + "priority": "Medium", + "category": "Onboarding", + "context": "None", + "content": { + "title": "someText", + "description": "someText" + }, + "resourceId": "someId", + "recommendationTypeTitle": "someText", + "recommendationTypeDescription": "someText", + "instructions": { + "actionsToBePerformed": "someText", + "recommendationImportance": "someText" + }, + "additionalProperties": { + "someKey": "someValue" + }, + "title": "someText", + "description": "someText", + "workspaceId": "9a7711dc-40de-43b5-bf7e-ba25ec4592f3", + "actions": [ + { + "linkText": "someText", + "linkUrl": "https://www.someuri.com", + "state": "Active" + } + ], + "state": "CompletedByAction", + "hideUntilTimeUtc": "2022-02-19T03:09:03.4888396+00:00", + "displayUntilTimeUtc": "2022-02-19T03:57:31.7964447+00:00", + "lastEvaluatedTimeUtc": "2022-02-19T03:09:03.4888396+00:00" + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json new file mode 100644 index 000000000000..b20049002b2e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json @@ -0,0 +1,56 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "recommendationId": "6d4b54eb-8684-4aa3-a156-3aa37b8014bc", + "recommendationPatch": [ + { + "state": "Active" + } + ] + }, + "responses": { + "202": { + "headers": { + "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.SecurityInsights/recommendations/6d4b54eb-8684-4aa3-a156-3aa37b8014bc?api-version=2023-03-01-preview" + }, + "body": { + "recommendationTypeId": "ThreatIntelligence_Example", + "id": "6d4b54eb-8684-4aa3-a156-3aa37b8014bc", + "priority": "Medium", + "category": "Onboarding", + "context": "None", + "content": { + "title": "someText", + "description": "someText" + }, + "resourceId": "someId", + "recommendationTypeTitle": "someText", + "recommendationTypeDescription": "someText", + "instructions": { + "actionsToBePerformed": "someText", + "recommendationImportance": "someText" + }, + "additionalProperties": { + "someKey": "someValue" + }, + "title": "someText", + "description": "someText", + "workspaceId": "9a7711dc-40de-43b5-bf7e-ba25ec4592f3", + "actions": [ + { + "linkText": "someText", + "linkUrl": "https://www.someuri.com", + "state": "Active" + } + ], + "state": "CompletedByUser", + "hideUntilTimeUtc": "2022-02-19T03:09:03.4888396+00:00", + "displayUntilTimeUtc": "2022-02-19T03:57:31.7964447+00:00", + "lastEvaluatedTimeUtc": "2022-02-19T03:09:03.4888396+00:00" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json new file mode 100644 index 000000000000..2ca46c278576 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "repoType": "Github", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "url": "https://api.github.com/repos/user/reponame", + "fullName": "reponame", + "branches": [ + "master", + "develop" + ] + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json new file mode 100644 index 000000000000..b69e9e8c9708 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json @@ -0,0 +1,245 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "settingsResourceName": "f209187f-1d17-4431-94af-c141bf5f23db", + "securityMLAnalyticsSetting": { + "kind": "Anomaly", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "properties": { + "displayName": "Login from unusual region", + "description": "When account logs from a source region that has rarely been logged in from during the last 14 days, an anomaly is triggered.", + "enabled": true, + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1037", + "T1021" + ], + "anomalyVersion": "1.0.5", + "customizableObservations": { + "multiSelectObservations": null, + "singleSelectObservations": [ + { + "supportedValues": [ + "Palo Alto Networks", + "Fortinet", + "Check Point" + ], + "value": [ + "Palo Alto Networks" + ], + "supportedValuesKql": null, + "valuesKql": null, + "name": "Device vendor", + "description": "Select device vendor of network connection logs from CommonSecurityLog", + "sequenceNumber": 1, + "rerun": "RerunAlways" + } + ], + "prioritizeExcludeObservations": null, + "thresholdObservations": [ + { + "minimum": "1", + "maximum": "100", + "value": "25", + "name": "Daily data transfer threshold in MB", + "description": "Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value", + "sequenceNumber": 1, + "rerun": "RerunAlways" + }, + { + "minimum": "2", + "maximum": "10", + "value": "3", + "name": "Number of standard deviations", + "description": "Triggers anomalies when number of standard deviations is greater than the chosen value", + "sequenceNumber": 2, + "rerun": "RerunAlways" + } + ], + "singleValueObservations": null + }, + "frequency": "PT1H", + "settingsStatus": "Production", + "isDefaultSettings": true, + "anomalySettingsVersion": 0, + "settingsDefinitionId": "f209187f-1d17-4431-94af-c141bf5f23db" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/f209187f-1d17-4431-94af-c141bf5f23db", + "name": "f209187f-1d17-4431-94af-c141bf5f23db", + "etag": "\"01005144-0000-0d00-0000-6058632c0000\"", + "kind": "Anomaly", + "type": "Microsoft.SecurityInsights/securityMLAnalyticsSettings", + "properties": { + "displayName": "Login from unusual region", + "description": "When account logs from a source region that has rarely been logged in from during the last 14 days, an anomaly is triggered.", + "enabled": true, + "lastModifiedUtc": "2021-10-20T13:17:11.5340061Z", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1037", + "T1021" + ], + "anomalyVersion": "1.0.5", + "customizableObservations": { + "multiSelectObservations": null, + "singleSelectObservations": [ + { + "supportedValues": [ + "Palo Alto Networks", + "Fortinet", + "Check Point" + ], + "value": [ + "Palo Alto Networks" + ], + "supportedValuesKql": null, + "valuesKql": null, + "name": "Device vendor", + "description": "Select device vendor of network connection logs from CommonSecurityLog", + "sequenceNumber": 1, + "rerun": "RerunAlways" + } + ], + "prioritizeExcludeObservations": null, + "thresholdObservations": [ + { + "minimum": "1", + "maximum": "100", + "value": "25", + "name": "Daily data transfer threshold in MB", + "description": "Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value", + "sequenceNumber": 1, + "rerun": "RerunAlways" + }, + { + "minimum": "2", + "maximum": "10", + "value": "3", + "name": "Number of standard deviations", + "description": "Triggers anomalies when number of standard deviations is greater than the chosen value", + "sequenceNumber": 2, + "rerun": "RerunAlways" + } + ], + "singleValueObservations": null + }, + "frequency": "PT1H", + "settingsStatus": "Production", + "isDefaultSettings": true, + "anomalySettingsVersion": 0, + "settingsDefinitionId": "f209187f-1d17-4431-94af-c141bf5f23db" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/f209187f-1d17-4431-94af-c141bf5f23db", + "name": "f209187f-1d17-4431-94af-c141bf5f23db", + "etag": "\"01007444-0000-0d00-0000-605863a70000\"", + "kind": "Anomaly", + "type": "Microsoft.SecurityInsights/securityMLAnalyticsSettings", + "properties": { + "displayName": "Login from unusual region", + "description": "When account logs from a source region that has rarely been logged in from during the last 14 days, an anomaly is triggered.", + "enabled": true, + "lastModifiedUtc": "2021-10-20T13:17:11.5340061Z", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1037", + "T1021" + ], + "anomalyVersion": "1.0.5", + "customizableObservations": { + "multiSelectObservations": null, + "singleSelectObservations": [ + { + "supportedValues": [ + "Palo Alto Networks", + "Fortinet", + "Check Point" + ], + "value": [ + "Palo Alto Networks" + ], + "supportedValuesKql": null, + "valuesKql": null, + "name": "Device vendor", + "description": "Select device vendor of network connection logs from CommonSecurityLog", + "sequenceNumber": 1, + "rerun": "RerunAlways" + } + ], + "prioritizeExcludeObservations": null, + "thresholdObservations": [ + { + "minimum": "1", + "maximum": "100", + "value": "25", + "name": "Daily data transfer threshold in MB", + "description": "Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value", + "sequenceNumber": 1, + "rerun": "RerunAlways" + }, + { + "minimum": "2", + "maximum": "10", + "value": "3", + "name": "Number of standard deviations", + "description": "Triggers anomalies when number of standard deviations is greater than the chosen value", + "sequenceNumber": 2, + "rerun": "RerunAlways" + } + ], + "singleValueObservations": null + }, + "frequency": "PT1H", + "settingsStatus": "Production", + "isDefaultSettings": true, + "anomalySettingsVersion": 0, + "settingsDefinitionId": "f209187f-1d17-4431-94af-c141bf5f23db" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json new file mode 100644 index 000000000000..0befd7cee988 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "settingsResourceName": "f209187f-1d17-4431-94af-c141bf5f23db" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json new file mode 100644 index 000000000000..644401f55e7e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json @@ -0,0 +1,94 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/f209187f-1d17-4431-94af-c141bf5f23db", + "name": "f209187f-1d17-4431-94af-c141bf5f23db", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/securityMLAnalyticsSettings", + "kind": "Anomaly", + "properties": { + "displayName": "Login from unusual region", + "description": "When account logs from a source region that has rarely been logged in from during the last 14 days, an anomaly is triggered.", + "enabled": true, + "lastModifiedUtc": "2021-10-20T13:13:11.5340061Z", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1037", + "T1021" + ], + "anomalyVersion": "1.0.5", + "customizableObservations": { + "multiSelectObservations": null, + "singleSelectObservations": [ + { + "supportedValues": [ + "Palo Alto Networks", + "Fortinet", + "Check Point" + ], + "value": [ + "Palo Alto Networks" + ], + "supportedValuesKql": null, + "valuesKql": null, + "name": "Device vendor", + "description": "Select device vendor of network connection logs from CommonSecurityLog", + "sequenceNumber": 1, + "rerun": "RerunAlways" + } + ], + "prioritizeExcludeObservations": null, + "thresholdObservations": [ + { + "minimum": "1", + "maximum": "100", + "value": "25", + "name": "Daily data transfer threshold in MB", + "description": "Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value", + "sequenceNumber": 1, + "rerun": "RerunAlways" + }, + { + "minimum": "2", + "maximum": "10", + "value": "3", + "name": "Number of standard deviations", + "description": "Triggers anomalies when number of standard deviations is greater than the chosen value", + "sequenceNumber": 2, + "rerun": "RerunAlways" + } + ], + "singleValueObservations": null + }, + "frequency": "PT1H", + "settingsStatus": "Production", + "isDefaultSettings": true, + "anomalySettingsVersion": 0, + "settingsDefinitionId": "f209187f-1d17-4431-94af-c141bf5f23db" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json new file mode 100644 index 000000000000..0f415bb091df --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json @@ -0,0 +1,91 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "settingsResourceName": "myFirstAnomalySettings" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/securityMLAnalyticsSettings/f209187f-1d17-4431-94af-c141bf5f23db", + "name": "f209187f-1d17-4431-94af-c141bf5f23db", + "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"", + "type": "Microsoft.SecurityInsights/securityMLAnalyticsSettings", + "kind": "Anomaly", + "properties": { + "displayName": "Login from unusual region", + "description": "When account logs from a source region that has rarely been logged in from during the last 14 days, an anomaly is triggered.", + "enabled": true, + "lastModifiedUtc": "2021-10-20T13:13:11.5340061Z", + "requiredDataConnectors": [ + { + "connectorId": "AWS", + "dataTypes": [ + "AWSCloudTrail" + ] + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1037", + "T1021" + ], + "anomalyVersion": "1.0.5", + "customizableObservations": { + "multiSelectObservations": null, + "singleSelectObservations": [ + { + "supportedValues": [ + "Palo Alto Networks", + "Fortinet", + "Check Point" + ], + "value": [ + "Palo Alto Networks" + ], + "supportedValuesKql": null, + "valuesKql": null, + "name": "Device vendor", + "description": "Select device vendor of network connection logs from CommonSecurityLog", + "sequenceNumber": 1, + "rerun": "RerunAlways" + } + ], + "prioritizeExcludeObservations": null, + "thresholdObservations": [ + { + "minimum": "1", + "maximum": "100", + "value": "25", + "name": "Daily data transfer threshold in MB", + "description": "Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value", + "sequenceNumber": 1, + "rerun": "RerunAlways" + }, + { + "minimum": "2", + "maximum": "10", + "value": "3", + "name": "Number of standard deviations", + "description": "Triggers anomalies when number of standard deviations is greater than the chosen value", + "sequenceNumber": 2, + "rerun": "RerunAlways" + } + ], + "singleValueObservations": null + }, + "frequency": "PT1H", + "settingsStatus": "Production", + "isDefaultSettings": true, + "anomalySettingsVersion": 0, + "settingsDefinitionId": "f209187f-1d17-4431-94af-c141bf5f23db" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json new file mode 100644 index 000000000000..b71c262cbe1d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "settingsName": "EyesOn" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json new file mode 100644 index 000000000000..03bfebccf614 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirInt/providers/Microsoft.SecurityInsights/settings/EyesOn", + "name": "EyesOn", + "type": "Microsoft.SecurityInsights/settings", + "kind": "EyesOn", + "properties": { + "isEnabled": true + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json new file mode 100644 index 000000000000..20485861b2aa --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "settingsName": "EyesOn" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirInt/providers/Microsoft.SecurityInsights/settings/EyesOn", + "name": "EyesOn", + "type": "Microsoft.SecurityInsights/settings", + "kind": "EyesOn", + "properties": { + "isEnabled": true + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json new file mode 100644 index 000000000000..ce1e106ca0bc --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json @@ -0,0 +1,28 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "settingsName": "EyesOn", + "settings": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "EyesOn", + "properties": {} + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirInt/providers/Microsoft.SecurityInsights/settings/EyesOn", + "name": "EyesOn", + "type": "Microsoft.SecurityInsights/settings", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "kind": "EyesOn", + "properties": { + "isEnabled": true + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json new file mode 100644 index 000000000000..634316c3177a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json @@ -0,0 +1,168 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "sourceControlId": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "sourceControl": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "My Source Control", + "description": "This is a source control", + "repoType": "Github", + "contentTypes": [ + "AnalyticRules", + "Workbook" + ], + "repository": { + "url": "https://github.com/user/repo", + "branch": "master", + "displayUrl": "https://github.com/user/repo", + "pathMapping": [ + { + "contentType": "AnalyticRules", + "path": "path/to/rules" + }, + { + "contentType": "Workbook", + "path": "path/to/workbooks" + } + ] + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/sourcecontrols/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "version": "V2", + "name": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "type": "Microsoft.SecurityInsights/SourceControls", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "id": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "displayName": "My Source Control", + "description": "this is a source control", + "repoType": "Github", + "contentTypes": [ + "AnalyticRules", + "Workbook" + ], + "repository": { + "url": "https://github.com/user/repo", + "branch": "master", + "displayUrl": "https://github.com/user/repo", + "deploymentLogsUrl": "https://github.com/user/repo/actions", + "pathMapping": [ + { + "contentType": "AnalyticRules", + "path": "path/to/rules" + }, + { + "contentType": "Workbook", + "path": "path/to/workbooks" + } + ] + }, + "repositoryResourceInfo": { + "webhook": { + "webhookId": "342768323", + "webhookUrl": "https://cac.sentinel.azure.com/workspaces/b7c525e9-1bfa-4435-88c0-817e13abb088/webhooks/ado/sourceControl/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "webhookSecretUpdateTime": "2021-01-01T17:18:19.1234567Z" + }, + "gitHubResourceInfo": { + "appInstallationId": "123" + }, + "azureDevOpsResourceInfo": null + }, + "lastDeploymentInfo": { + "deploymentFetchStatus": "Success", + "deployment": { + "deploymentId": "4985046420", + "deploymentState": "Completed", + "deploymentResult": "Success", + "deploymentTime": "2021-01-01T17:18:19.1234567Z", + "deploymentLogsUrl": "https://github.com/user/repo/actions" + }, + "message": "Successful deployment" + } + }, + "systemData": { + "createdBy": "user1", + "createdByType": "User", + "createdAt": "2021-01-01T17:18:19.1234567Z", + "lastModifiedBy": "user2", + "lastModifiedByType": "User", + "lastModifiedAt": "2021-01-02T17:18:19.1234567Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/sourcecontrols/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "version": "V2", + "name": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "type": "Microsoft.SecurityInsights/SourceControls", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "id": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "displayName": "My Source Control", + "description": "this is a source control", + "repoType": "Github", + "contentTypes": [ + "AnalyticRules", + "Workbook" + ], + "repository": { + "url": "https://github.com/user/repo", + "branch": "master", + "displayUrl": "https://github.com/user/repo", + "deploymentLogsUrl": "https://github.com/user/repo/actions", + "pathMapping": [ + { + "contentType": "AnalyticRules", + "path": "path/to/rules" + }, + { + "contentType": "Workbook", + "path": "path/to/workbooks" + } + ] + }, + "repositoryResourceInfo": { + "webhook": { + "webhookId": "342768323", + "webhookUrl": "https://cac.sentinel.azure.com/workspaces/b7c525e9-1bfa-4435-88c0-817e13abb088/webhooks/ado/sourceControl/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "webhookSecretUpdateTime": "2021-01-01T17:18:19.1234567Z" + }, + "gitHubResourceInfo": { + "appInstallationId": "123" + }, + "azureDevOpsResourceInfo": null + }, + "lastDeploymentInfo": { + "deploymentFetchStatus": "Success", + "deployment": { + "deploymentId": "4985046420", + "deploymentState": "Completed", + "deploymentResult": "Success", + "deploymentTime": "2021-01-01T17:18:19.1234567Z", + "deploymentLogsUrl": "https://github.com/user/repo/actions" + }, + "message": "Successful deployment" + } + }, + "systemData": { + "createdBy": "user1", + "createdByType": "User", + "createdAt": "2021-01-01T17:18:19.1234567Z", + "lastModifiedBy": "user2", + "lastModifiedByType": "User", + "lastModifiedAt": "2021-01-02T17:18:19.1234567Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json new file mode 100644 index 000000000000..b64481f4d532 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "sourceControlId": "789e0c1f-4a3d-43ad-809c-e713b677b04a" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json new file mode 100644 index 000000000000..f0f0a9eec82f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json @@ -0,0 +1,76 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "sourceControlId": "789e0c1f-4a3d-43ad-809c-e713b677b04a" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/sourcecontrols/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "version": "V2", + "name": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "type": "Microsoft.SecurityInsights/SourceControls", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "id": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "displayName": "My Source Control", + "description": "this is a source control", + "repoType": "Github", + "contentTypes": [ + "AnalyticRules", + "Workbook" + ], + "repository": { + "url": "https://github.com/user/repo", + "branch": "master", + "displayUrl": "https://github.com/user/repo", + "deploymentLogsUrl": "https://github.com/user/repo/actions", + "pathMapping": [ + { + "contentType": "AnalyticRules", + "path": "path/to/rules" + }, + { + "contentType": "Workbook", + "path": "path/to/workbooks" + } + ] + }, + "repositoryResourceInfo": { + "webhook": { + "webhookId": "342768323", + "webhookUrl": "https://cac.sentinel.azure.com/workspaces/b7c525e9-1bfa-4435-88c0-817e13abb088/webhooks/ado/sourceControl/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "webhookSecretUpdateTime": "2021-01-01T17:18:19.1234567Z" + }, + "gitHubResourceInfo": { + "appInstallationId": "123" + }, + "azureDevOpsResourceInfo": null + }, + "lastDeploymentInfo": { + "deploymentFetchStatus": "Success", + "deployment": { + "deploymentId": "4985046420", + "deploymentState": "Completed", + "deploymentResult": "Success", + "deploymentTime": "2021-01-01T17:18:19.1234567Z", + "deploymentLogsUrl": "https://github.com/user/repo/actions" + }, + "message": "Successful deployment" + } + }, + "systemData": { + "createdBy": "user1", + "createdByType": "User", + "createdAt": "2021-01-01T17:18:19.1234567Z", + "lastModifiedBy": "user2", + "lastModifiedByType": "User", + "lastModifiedAt": "2021-01-02T17:18:19.1234567Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json new file mode 100644 index 000000000000..1fcff1c05936 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json @@ -0,0 +1,79 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/sourcecontrols/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "version": "V2", + "name": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "type": "Microsoft.SecurityInsights/SourceControls", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "id": "789e0c1f-4a3d-43ad-809c-e713b677b04a", + "displayName": "My Source Control", + "description": "this is a source control", + "repoType": "Github", + "contentTypes": [ + "AnalyticRules", + "Workbook" + ], + "repository": { + "url": "https://github.com/user/repo", + "branch": "master", + "displayUrl": "https://github.com/user/repo", + "deploymentLogsUrl": "https://github.com/user/repo/actions", + "pathMapping": [ + { + "contentType": "AnalyticRules", + "path": "path/to/rules" + }, + { + "contentType": "Workbook", + "path": "path/to/workbooks" + } + ] + }, + "repositoryResourceInfo": { + "webhook": { + "webhookId": "342768323", + "webhookUrl": "https://cac.sentinel.azure.com/workspaces/b7c525e9-1bfa-4435-88c0-817e13abb088/webhooks/ado/sourceControl/789e0c1f-4a3d-43ad-809c-e713b677b04a", + "webhookSecretUpdateTime": "2021-01-01T17:18:19.1234567Z" + }, + "gitHubResourceInfo": { + "appInstallationId": "123" + }, + "azureDevOpsResourceInfo": null + }, + "lastDeploymentInfo": { + "deploymentFetchStatus": "Success", + "deployment": { + "deploymentId": "4985046420", + "deploymentState": "Completed", + "deploymentResult": "Success", + "deploymentTime": "2021-01-01T17:18:19.1234567Z", + "deploymentLogsUrl": "https://github.com/user/repo/actions" + }, + "message": "Successful deployment" + } + }, + "systemData": { + "createdBy": "user1", + "createdByType": "User", + "createdAt": "2021-01-01T17:18:19.1234567Z", + "lastModifiedBy": "user2", + "lastModifiedByType": "User", + "lastModifiedAt": "2021-01-02T17:18:19.1234567Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json new file mode 100644 index 000000000000..ab59f760545e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json @@ -0,0 +1,18 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93", + "ThreatIntelligenceAppendTags": { + "threatIntelligenceTags": [ + "tag1", + "tag2" + ] + } + }, + "responses": { + "200": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json new file mode 100644 index 000000000000..08575d0631e3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "properties": { + "lastUpdatedTimeUtc": "2021-09-01T19:44:44.117403Z", + "threatTypeMetrics": [ + { + "metricName": "compromised", + "metricValue": 20 + } + ], + "patternTypeMetrics": [ + { + "metricName": "url", + "metricValue": 20 + } + ], + "sourceMetrics": [ + { + "metricName": "Azure Sentinel", + "metricValue": 10315 + }, + { + "metricName": "zinga", + "metricValue": 2 + } + ] + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json new file mode 100644 index 000000000000..6bbfd6957dde --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json @@ -0,0 +1,100 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ThreatIntelligenceProperties": { + "kind": "indicator", + "properties": { + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema", + "confidence": 78, + "createdByRef": "contoso@contoso.com", + "description": "debugging indicators", + "externalReferences": [], + "granularMarkings": [], + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "labels": [], + "modified": "", + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "revoked": false, + "validFrom": "2021-09-15T17:44:00.114052Z", + "validUntil": "" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "etag": "\"0000322c-0000-0800-0000-5e976c960000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-09-15T20:20:38.6160949Z", + "createdByRef": "contoso@contoso.com", + "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-09-15T17:44:00.114052Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "etag": "\"0000322c-0000-0800-0000-5e976c960000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-09-15T20:20:38.6160949Z", + "createdByRef": "aztestConnectors@contoso.com", + "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-09-15T20:20:38.6161887Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-09-15T17:44:00.114052Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json new file mode 100644 index 000000000000..4be35436670f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json new file mode 100644 index 000000000000..af23907e7f5c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json @@ -0,0 +1,76 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8", + "name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8", + "etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 90, + "created": "2021-04-15T20:11:57.9666134Z", + "createdByRef": "contoso@contoso.com", + "externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-04-15T20:15:11.0746926Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema 2", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + }, + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-04-15T19:51:17.1050923Z", + "createdByRef": "contoso@contoso.com", + "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-04-15T20:15:11.074903Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "patching tags" + ], + "displayName": "updated indicator", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json new file mode 100644 index 000000000000..727108eaa2f5 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-04-15T19:51:17.1050923Z", + "createdByRef": "aztestConnectors@dataconnector.ccsctp.net", + "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-04-15T20:18:49.2259902Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "patching tags" + ], + "displayName": "updated indicator", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://abc.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json new file mode 100644 index 000000000000..edf5669517b9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json @@ -0,0 +1,107 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ThreatIntelligenceFilteringCriteria": { + "pageSize": 100, + "minConfidence": 25, + "maxConfidence": 80, + "minValidUntil": "2021-04-05T17:44:00.114052Z", + "maxValidUntil": "2021-04-25T17:44:00.114052Z", + "sources": [ + "Azure Sentinel" + ], + "sortBy": [ + { + "itemKey": "lastUpdatedTimeUtc", + "sortOrder": "descending" + } + ] + } + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8", + "name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8", + "etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 90, + "created": "2021-04-15T20:11:57.9666134Z", + "createdByRef": "contoso@contoso.com", + "externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema 2", + "description": "debugging indicators 2", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z", + "parsedPattern": [ + { + "patternTypeKey": "network-traffic", + "patternTypeValues": [ + { + "valueType": "0", + "value": "SSH-2.0-PuTTY_Release_0.64" + }, + { + "valueType": "1", + "value": "194.88.106.146" + } + ] + } + ] + } + }, + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-04-15T19:51:17.1050923Z", + "createdByRef": "contoso@contoso.com", + "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-04-15T20:15:11.074903Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "patching tags" + ], + "displayName": "updated indicator", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json new file mode 100644 index 000000000000..b89bbc8e7309 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json @@ -0,0 +1,52 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93", + "ThreatIntelligenceReplaceTags": { + "etag": "\"0000262c-0000-0800-0000-5e9767060000\"", + "kind": "indicator", + "properties": { + "threatIntelligenceTags": [ + "patching tags" + ] + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47", + "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-04-15T19:51:17.1050923Z", + "createdByRef": "aztestConnectors@dataconnector.ccsctp.net", + "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-04-15T19:56:08.828946Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "patching tags" + ], + "displayName": "updated indicator", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://abc.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json new file mode 100644 index 000000000000..6116b1a59e1d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json @@ -0,0 +1,101 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93", + "ThreatIntelligenceProperties": { + "kind": "indicator", + "properties": { + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema", + "confidence": 78, + "createdByRef": "contoso@contoso.com", + "description": "debugging indicators", + "externalReferences": [], + "granularMarkings": [], + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "labels": [], + "modified": "", + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "revoked": false, + "validFrom": "2020-04-15T17:44:00.114052Z", + "validUntil": "" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "etag": "\"0000322c-0000-0800-0000-5e976c960000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-04-15T20:20:38.6160949Z", + "createdByRef": "contoso@contoso.com", + "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6", + "etag": "\"0000322c-0000-0800-0000-5e976c960000\"", + "type": "Microsoft.SecurityInsights/ThreatIntelligence", + "kind": "indicator", + "properties": { + "confidence": 78, + "created": "2021-04-15T20:20:38.6160949Z", + "createdByRef": "aztestConnectors@contoso.com", + "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7", + "externalReferences": [], + "granularMarkings": [], + "lastUpdatedTimeUtc": "2021-04-15T20:20:38.6161887Z", + "revoked": false, + "source": "Azure Sentinel", + "threatIntelligenceTags": [ + "new schema" + ], + "displayName": "new schema", + "description": "debugging indicators", + "threatTypes": [ + "compromised" + ], + "killChainPhases": [], + "pattern": "[url:value = 'https://www.contoso.com']", + "patternType": "url", + "validFrom": "2021-04-15T17:44:00.114052Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json new file mode 100644 index 000000000000..d3f2fc0ed83f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json @@ -0,0 +1,23 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleId": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "analyticsRuleRunTriggerParameter": { + "properties": { + "executionTimeUtc": "2022-12-22T15:37:03.074Z" + } + } + }, + "responses": { + "202": { + "headers": { + "Code": "202", + "Message": "Accepted", + "Location": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/5abbc58b-9655-4f9b-80ac-5a576753e4ec?api-version=2023-03-01-preview" + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json new file mode 100644 index 000000000000..6f8e46123beb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "ruleRunId": "65360bb0-8986-4ade-a89d-af3cf44d28aa" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/65360bb0-8986-4ade-a89d-af3cf44d28aa", + "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "type": "Microsoft.SecurityInsights/TriggeredAnalyticsRuleRuns", + "properties": { + "executionTimeUtc": "2022-12-22T15:37:03.074Z", + "ruleId": "358e16da-ab76-4027-89e1-15937a6ed401", + "triggeredAnalyticsRuleRunId": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "provisioningState": "InProgress", + "ruleRunAdditionalData": { + "auditCorrelationId": "b8540a76-cb05-4a9b-8d52-9959b509e4ad", + "createdBy": "user@microsoft.com", + "healthCorrelationId": "dadd8fdc-fc7a-4005-a289-4e164cb75093" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json new file mode 100644 index 000000000000..4a5d1643e081 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json @@ -0,0 +1,48 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/65360bb0-8986-4ade-a89d-af3cf44d28aa", + "name": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "type": "Microsoft.SecurityInsights/TriggeredAnalyticsRuleRuns", + "properties": { + "executionTimeUtc": "2022-12-22T15:37:03.074Z", + "ruleId": "358e16da-ab76-4027-89e1-15937a6ed401", + "triggeredAnalyticsRuleRunId": "65360bb0-8986-4ade-a89d-af3cf44d28aa", + "provisioningState": "InProgress", + "ruleRunAdditionalData": { + "auditCorrelationId": "b8540a76-cb05-4a9b-8d52-9959b509e4ad", + "createdBy": "user@microsoft.com", + "healthCorrelationId": "dadd8fdc-fc7a-4005-a289-4e164cb75093" + } + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/1f62ea0f-2d25-4b65-bd4d-bb9114bcbd9c", + "name": "1f62ea0f-2d25-4b65-bd4d-bb9114bcbd9c", + "type": "Microsoft.SecurityInsights/TriggeredAnalyticsRuleRuns", + "properties": { + "executionTimeUtc": "2022-12-20T15:37:03.074Z", + "ruleId": "358e16da-ab76-4027-89e1-15937a6ed401", + "triggeredAnalyticsRuleRunId": "1f62ea0f-2d25-4b65-bd4d-bb9114bcbd9c", + "provisioningState": "Succeeded", + "ruleRunAdditionalData": { + "auditCorrelationId": "763f9dae-1027-44b9-a34a-589404693670", + "createdBy": "user2@microsoft.com", + "healthCorrelationId": "b3c165ec-f53e-48c1-9677-216d9e930912" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json new file mode 100644 index 000000000000..dd402e372970 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json @@ -0,0 +1,88 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "watchlistAlias": "highValueAsset", + "watchlist": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "High Value Assets Watchlist", + "source": "watchlist.csv", + "sourceType": "Local file", + "provider": "Microsoft", + "description": "Watchlist from CSV content", + "itemsSearchKey": "header1" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "watchlist.csv", + "sourceType": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "watchlist.csv", + "sourceType": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json new file mode 100644 index 000000000000..64afe3381014 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json @@ -0,0 +1,92 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlist": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "High Value Assets Watchlist", + "source": "watchlist.csv", + "sourceType": "Local file", + "provider": "Microsoft", + "description": "Watchlist from CSV content", + "numberOfLinesToSkip": 1, + "rawContent": "This line will be skipped\nheader1,header2\nvalue1,value2", + "itemsSearchKey": "header1", + "contentType": "text/csv" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "watchlist.csv", + "sourceType": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "watchlist.csv", + "sourceType": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json new file mode 100644 index 000000000000..a7fcc52625ec --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json @@ -0,0 +1,92 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842", + "watchlistItem": { + "etag": "0300bf09-0000-0000-0000-5c37296e0000", + "properties": { + "itemsKeyValue": { + "Gateway subnet": "10.0.255.224/27", + "Web Tier": "10.0.1.0/24", + "Business tier": "10.0.2.0/24", + "Data tier": "10.0.2.0/24", + "Private DMZ in": "10.0.0.0/27", + "Public DMZ out": "10.0.0.96/27" + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/82ba292c-dc97-4dfc-969d-d4dd9e666842", + "etag": "0300bf09-0000-0000-0000-5c37296e0000", + "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems", + "properties": { + "watchlistItemType": "watchlist-item", + "watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842", + "tenantId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea", + "isDeleted": false, + "created": "2020-11-15T04:58:56.0748363+00:00", + "updated": "2020-11-16T16:05:20+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "itemsKeyValue": { + "Gateway subnet": "10.0.255.224/27", + "Web Tier": "10.0.1.0/24", + "Business tier": "10.0.2.0/24", + "Data tier": "10.0.2.0/24", + "Private DMZ in": "10.0.0.0/27", + "Public DMZ out": "10.0.0.96/27" + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/82ba292c-dc97-4dfc-969d-d4dd9e666842", + "etag": "0300bf09-0000-0000-0000-5c37296e0000", + "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems", + "properties": { + "watchlistItemType": "watchlist-item", + "watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842", + "tenantId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea", + "isDeleted": false, + "created": "2020-11-15T04:58:56.0748363+00:00", + "updated": "2020-11-16T16:05:20+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "itemsKeyValue": { + "Gateway subnet": "10.0.255.224/27", + "Web Tier": "10.0.1.0/24", + "Business tier": "10.0.2.0/24", + "Data tier": "10.0.2.0/24", + "Private DMZ in": "10.0.0.0/27", + "Public DMZ out": "10.0.0.96/27" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json new file mode 100644 index 000000000000..0894cae18891 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json @@ -0,0 +1,18 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset" + }, + "responses": { + "200": { + "headers": { + "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.SecurityInsights/watchlists/1011-01/watchlistStatuses/00000000-0000-0000-0000-000000000000?api-version=2023-03-01-preview" + } + }, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json new file mode 100644 index 000000000000..afed679969e2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json @@ -0,0 +1,15 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlistItemId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json new file mode 100644 index 000000000000..1804596fc587 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json @@ -0,0 +1,50 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "type": "Microsoft.SecurityInsights/Watchlists", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "watchlist.csv", + "sourceType": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "labels": [ + "Tag1", + "Tag2" + ], + "defaultDuration": "P1279DT12H30M5S", + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json new file mode 100644 index 000000000000..ed94bced0278 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json @@ -0,0 +1,47 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlistItemId": "3f8901fe-63d9-4875-9ad5-9fb3b8105797" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/fd37d325-7090-47fe-851a-5b5a00c3f576", + "name": "fd37d325-7090-47fe-851a-5b5a00c3f576", + "etag": "\"f2089bfa-0000-0d00-0000-601c58b42021\"", + "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems", + "properties": { + "watchlistItemType": "watchlist-item", + "watchlistItemId": "fd37d325-7090-47fe-851a-5b5a00c3f576", + "tenantId": "3f8901fe-63d9-4875-9ad5-9fb3b8105797", + "isDeleted": false, + "created": "2021-02-04T12:27:32.3783333-08:00", + "updated": "2021-02-04T12:27:32.3783333-08:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "itemsKeyValue": { + "Header-1": "v1_1", + "Header-2": "v1_2", + "Header-3": "v1_3", + "Header-4": "v1_4", + "Header-5": "v1_5" + }, + "entityMapping": {} + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json new file mode 100644 index 000000000000..d851487e7b6c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json @@ -0,0 +1,50 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/fd37d325-7090-47fe-851a-5b5a00c3f576", + "name": "fd37d325-7090-47fe-851a-5b5a00c3f576", + "etag": "\"f2089bfa-0000-0d00-0000-601c58b42021\"", + "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems", + "properties": { + "watchlistItemType": "watchlist-item", + "watchlistItemId": "fd37d325-7090-47fe-851a-5b5a00c3f576", + "tenantId": "3f8901fe-63d9-4875-9ad5-9fb3b8105797", + "isDeleted": false, + "created": "2021-02-04T12:27:32.3783333-08:00", + "updated": "2021-02-04T12:27:32.3783333-08:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "itemsKeyValue": { + "Header-1": "v1_1", + "Header-2": "v1_2", + "Header-3": "v1_3", + "Header-4": "v1_4", + "Header-5": "v1_5" + }, + "entityMapping": {} + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json new file mode 100644 index 000000000000..77a258fa7f10 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json @@ -0,0 +1,53 @@ +{ + "parameters": { + "api-version": "2023-03-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "type": "Microsoft.SecurityInsights/Watchlists", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "watchlist.csv", + "sourceType": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "labels": [ + "Tag1", + "Tag2" + ], + "defaultDuration": "P1279DT12H30M5S", + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json new file mode 100644 index 000000000000..837f7274dcc4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json @@ -0,0 +1,138 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-03-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/providers/Microsoft.SecurityInsights/operations": { + "get": { + "x-ms-examples": { + "Get all operations.": { + "$ref": "./examples/operations/ListOperations.json" + } + }, + "operationId": "Operations_List", + "description": "Lists all operations available Azure Security Insights Resource Provider.", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + } + ], + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "OK. Successfully retrieved operations list.", + "schema": { + "$ref": "#/definitions/OperationsList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + } + }, + "definitions": { + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string", + "readOnly": true + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "Operation": { + "description": "Operation provided by provider", + "properties": { + "display": { + "description": "Properties of the operation", + "properties": { + "description": { + "description": "Description of the operation", + "type": "string" + }, + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "Name of the operation", + "type": "string" + }, + "origin": { + "description": "The origin of the operation", + "type": "string" + }, + "isDataAction": { + "description": "Indicates whether the operation is a data action", + "type": "boolean" + } + }, + "type": "object" + } + }, + "parameters": {} +} From 43a193c811830e8dd89687861b12f9fdb59c144a Mon Sep 17 00:00:00 2001 From: Samuel Kuang Date: Wed, 15 Mar 2023 17:19:48 -0700 Subject: [PATCH 02/14] Updates readme --- .../resource-manager/readme.md | 36 +++++++++++++++++-- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index f0e8daa91048..198f37f944de 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -26,15 +26,45 @@ These are the global settings for the SecurityInsights API. ``` yaml openapi-type: arm -tag: package-preview-2023-03 +tag: package-preview-2023-04 ``` + --- + +### Tag: package-preview-2023-04 + +These settings apply only when `--tag=package-preview-2023-04` is specified on the command line. + +```yaml $(tag) == 'package-preview-2023-04' +input-file: + - Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json +``` ### Tag: package-preview-2023-03 These settings apply only when `--tag=package-preview-2023-03` is specified on the command line. -```yaml $(tag) == 'package-preview-2023-03' +``` yaml $(tag) == 'package-preview-2023-03' input-file: - Microsoft.SecurityInsights/preview/2023-03-01-preview/AlertRules.json - Microsoft.SecurityInsights/preview/2023-03-01-preview/AutomationRules.json @@ -63,7 +93,7 @@ input-file: These settings apply only when `--tag=package-2023-02` is specified on the command line. -```yaml $(tag) == 'package-2023-02' +``` yaml $(tag) == 'package-2023-02' input-file: - Microsoft.SecurityInsights/stable/2023-02-01/AlertRules.json - Microsoft.SecurityInsights/stable/2023-02-01/AutomationRules.json From 74dba76db847c793f6b731cdd8722c40db3ac841 Mon Sep 17 00:00:00 2001 From: Samuel Kuang Date: Wed, 15 Mar 2023 17:19:53 -0700 Subject: [PATCH 03/14] Updates API version in new specs and examples --- .../preview/2023-04-01-preview/AlertRules.json | 2 +- .../preview/2023-04-01-preview/AutomationRules.json | 2 +- .../preview/2023-04-01-preview/Bookmarks.json | 2 +- .../preview/2023-04-01-preview/Enrichment.json | 2 +- .../preview/2023-04-01-preview/Entities.json | 2 +- .../preview/2023-04-01-preview/EntityQueries.json | 2 +- .../preview/2023-04-01-preview/EntityQueryTemplates.json | 2 +- .../preview/2023-04-01-preview/FileImports.json | 2 +- .../preview/2023-04-01-preview/Incidents.json | 2 +- .../preview/2023-04-01-preview/Metadata.json | 2 +- .../preview/2023-04-01-preview/OfficeConsents.json | 2 +- .../preview/2023-04-01-preview/OnboardingStates.json | 2 +- .../preview/2023-04-01-preview/Recommendations.json | 2 +- .../2023-04-01-preview/SecurityMLAnalyticsSettings.json | 2 +- .../preview/2023-04-01-preview/Settings.json | 2 +- .../preview/2023-04-01-preview/SourceControls.json | 2 +- .../preview/2023-04-01-preview/ThreatIntelligence.json | 2 +- .../2023-04-01-preview/TriggeredAnalyticsRuleRuns.json | 2 +- .../preview/2023-04-01-preview/Watchlists.json | 2 +- .../preview/2023-04-01-preview/common/AlertTypes.json | 2 +- .../preview/2023-04-01-preview/common/EntityTypes.json | 2 +- .../preview/2023-04-01-preview/common/IncidentTypes.json | 2 +- .../preview/2023-04-01-preview/common/RelationTypes.json | 2 +- .../2023-04-01-preview/common/ThreatIntelligenceTypes.json | 2 +- .../preview/2023-04-01-preview/dataConnectors.json | 2 +- .../examples/actions/CreateActionOfAlertRule.json | 2 +- .../examples/actions/DeleteActionOfAlertRule.json | 2 +- .../examples/actions/GetActionOfAlertRuleById.json | 2 +- .../examples/actions/GetAllActionsByAlertRule.json | 2 +- .../examples/alertRuleTemplates/GetAlertRuleTemplateById.json | 2 +- .../examples/alertRuleTemplates/GetAlertRuleTemplates.json | 2 +- .../examples/alertRules/CreateFusionAlertRule.json | 2 +- .../CreateFusionAlertRuleWithFusionScenarioExclusion.json | 2 +- .../CreateMicrosoftSecurityIncidentCreationAlertRule.json | 2 +- .../examples/alertRules/CreateNrtAlertRule.json | 2 +- .../examples/alertRules/CreateScheduledAlertRule.json | 2 +- .../examples/alertRules/DeleteAlertRule.json | 2 +- .../examples/alertRules/GetAllAlertRules.json | 2 +- .../examples/alertRules/GetFusionAlertRule.json | 2 +- .../GetMicrosoftSecurityIncidentCreationAlertRule.json | 2 +- .../examples/alertRules/GetNrtAlertRule.json | 2 +- .../examples/alertRules/GetScheduledAlertRule.json | 2 +- .../automationRules/AutomationRules_CreateOrUpdate.json | 2 +- .../examples/automationRules/AutomationRules_Delete.json | 2 +- .../examples/automationRules/AutomationRules_Get.json | 2 +- .../examples/automationRules/AutomationRules_List.json | 2 +- .../2023-04-01-preview/examples/bookmarks/CreateBookmark.json | 2 +- .../2023-04-01-preview/examples/bookmarks/DeleteBookmark.json | 2 +- .../examples/bookmarks/GetBookmarkById.json | 2 +- .../2023-04-01-preview/examples/bookmarks/GetBookmarks.json | 2 +- .../examples/bookmarks/expand/PostExpandBookmark.json | 2 +- .../examples/bookmarks/relations/CreateBookmarkRelation.json | 2 +- .../examples/bookmarks/relations/DeleteBookmarkRelation.json | 2 +- .../examples/bookmarks/relations/GetAllBookmarkRelations.json | 2 +- .../bookmarks/relations/GetBookmarkRelationByName.json | 2 +- .../dataConnectors/CheckRequirementsAzureActiveDirectory.json | 2 +- .../CheckRequirementsAzureActiveDirectoryNoAuthorization.json | 2 +- .../CheckRequirementsAzureActiveDirectoryNoLicense.json | 2 +- .../dataConnectors/CheckRequirementsAzureSecurityCenter.json | 2 +- .../examples/dataConnectors/CheckRequirementsDynamics365.json | 2 +- .../examples/dataConnectors/CheckRequirementsIoT.json | 2 +- .../examples/dataConnectors/CheckRequirementsMdatp.json | 2 +- .../CheckRequirementsMicrosoftCloudAppSecurity.json | 2 +- ...heckRequirementsMicrosoftPurviewInformationProtection.json | 2 +- .../CheckRequirementsMicrosoftThreatIntelligence.json | 2 +- .../CheckRequirementsMicrosoftThreatProtection.json | 2 +- .../dataConnectors/CheckRequirementsOffice365Project.json | 2 +- .../examples/dataConnectors/CheckRequirementsOfficeATP.json | 2 +- .../examples/dataConnectors/CheckRequirementsOfficeIRM.json | 2 +- .../dataConnectors/CheckRequirementsOfficePowerBI.json | 2 +- .../dataConnectors/CheckRequirementsThreatIntelligence.json | 2 +- .../CheckRequirementsThreatIntelligenceTaxii.json | 2 +- .../examples/dataConnectors/ConnectAPIPolling.json | 2 +- .../examples/dataConnectors/ConnectAPIPollingV2Logs.json | 2 +- .../examples/dataConnectors/CreateAPIPolling.json | 2 +- .../dataConnectors/CreateDynamics365DataConnetor.json | 2 +- .../examples/dataConnectors/CreateGenericUI.json | 2 +- ...eateMicrosoftPurviewInformationProtectionDataConnetor.json | 2 +- .../CreateMicrosoftThreatIntelligenceDataConnector.json | 2 +- .../CreateMicrosoftThreatProtectionDataConnetor.json | 2 +- .../dataConnectors/CreateOffice365ProjectDataConnetor.json | 2 +- .../examples/dataConnectors/CreateOfficeDataConnetor.json | 2 +- .../dataConnectors/CreateOfficePowerBIDataConnector.json | 2 +- .../dataConnectors/CreateThreatIntelligenceDataConnector.json | 2 +- .../CreateThreatIntelligenceTaxiiDataConnector.json | 2 +- .../examples/dataConnectors/DeleteAPIPolling.json | 2 +- .../examples/dataConnectors/DeleteGenericUI.json | 2 +- ...leteMicrosoftPurviewInformationProtectionDataConnetor.json | 2 +- .../DeleteMicrosoftThreatIntelligenceDataConnector.json | 2 +- .../dataConnectors/DeleteOffice365ProjectDataConnetor.json | 2 +- .../examples/dataConnectors/DeleteOfficeDataConnetor.json | 2 +- .../dataConnectors/DeleteOfficePowerBIDataConnetor.json | 2 +- .../examples/dataConnectors/DisconnectAPIPolling.json | 2 +- .../examples/dataConnectors/GetAPIPolling.json | 2 +- .../dataConnectors/GetAmazonWebServicesCloudTrailById.json | 2 +- .../examples/dataConnectors/GetAmazonWebServicesS3ById.json | 2 +- .../examples/dataConnectors/GetAzureActiveDirectoryById.json | 2 +- .../dataConnectors/GetAzureAdvancedThreatProtectionById.json | 2 +- .../examples/dataConnectors/GetAzureSecurityCenterById.json | 2 +- .../examples/dataConnectors/GetDataConnectors.json | 2 +- .../dataConnectors/GetDynamics365DataConnectorById.json | 2 +- .../examples/dataConnectors/GetGenericUI.json | 2 +- .../examples/dataConnectors/GetIoTById.json | 2 +- .../dataConnectors/GetMicrosoftCloudAppSecurityById.json | 2 +- .../GetMicrosoftDefenderAdvancedThreatProtectionById.json | 2 +- .../dataConnectors/GetMicrosoftInsiderRiskManagementById.json | 2 +- ...MicrosoftPurviewInformationProtectionDataConnetorById.json | 2 +- .../dataConnectors/GetMicrosoftThreatIntelligenceById.json | 2 +- .../dataConnectors/GetMicrosoftThreatProtectionById.json | 2 +- .../GetOffice365AdvancedThreatProtectionById.json | 2 +- .../dataConnectors/GetOffice365ProjectDataConnetorById.json | 2 +- .../examples/dataConnectors/GetOfficeDataConnetorById.json | 2 +- .../dataConnectors/GetOfficePowerBIDataConnetorById.json | 2 +- .../examples/dataConnectors/GetThreatIntelligenceById.json | 2 +- .../dataConnectors/GetThreatIntelligenceTaxiiById.json | 2 +- .../examples/enrichment/GetGeodataByIp.json | 2 +- .../examples/enrichment/GetWhoisByDomainName.json | 2 +- .../examples/entities/GetAccountEntityById.json | 2 +- .../examples/entities/GetAzureResourceEntityById.json | 2 +- .../examples/entities/GetCloudApplicationEntityById.json | 2 +- .../examples/entities/GetDnsEntityById.json | 2 +- .../2023-04-01-preview/examples/entities/GetEntities.json | 2 +- .../examples/entities/GetFileEntityById.json | 2 +- .../examples/entities/GetFileHashEntityById.json | 2 +- .../examples/entities/GetHostEntityById.json | 2 +- .../examples/entities/GetIoTDeviceEntityById.json | 2 +- .../2023-04-01-preview/examples/entities/GetIpEntityById.json | 2 +- .../examples/entities/GetMailClusterEntityById.json | 2 +- .../examples/entities/GetMailMessageEntityById.json | 2 +- .../examples/entities/GetMailboxEntityById.json | 2 +- .../examples/entities/GetMalwareEntityById.json | 2 +- .../examples/entities/GetProcessEntityById.json | 2 +- .../2023-04-01-preview/examples/entities/GetQueries.json | 2 +- .../examples/entities/GetRegistryKeyEntityById.json | 2 +- .../examples/entities/GetRegistryValueEntityById.json | 2 +- .../examples/entities/GetSecurityAlertEntityById.json | 2 +- .../examples/entities/GetSecurityGroupEntityById.json | 2 +- .../examples/entities/GetSubmissionMailEntityById.json | 2 +- .../examples/entities/GetUrlEntityById.json | 2 +- .../examples/entities/expand/PostExpandEntity.json | 2 +- .../examples/entities/insights/PostGetInsights.json | 2 +- .../examples/entities/relations/GetAllEntityRelations.json | 2 +- .../examples/entities/relations/GetEntityRelationByName.json | 2 +- .../examples/entities/timeline/PostTimelineEntity.json | 2 +- .../examples/entityQueries/CreateEntityQueryActivity.json | 2 +- .../examples/entityQueries/DeleteEntityQuery.json | 2 +- .../examples/entityQueries/GetActivityEntityQueryById.json | 2 +- .../examples/entityQueries/GetEntityQueries.json | 2 +- .../examples/entityQueries/GetExpansionEntityQueryById.json | 2 +- .../GetActivityEntityQueryTemplateById.json | 2 +- .../entityQueryTemplates/GetEntityQueryTemplates.json | 2 +- .../examples/fileImports/CreateFileImport.json | 2 +- .../examples/fileImports/DeleteFileImport.json | 2 +- .../examples/fileImports/GetFileImportById.json | 2 +- .../examples/fileImports/GetFileImports.json | 2 +- .../incidents/IncidentAlerts/Incidents_ListAlerts.json | 2 +- .../incidents/IncidentBookmarks/Incidents_ListBookmarks.json | 2 +- .../IncidentComments/IncidentComments_CreateOrUpdate.json | 2 +- .../incidents/IncidentComments/IncidentComments_Delete.json | 2 +- .../incidents/IncidentComments/IncidentComments_Get.json | 2 +- .../incidents/IncidentComments/IncidentComments_List.json | 2 +- .../incidents/IncidentEntities/Incidents_ListEntities.json | 2 +- .../incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json | 2 +- .../incidents/IncidentTasks/IncidentTasks_Delete.json | 2 +- .../examples/incidents/IncidentTasks/IncidentTasks_Get.json | 2 +- .../examples/incidents/IncidentTasks/IncidentTasks_List.json | 2 +- .../examples/incidents/IncidentTeam/Incidents_CreateTeam.json | 2 +- .../examples/incidents/Incidents_CreateOrUpdate.json | 2 +- .../examples/incidents/Incidents_Delete.json | 2 +- .../2023-04-01-preview/examples/incidents/Incidents_Get.json | 2 +- .../2023-04-01-preview/examples/incidents/Incidents_List.json | 2 +- .../examples/incidents/relations/CreateIncidentRelation.json | 2 +- .../examples/incidents/relations/DeleteIncidentRelation.json | 2 +- .../examples/incidents/relations/GetAllIncidentRelations.json | 2 +- .../incidents/relations/GetIncidentRelationByName.json | 2 +- .../examples/manualTrigger/Entities_RunPlaybook.json | 2 +- .../examples/manualTrigger/Incidents_RunPlaybook.json | 2 +- .../2023-04-01-preview/examples/metadata/DeleteMetadata.json | 2 +- .../2023-04-01-preview/examples/metadata/GetAllMetadata.json | 2 +- .../examples/metadata/GetAllMetadataOData.json | 2 +- .../2023-04-01-preview/examples/metadata/GetMetadata.json | 2 +- .../2023-04-01-preview/examples/metadata/PatchMetadata.json | 2 +- .../2023-04-01-preview/examples/metadata/PutMetadata.json | 2 +- .../examples/metadata/PutMetadataMinimal.json | 2 +- .../examples/officeConsents/DeleteOfficeConsents.json | 2 +- .../examples/officeConsents/GetOfficeConsents.json | 2 +- .../examples/officeConsents/GetOfficeConsentsById.json | 2 +- .../onboardingStates/CreateSentinelOnboardingState.json | 2 +- .../onboardingStates/DeleteSentinelOnboardingState.json | 2 +- .../onboardingStates/GetAllSentinelOnboardingStates.json | 2 +- .../examples/onboardingStates/GetSentinelOnboardingState.json | 2 +- .../examples/operations/ListOperations.json | 2 +- .../examples/recommendations/GetRecommendation.json | 2 +- .../examples/recommendations/GetRecommendations.json | 2 +- .../examples/recommendations/PatchRecommendation.json | 4 ++-- .../examples/repositories/GetRepositories.json | 2 +- .../CreateAnomalySecurityMLAnalyticsSetting.json | 2 +- .../DeleteSecurityMLAnalyticsSetting.json | 2 +- .../GetAllSecurityMLAnalyticsSettings.json | 2 +- .../GetAnomalySecurityMLAnalyticsSetting.json | 2 +- .../examples/settings/DeleteEyesOnSetting.json | 2 +- .../2023-04-01-preview/examples/settings/GetAllSettings.json | 2 +- .../examples/settings/GetEyesOnSetting.json | 2 +- .../examples/settings/UpdateEyesOnSetting.json | 2 +- .../examples/sourcecontrols/CreateSourceControl.json | 2 +- .../examples/sourcecontrols/DeleteSourceControl.json | 2 +- .../examples/sourcecontrols/GetSourceControlById.json | 2 +- .../examples/sourcecontrols/GetSourceControls.json | 2 +- .../threatintelligence/AppendTagsThreatIntelligence.json | 2 +- .../threatintelligence/CollectThreatIntelligenceMetrics.json | 2 +- .../examples/threatintelligence/CreateThreatIntelligence.json | 2 +- .../examples/threatintelligence/DeleteThreatIntelligence.json | 2 +- .../examples/threatintelligence/GetThreatIntelligence.json | 2 +- .../threatintelligence/GetThreatIntelligenceById.json | 2 +- .../examples/threatintelligence/QueryThreatIntelligence.json | 2 +- .../threatintelligence/ReplaceTagsThreatIntelligence.json | 2 +- .../examples/threatintelligence/UpdateThreatIntelligence.json | 2 +- .../triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json | 4 ++-- .../triggeredAnalyticsRuleRun_Get.json | 2 +- .../triggeredAnalyticsRuleRuns_Get.json | 2 +- .../examples/watchlists/CreateWatchlist.json | 2 +- .../examples/watchlists/CreateWatchlistAndWatchlistItems.json | 2 +- .../examples/watchlists/CreateWatchlistItem.json | 2 +- .../examples/watchlists/DeleteWatchlist.json | 4 ++-- .../examples/watchlists/DeleteWatchlistItem.json | 2 +- .../examples/watchlists/GetWatchlistByAlias.json | 2 +- .../examples/watchlists/GetWatchlistItemById.json | 2 +- .../examples/watchlists/GetWatchlistItems.json | 2 +- .../2023-04-01-preview/examples/watchlists/GetWatchlists.json | 2 +- .../preview/2023-04-01-preview/operations.json | 2 +- 230 files changed, 233 insertions(+), 233 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json index 6344b6a09e0a..2c0c82cc4987 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json index 100a75d6d720..7e0b082bfadb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "paths": { "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json index 2ad050d54c59..1d8838294a8a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json index 73eef9ce1e00..1a394bc47497 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json index d7d3ae106837..0fb8bb7154a5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json index c858ce70c4e6..f981674f75c8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json index 7fdacb007a4e..3559df00e523 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json index 593dfbd7a08d..7b9fe5a399c4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json index af9619904225..db91c35f690b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "paths": { "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json index e303e780b4e4..016d85241ce2 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json index 5e321ee38837..2d0beb5e27a5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json index 47032ee9ea73..e76723df6b5d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/OnboardingStates.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json index 4a5201c23345..9f528306df1a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Recommendations.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json index 90a6b36036a3..d4667464cfda 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SecurityMLAnalyticsSettings.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json index cc7389676ab8..3a62283bcd3f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Settings.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json index 9ded499f5f19..7163ea89d58d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/SourceControls.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json index bcd6ab025dc7..98de914f76c4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json index c927dd6098de..d0905defd84c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "paths": { "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/{ruleRunId}": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json index ed0a8759fb35..d46f67009ddb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json index 24580a69e2f0..244fcf027c9f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/AlertTypes.json @@ -1,7 +1,7 @@ { "swagger": "2.0", "info": { - "version": "2023-03-01-preview", + "version": "2023-04-01-preview", "title": "Common Alert types" }, "paths": {}, diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json index b382fa069354..303bf44f9c2a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json @@ -1,7 +1,7 @@ { "swagger": "2.0", "info": { - "version": "2023-03-01-preview", + "version": "2023-04-01-preview", "title": "Common Entity types" }, "paths": {}, diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json index 363b9f74092f..9a6a20ca1c1e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/IncidentTypes.json @@ -1,7 +1,7 @@ { "swagger": "2.0", "info": { - "version": "2023-03-01-preview", + "version": "2023-04-01-preview", "title": "Common Incident types" }, "paths": {}, diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json index 9db736c45d77..0517825acefc 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/RelationTypes.json @@ -1,7 +1,7 @@ { "swagger": "2.0", "info": { - "version": "2023-03-01-preview", + "version": "2023-04-01-preview", "title": "Common Relation types" }, "paths": {}, diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json index 4f11264f17eb..f6823fcf2379 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ThreatIntelligenceTypes.json @@ -1,7 +1,7 @@ { "swagger": "2.0", "info": { - "version": "2023-03-01-preview", + "version": "2023-04-01-preview", "title": "Common Relation types" }, "paths": {}, diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json index 4e0adcd8c9bf..c6074651bac3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json index 04fabc67bdec..85c93c8c9ba6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/CreateActionOfAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json index 700a235bf48d..0a54f6df5151 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/DeleteActionOfAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json index a0473bd72eba..17b82f411d1e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetActionOfAlertRuleById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json index f07446639bdb..40b083ad6ee5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/actions/GetAllActionsByAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json index 1f51abf071fd..8065e9ad761c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json index 00cdd1378ef8..6eb1f5d975ff 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json index e5e84bf7f54f..866632cf541f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json index d14590320e97..80eff4dd75cb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateFusionAlertRuleWithFusionScenarioExclusion.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json index 9cca5b7342b7..5f6f9f2045f0 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateMicrosoftSecurityIncidentCreationAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json index b1f9b16573a7..79948fbd8681 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateNrtAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json index fd9a8308b7cb..923beeae009f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/CreateScheduledAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json index 920630b681df..e16c87808e22 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/DeleteAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json index c7bd974176ad..7e477775c8be 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetAllAlertRules.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json index 8cdd5ad0dd71..e381901d3ece 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetFusionAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json index 549b0056502b..42e121af8973 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetMicrosoftSecurityIncidentCreationAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json index 131f808c4ee1..b5bea80611fe 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetNrtAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json index 4a9726b6112a..8fc4fb611cab 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/alertRules/GetScheduledAlertRule.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json index 3dc09b8874e0..53313c8da470 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json index 7cb3290977e3..19ba80a23160 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Delete.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json index 0f68eee1b9a1..3722d3d8e92e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_Get.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json index e73d293badee..d8511836eab5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/automationRules/AutomationRules_List.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json index a7d67a8d0a22..feb367db4f46 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/CreateBookmark.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json index 0a9f3a816df4..06f0df203fa7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/DeleteBookmark.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json index 2f5663594e1e..91f719b6b901 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarkById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json index 79823611f67c..aec1ed70a8b7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/GetBookmarks.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json index 47c4007d7b45..dcebfd1eaf72 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/expand/PostExpandBookmark.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json index 21514b442a0f..397a0e9aeb2f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/CreateBookmarkRelation.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json index 1dc720c7cc48..8939d5c4aa91 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/DeleteBookmarkRelation.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json index 92ea96943b2d..928d9ec2e484 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetAllBookmarkRelations.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json index 995e2fa5ae64..9771c6f111f9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/bookmarks/relations/GetBookmarkRelationByName.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json index d617aa7d2f88..f23db4f4ffd6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json index d617aa7d2f88..f23db4f4ffd6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json index d617aa7d2f88..f23db4f4ffd6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json index ce40ca980e8c..9a38eb73173d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json index d0e333c43111..ccc7f6c96ff7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsDynamics365.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json index 1c29f84a6c85..1056eb1300de 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsIoT.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json index 9a532d42a804..44624e56b606 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMdatp.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json index 9a532d42a804..44624e56b606 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json index 9c8e1f60e24d..2b29664c1ecb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftPurviewInformationProtection.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json index a45d6735f323..3112a2f153c5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json index 0533b1c342a1..54c2169f24c7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json index 2b9348367570..52eff1ff6d41 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOffice365Project.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json index 820ff1f60dae..38bff15bb5c0 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeATP.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json index 3a8ea01363bd..2303e17563e1 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficeIRM.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json index 06ac9914a16f..d931ec7afb0f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsOfficePowerBI.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json index e7563c37e454..08145c8719ac 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json index 6dff99162784..f682b715af3a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json index c8f2197dca6f..3ddb55878fec 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPolling.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json index 360ebb10aa17..85fbf661c240 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/ConnectAPIPollingV2Logs.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json index 62b036db776f..75e1140a25ca 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateAPIPolling.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json index 5b316202307b..cf3a3110ea60 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateDynamics365DataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json index 5047be982cd4..800947077e84 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateGenericUI.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json index feac6ff72c04..f5f55f9917a5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftPurviewInformationProtectionDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json index 470c3238a993..c27c7f1d8c7a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatIntelligenceDataConnector.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json index 91cf0220c7db..c446a35b1a6a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateMicrosoftThreatProtectionDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json index e07600516d77..ff8dcd923404 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOffice365ProjectDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json index 204ba2a92256..c46d32465b58 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficeDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json index 959742f2f00f..6850852687d2 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateOfficePowerBIDataConnector.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json index 65f78cd6161f..3222c3513165 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceDataConnector.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json index 82fcf47519e2..84d7ad95f12c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json index 3c0dbf9cf4ca..0bd22f3e31c4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteAPIPolling.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json index 3c0dbf9cf4ca..0bd22f3e31c4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteGenericUI.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json index 27c0bb8f2a97..1d71c74fd811 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftPurviewInformationProtectionDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json index 1e907be7ae1d..5e4e15238bcf 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteMicrosoftThreatIntelligenceDataConnector.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json index 27c0bb8f2a97..1d71c74fd811 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOffice365ProjectDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json index 27c0bb8f2a97..1d71c74fd811 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficeDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json index 27c0bb8f2a97..1d71c74fd811 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DeleteOfficePowerBIDataConnetor.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json index 8c60edd00ea1..9eb0bae5fff5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/DisconnectAPIPolling.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json index 7991c461841d..8e42446afe82 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAPIPolling.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json index c419b8afe827..b1728c8ca838 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json index f3c5f32b7874..e5583e77615b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAmazonWebServicesS3ById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json index 40fe42b274c9..59a02e17fe7c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureActiveDirectoryById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json index d699cc5ffbdd..a7a78ea252fa 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json index 166fe5583f1e..e2be952fdac8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetAzureSecurityCenterById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json index fbb4ca55f4bb..731c9873272f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDataConnectors.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json index 7767f9ef970f..9b425939a5d1 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetDynamics365DataConnectorById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json index 8d52fb3d6128..2b42bc70238d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetGenericUI.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json index 8fd734a483cf..9f7dea07ff83 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetIoTById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json index db200a3d8739..f7429b1e3f7a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json index f3d2ad7012ed..98dcc1648f39 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json index 4927cdcba056..ad6a5bc41643 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftInsiderRiskManagementById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json index a1b7a0ad295b..f57369763d78 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftPurviewInformationProtectionDataConnetorById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json index 3b1cbdbaba7e..b73bbfbef366 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json index bd7c6269c8c8..6a3aed02a7d8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetMicrosoftThreatProtectionById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json index 0bdbe481ff44..6fda3e05ee94 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json index ecac96a605e9..c4ec6ef285ef 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOffice365ProjectDataConnetorById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json index 51a5ae6e08d7..b585ef998819 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficeDataConnetorById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json index ad2210561c45..ebb1663f95f8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetOfficePowerBIDataConnetorById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json index 38c52188cf6b..33c3e2bc8865 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json index 6f0cdd2d6069..3c9c4db5f7b3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/dataConnectors/GetThreatIntelligenceTaxiiById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json index 449e742fee24..ed4561466856 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetGeodataByIp.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "ipAddress": "1.2.3.4" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json index 33bb49275d66..9b2547577fef 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/enrichment/GetWhoisByDomainName.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "domain": "microsoft.com" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json index 76d42a475151..5e7f0e4a75f9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAccountEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json index 20db326a109d..d921a19ce5b8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetAzureResourceEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json index 42177681da3a..64d52143e34a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetCloudApplicationEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json index 59741321be80..fe7a0db382ea 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetDnsEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json index c99045d3f836..4a1ba6a3cd90 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetEntities.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json index 9e7091d4036d..10965a8c3cd6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json index 513385c8673b..3235680edb9d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetFileHashEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json index ee92058a24c0..2695831ed861 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetHostEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json index f88f49348183..4bd87b4079bc 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIoTDeviceEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json index 96225553f23e..43fc4e957697 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetIpEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json index 43cc718fd635..6e5a143a6228 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailClusterEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json index 37a8d3bd1ce9..67659404c0d0 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailMessageEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json index 5b07027770f4..56d04e2fe1a1 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMailboxEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json index bb72b3d084d4..9a150f385a54 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetMalwareEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json index b2a90ae4b315..9eb674b95b6d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetProcessEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json index 8ff752a49bcd..ade031f30381 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetQueries.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json index e3f17c540477..fb8ca44bdbe3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryKeyEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json index f4fd02d97991..04c32993e5bc 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetRegistryValueEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json index 037c92f4e7b4..13413d641b39 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityAlertEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json index 89e0a19176ab..af1191bbbfc4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSecurityGroupEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json index db5c232a192c..e6453c7671c8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetSubmissionMailEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json index 9087b96dc8f3..d7f8fa45ba21 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/GetUrlEntityById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json index 2295ca0a637a..fbc57e485b5d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/expand/PostExpandEntity.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json index 8851f2e450ec..583c4ae40a0a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/insights/PostGetInsights.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json index 47a13a0bb9b0..6c0114becc2a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetAllEntityRelations.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json index 31dd38867884..b3be8339ccbb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/relations/GetEntityRelationByName.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json index d923f9b0da67..6ac121dac362 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entities/timeline/PostTimelineEntity.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json index ab41dc821a65..e4a713f035a3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/CreateEntityQueryActivity.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json index 7f79842d2661..3cfa3810d839 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/DeleteEntityQuery.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json index 7e0d279fb3ae..5dc6254f5e50 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetActivityEntityQueryById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json index 966d9e551e11..917045b0afbf 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetEntityQueries.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "kind": "Expansion", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json index 0fc6837dc132..a5b34051698d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueries/GetExpansionEntityQueryById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json index 5fb4e89a4da2..c4c3a399c82d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetActivityEntityQueryTemplateById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json index 722b38e6437a..924dfcb18c76 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/entityQueryTemplates/GetEntityQueryTemplates.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "kind": "Activity", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json index 68ae4205369d..8e89bba0c4aa 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/CreateFileImport.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json index c41aea4c128d..c5cb4cf02145 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/DeleteFileImport.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json index 541cb2d08d56..4b54bc0ea5d7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImportById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json index 580be0c8bd6d..4929181976ba 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/fileImports/GetFileImports.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json index a051049c83f9..eea313a176cb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json index 0a658cb6da2e..2c2ec95efa7e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json index cd341046a011..f7ecffb2444b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json index 715a920d4abc..b5691b3f1506 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json index fc28975380ac..001512a91dec 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json index a781085ccf0c..b70c87c43882 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json index 15ac7b53ad9b..c1e8a9869841 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json index 42e5b2e07813..cb31df7e4a30 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json index 3b961d4c7d40..00f3b7eb575b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json index 2e8cbe348888..fbeeaf7288ad 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json index 5dca6eb6d8b2..6b317190c60f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json index a5dbba962a15..41a4e9c2f1c6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json index d776cd5f8515..ed91491afaa1 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_CreateOrUpdate.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json index 9800aa0d57b0..2ce48100b8a7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Delete.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json index d7dbf8bc9871..c7ab669853a8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_Get.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json index a781403ae685..b5fa62dcfde4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/Incidents_List.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json index 0d560e1ce525..46774f13b3ee 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/CreateIncidentRelation.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json index d51d5d3b5fda..0562567a4542 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/DeleteIncidentRelation.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json index bf7b0a413a44..e51c47aece3b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetAllIncidentRelations.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json index 3a2be91d9d27..5c9a4647678c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/incidents/relations/GetIncidentRelationByName.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json index 954d54217bef..0d57bee18731 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Entities_RunPlaybook.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json index c83122b65aab..7a2213583829 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/manualTrigger/Incidents_RunPlaybook.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json index 903353406af3..ab14134416fb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/DeleteMetadata.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json index 3e58aa8b417e..0982a7880496 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadata.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json index 6353a8c6d7cb..15177567851f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetAllMetadataOData.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json index 80b255cf2d9c..4a50703d76fa 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/GetMetadata.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "2e1dc338-d04d-4443-b721-037eff4fdcac", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json index 8d2d74b5a694..f8608bd8f5ca 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PatchMetadata.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json index df2b397e5674..e36bdec05e06 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadata.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json index 7486abdfb7b6..e65304cd5f70 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/metadata/PutMetadataMinimal.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json index 15cc3e4e4e37..58c247fc04c9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/DeleteOfficeConsents.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json index e14e00894df4..90cbf97db37e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsents.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json index 059e30cc60a8..6a2d8de3d5cd 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/officeConsents/GetOfficeConsentsById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json index 19214d142ad4..322fadbace76 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/CreateSentinelOnboardingState.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json index 13859b4909fd..05da63fbba9b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/DeleteSentinelOnboardingState.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json index adbbec7024a8..0b171bec8a6e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetAllSentinelOnboardingStates.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json index 675b5c47852c..7767973100a8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/onboardingStates/GetSentinelOnboardingState.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json index 6a6ca38f9971..1e569f4f9a5a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/operations/ListOperations.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview" + "api-version": "2023-04-01-preview" }, "responses": { "200": { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json index 725c91fef371..6b800fcdc48a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendation.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json index 1a02c3e12c1d..d1ecac4c664b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/GetRecommendations.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json index b20049002b2e..cbe06403bd67 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/recommendations/PatchRecommendation.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", @@ -14,7 +14,7 @@ "responses": { "202": { "headers": { - "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.SecurityInsights/recommendations/6d4b54eb-8684-4aa3-a156-3aa37b8014bc?api-version=2023-03-01-preview" + "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.SecurityInsights/recommendations/6d4b54eb-8684-4aa3-a156-3aa37b8014bc?api-version=2023-04-01-preview" }, "body": { "recommendationTypeId": "ThreatIntelligence_Example", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json index 2ca46c278576..bf043503eb12 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/repositories/GetRepositories.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "repoType": "Github", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json index b69e9e8c9708..ddf3e34f4f70 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/CreateAnomalySecurityMLAnalyticsSetting.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json index 0befd7cee988..31f85196947d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/DeleteSecurityMLAnalyticsSetting.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json index 644401f55e7e..895b4edd893a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAllSecurityMLAnalyticsSettings.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json index 0f415bb091df..3a44f85d35e9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/securityMLAnalyticsSettings/GetAnomalySecurityMLAnalyticsSetting.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json index b71c262cbe1d..373371c5983b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/DeleteEyesOnSetting.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json index 03bfebccf614..a07c0eb99f83 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetAllSettings.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json index 20485861b2aa..80777c89f172 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/GetEyesOnSetting.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json index ce1e106ca0bc..100e4d6fc16a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/settings/UpdateEyesOnSetting.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json index 634316c3177a..df3e18542bbf 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/CreateSourceControl.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json index b64481f4d532..fc949d18881a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/DeleteSourceControl.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json index f0f0a9eec82f..c64efb8b88a5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControlById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json index 1fcff1c05936..a160e76ec4b9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/sourcecontrols/GetSourceControls.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json index ab59f760545e..28c65fd56964 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/AppendTagsThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json index 08575d0631e3..9f5e7b340210 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CollectThreatIntelligenceMetrics.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json index 6bbfd6957dde..7f6a61ef626a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/CreateThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json index 4be35436670f..ea75afea62c5 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/DeleteThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json index af23907e7f5c..ca19d045312e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json index 727108eaa2f5..36362942a526 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/GetThreatIntelligenceById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json index edf5669517b9..22202506a4f7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/QueryThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json index b89bbc8e7309..e54417cabb0a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/ReplaceTagsThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json index 6116b1a59e1d..ce37a9b8e36b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/threatintelligence/UpdateThreatIntelligence.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json index d3f2fc0ed83f..6d70d83b45b7 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggerRuleRun_Post.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", @@ -16,7 +16,7 @@ "headers": { "Code": "202", "Message": "Accepted", - "Location": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/5abbc58b-9655-4f9b-80ac-5a576753e4ec?api-version=2023-03-01-preview" + "Location": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/triggeredAnalyticsRuleRuns/5abbc58b-9655-4f9b-80ac-5a576753e4ec?api-version=2023-04-01-preview" } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json index 6f8e46123beb..fbe470427c69 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRun_Get.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json index 4a5d1643e081..446877bd301d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/triggeredAnalyticsRuleRuns/triggeredAnalyticsRuleRuns_Get.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json index dd402e372970..8b654d1e275c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlist.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json index 64afe3381014..366ad04440f6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistAndWatchlistItems.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json index a7fcc52625ec..c8582f7cf3c8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/CreateWatchlistItem.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json index 0894cae18891..bfa619ddd02f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlist.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", @@ -10,7 +10,7 @@ "responses": { "200": { "headers": { - "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.SecurityInsights/watchlists/1011-01/watchlistStatuses/00000000-0000-0000-0000-000000000000?api-version=2023-03-01-preview" + "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.SecurityInsights/watchlists/1011-01/watchlistStatuses/00000000-0000-0000-0000-000000000000?api-version=2023-04-01-preview" } }, "204": {} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json index afed679969e2..c68a3bb87ba6 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/DeleteWatchlistItem.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json index 1804596fc587..678f6e698ceb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistByAlias.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json index ed94bced0278..75d85386426e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItemById.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json index d851487e7b6c..e06a21621cc9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlistItems.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json index 77a258fa7f10..bdea742a73e4 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/watchlists/GetWatchlists.json @@ -1,6 +1,6 @@ { "parameters": { - "api-version": "2023-03-01-preview", + "api-version": "2023-04-01-preview", "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json index 837f7274dcc4..d422b2a3a4d8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json @@ -3,7 +3,7 @@ "info": { "title": "Security Insights", "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", - "version": "2023-03-01-preview" + "version": "2023-04-01-preview" }, "host": "management.azure.com", "schemes": [ From 09513c84d004d61a8e906f85858efce8de440fc7 Mon Sep 17 00:00:00 2001 From: rheabansal <93624991+rheabansal@users.noreply.github.com> Date: Fri, 17 Mar 2023 01:26:33 -0700 Subject: [PATCH 04/14] Workspace Manager Members (#23134) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Members * udpate pattern --- .../WorkspaceManagerMembers.json | 310 ++++++++++++++++++ .../CreateOrUpdateWorkspaceManagerMember.json | 41 +++ .../DeleteWorkspaceManagerMember.json | 13 + .../GetAllWorkspaceManagerMembers.json | 26 ++ .../GetWorkspaceManagerMember.json | 23 ++ .../resource-manager/readme.md | 1 + 6 files changed, 414 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/CreateOrUpdateWorkspaceManagerMember.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/DeleteWorkspaceManagerMember.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetAllWorkspaceManagerMembers.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetWorkspaceManagerMember.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json new file mode 100644 index 000000000000..74c1a9296c95 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json @@ -0,0 +1,310 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerMembers/": { + "get": { + "x-ms-examples": { + "Get all workspace manager members": { + "$ref": "./examples/workspaceManagerMembers/GetAllWorkspaceManagerMembers.json" + } + }, + "tags": [ + "workspaceManagerMember" + ], + "description": "Gets all workspace manager members that exist for the given Sentinel workspace manager", + "operationId": "WorkspaceManagerMembers_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerMembersList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerMembers/{workspaceManagerMemberName}": { + "get": { + "x-ms-examples": { + "Get a workspace manager member": { + "$ref": "./examples/workspaceManagerMembers/GetWorkspaceManagerMember.json" + } + }, + "tags": [ + "workspaceManagerMember" + ], + "description": "Gets a workspace manager member", + "operationId": "WorkspaceManagerMembers_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerMemberName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerMember" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create or Update a workspace manager member": { + "$ref": "./examples/workspaceManagerMembers/CreateOrUpdateWorkspaceManagerMember.json" + } + }, + "tags": [ + "workspaceManagerMember" + ], + "description": "Creates or updates a workspace manager member", + "operationId": "WorkspaceManagerMembers_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerMemberName" + }, + { + "$ref": "#/parameters/WorkspaceManagerMember" + } + ], + "responses": { + "200": { + "description": "Updated", + "schema": { + "$ref": "#/definitions/WorkspaceManagerMember" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WorkspaceManagerMember" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a workspace manager member": { + "$ref": "./examples/workspaceManagerMembers/DeleteWorkspaceManagerMember.json" + } + }, + "tags": [ + "workspaceManagerMember" + ], + "description": "Deletes a workspace manager member", + "operationId": "WorkspaceManagerMembers_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerMemberName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + } + } + }, + "definitions": { + "WorkspaceManagerMemberProperties": { + "description": "The workspace manager member properties", + "properties": { + "targetWorkspaceId": { + "description": "Fully qualified resource ID of the target Sentinel workspace joining the given Sentinel workspace manager", + "type": "string" + }, + "targetWorkspaceTenantId": { + "description": "Tenant id of the target Sentinel workspace joining the given Sentinel workspace manager", + "type": "string" + } + }, + "required": [ + "targetWorkspaceId", + "targetWorkspaceTenantId" + ], + "type": "object" + }, + "WorkspaceManagerMember": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/AzureEntityResource" + } + ], + "description": "The workspace manager member", + "properties": { + "properties": { + "$ref": "#/definitions/WorkspaceManagerMemberProperties", + "description": "The workspace manager member object", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WorkspaceManagerMembersList": { + "description": "List of workspace manager members", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of workspace manager members", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of workspace manager members", + "items": { + "$ref": "#/definitions/WorkspaceManagerMember" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + } + }, + "parameters": { + "WorkspaceManagerMemberName": { + "description": "The name of the workspace manager member", + "in": "path", + "name": "workspaceManagerMemberName", + "required": true, + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$", + "x-ms-parameter-location": "method" + }, + "WorkspaceManagerMember": { + "description": "The workspace manager member object", + "in": "body", + "name": "workspaceManagerMember", + "required": true, + "schema": { + "$ref": "#/definitions/WorkspaceManagerMember" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/CreateOrUpdateWorkspaceManagerMember.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/CreateOrUpdateWorkspaceManagerMember.json new file mode 100644 index 000000000000..4ccd4adb8c42 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/CreateOrUpdateWorkspaceManagerMember.json @@ -0,0 +1,41 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerMemberName": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "workspaceManagerMember": { + "properties": { + "targetWorkspaceId": "/subscriptions/7aef9d48-814f-45ad-b644-b0343316e174/resourceGroups/otherRg/providers/Microsoft.OperationalInsights/workspaces/Example_Workspace", + "targetWorkspaceTenantId": "f676d436-8d16-42db-81b7-ab578e110ccd" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerMembers/afbd324f-6c48-459c-8710-8d1e1cd03812", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "type": "Microsoft.SecurityInsights/workspaceManagerMembers", + "properties": { + "targetWorkspaceId": "/subscriptions/7aef9d48-814f-45ad-b644-b0343316e174/resourceGroups/otherRg/providers/Microsoft.OperationalInsights/workspaces/Example_Workspace", + "targetWorkspaceTenantId": "f676d436-8d16-42db-81b7-ab578e110ccd" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerMembers/afbd324f-6c48-459c-8710-8d1e1cd03812", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "type": "Microsoft.SecurityInsights/workspaceManagerMembers", + "properties": { + "targetWorkspaceId": "/subscriptions/7aef9d48-814f-45ad-b644-b0343316e174/resourceGroups/otherRg/providers/Microsoft.OperationalInsights/workspaces/Example_Workspace", + "targetWorkspaceTenantId": "f676d436-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/DeleteWorkspaceManagerMember.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/DeleteWorkspaceManagerMember.json new file mode 100644 index 000000000000..6a40382ee184 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/DeleteWorkspaceManagerMember.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerMemberName": "afbd324f-6c48-459c-8710-8d1e1cd03812" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetAllWorkspaceManagerMembers.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetAllWorkspaceManagerMembers.json new file mode 100644 index 000000000000..2fa49a5856a9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetAllWorkspaceManagerMembers.json @@ -0,0 +1,26 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerMembers/afbd324f-6c48-459c-8710-8d1e1cd03812", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "type": "Microsoft.SecurityInsights/workspaceManagerMembers", + "properties": { + "targetWorkspaceId": "/subscriptions/7aef9d48-814f-45ad-b644-b0343316e174/resourceGroups/otherRg/providers/Microsoft.OperationalInsights/workspaces/Example_Workspace", + "targetWorkspaceTenantId": "f676d436-8d16-42db-81b7-ab578e110ccd" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetWorkspaceManagerMember.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetWorkspaceManagerMember.json new file mode 100644 index 000000000000..6730db8eabc9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerMembers/GetWorkspaceManagerMember.json @@ -0,0 +1,23 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerMemberName": "afbd324f-6c48-459c-8710-8d1e1cd03812" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerMembers/afbd324f-6c48-459c-8710-8d1e1cd03812", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "type": "Microsoft.SecurityInsights/workspaceManagerMembers", + "properties": { + "targetWorkspaceId": "/subscriptions/7aef9d48-814f-45ad-b644-b0343316e174/resourceGroups/otherRg/providers/Microsoft.OperationalInsights/workspaces/Example_Workspace", + "targetWorkspaceTenantId": "f676d436-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 198f37f944de..794e6dabcc06 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -57,6 +57,7 @@ input-file: - Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json ``` From d34d82beec5954515dc28a5c5ec0cedf48eb58d6 Mon Sep 17 00:00:00 2001 From: rheabansal <93624991+rheabansal@users.noreply.github.com> Date: Mon, 20 Mar 2023 20:04:58 -0700 Subject: [PATCH 05/14] Workspace manager configurations (#23133) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * adding april configurations swagger * update pattern * prettier update * update readme --- .../WorkspaceManagerConfigurations.json | 323 ++++++++++++++++++ ...OrUpdateWorkspaceManagerConfiguration.json | 38 +++ .../DeleteWorkspaceManagerConfiguration.json | 13 + .../GetAllWorkspaceManagerConfigurations.json | 25 ++ .../GetWorkspaceManagerConfiguration.json | 22 ++ .../resource-manager/readme.md | 1 + 6 files changed, 422 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/CreateOrUpdateWorkspaceManagerConfiguration.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/DeleteWorkspaceManagerConfiguration.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetAllWorkspaceManagerConfigurations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetWorkspaceManagerConfiguration.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json new file mode 100644 index 000000000000..8ca6d636eeaf --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json @@ -0,0 +1,323 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerConfigurations": { + "get": { + "x-ms-examples": { + "Get all workspace manager configurations for a Sentinel workspace.": { + "$ref": "./examples/workspaceManagerConfigurations/GetAllWorkspaceManagerConfigurations.json" + } + }, + "tags": [ + "workspaceManagerConfigurations" + ], + "description": "Gets all workspace manager configurations for a Sentinel workspace.", + "operationId": "WorkspaceManagerConfigurations_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerConfigurationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerConfigurations/{workspaceManagerConfigurationName}": { + "get": { + "x-ms-examples": { + "Get a workspace manager configuration.": { + "$ref": "./examples/workspaceManagerConfigurations/GetWorkspaceManagerConfiguration.json" + } + }, + "tags": [ + "workspaceManagerConfigurations" + ], + "description": "Gets a workspace manager configuration", + "operationId": "WorkspaceManagerConfigurations_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerConfigurationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerConfiguration" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a workspace manager configuration.": { + "$ref": "./examples/workspaceManagerConfigurations/DeleteWorkspaceManagerConfiguration.json" + } + }, + "tags": [ + "workspaceManagerConfigurations" + ], + "description": "Deletes a workspace manager configuration", + "operationId": "WorkspaceManagerConfigurations_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerConfigurationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create or Update a workspace manager Configuration": { + "$ref": "./examples/workspaceManagerConfigurations/CreateOrUpdateWorkspaceManagerConfiguration.json" + } + }, + "tags": [ + "workspaceManagerConfigurations" + ], + "description": "Creates or updates a workspace manager configuration.", + "operationId": "WorkspaceManagerConfigurations_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerConfigurationName" + }, + { + "$ref": "#/parameters/WorkspaceManagerConfiguration" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerConfiguration" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WorkspaceManagerConfiguration" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + } + } + }, + "definitions": { + "WorkspaceManagerConfiguration": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/AzureEntityResource" + } + ], + "description": "The workspace manager configuration", + "properties": { + "properties": { + "$ref": "#/definitions/WorkspaceManagerConfigurationProperties", + "description": "The workspace manager configuration object", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WorkspaceManagerConfigurationProperties": { + "description": "The workspace manager configuration properties", + "properties": { + "mode": { + "description": "The current mode of the workspace manager configuration", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "mode", + "values": [ + { + "description": "The workspace manager configuration is enabled", + "value": "Enabled" + }, + { + "description": "The workspace manager configuration is disabled", + "value": "Disabled" + } + ] + } + } + }, + "required": [ + "mode" + ], + "type": "object" + }, + "WorkspaceManagerConfigurationList": { + "description": "List all the workspace manager configurations for the workspace.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of workspace manager configurations.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of workspace manager configurations.", + "items": { + "$ref": "#/definitions/WorkspaceManagerConfiguration" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + } + }, + "parameters": { + "WorkspaceManagerConfigurationName": { + "description": "The name of the workspace manager configuration", + "in": "path", + "name": "workspaceManagerConfigurationName", + "required": true, + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$", + "x-ms-parameter-location": "method" + }, + "WorkspaceManagerConfiguration": { + "description": "The workspace manager configuration", + "in": "body", + "name": "workspaceManagerConfiguration", + "required": true, + "schema": { + "$ref": "#/definitions/WorkspaceManagerConfiguration" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/CreateOrUpdateWorkspaceManagerConfiguration.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/CreateOrUpdateWorkspaceManagerConfiguration.json new file mode 100644 index 000000000000..9eef6aa6da19 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/CreateOrUpdateWorkspaceManagerConfiguration.json @@ -0,0 +1,38 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerConfigurationName": "default", + "workspaceManagerConfiguration": { + "properties": { + "mode": "Enabled" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerConfigurations/default", + "etag": "\"3f6451dd-1b58-4bef-bce7-72eba6b354d7\"", + "name": "default", + "type": "Microsoft.SecurityInsights/workspaceManagerConfigurations", + "properties": { + "mode": "Enabled" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerConfigurations/default", + "etag": "\"3f6451dd-1b58-4bef-bce7-72eba6b354d7\"", + "name": "default", + "type": "Microsoft.SecurityInsights/workspaceManagerConfigurations", + "properties": { + "mode": "Enabled" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/DeleteWorkspaceManagerConfiguration.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/DeleteWorkspaceManagerConfiguration.json new file mode 100644 index 000000000000..62f09aa3de26 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/DeleteWorkspaceManagerConfiguration.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerConfigurationName": "default" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetAllWorkspaceManagerConfigurations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetAllWorkspaceManagerConfigurations.json new file mode 100644 index 000000000000..9394f6b0edf8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetAllWorkspaceManagerConfigurations.json @@ -0,0 +1,25 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerConfigurations/default", + "etag": "\"3f6451dd-1b58-4bef-bce7-72eba6b354d7\"", + "name": "default", + "type": "Microsoft.SecurityInsights/workspaceManagerConfigurations", + "properties": { + "mode": "Enabled" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetWorkspaceManagerConfiguration.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetWorkspaceManagerConfiguration.json new file mode 100644 index 000000000000..f449bf76501e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerConfigurations/GetWorkspaceManagerConfiguration.json @@ -0,0 +1,22 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerConfigurationName": "default" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerConfigurations/default", + "etag": "\"3f6451dd-1b58-4bef-bce7-72eba6b354d7\"", + "name": "default", + "type": "Microsoft.SecurityInsights/workspaceManagerConfigurations", + "properties": { + "mode": "Enabled" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 794e6dabcc06..6275f764b9b4 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -57,6 +57,7 @@ input-file: - Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/operations.json From 9e9e7ba49d3def2f865ca25e0bc3e4a37b50b09f Mon Sep 17 00:00:00 2001 From: rheabansal <93624991+rheabansal@users.noreply.github.com> Date: Tue, 21 Mar 2023 18:27:19 -0700 Subject: [PATCH 06/14] Workspace manager assignments (#23130) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * Workspace Manager Assignments/Jobs * update readme * updated from comments * update from lint diff errors * updated descriptions --- .../WorkspaceManagerAssignments.json | 737 ++++++++++++++++++ .../CreateJob.json | 24 + ...ateOrUpdateWorkspaceManagerAssignment.json | 62 ++ .../DeleteJob.json | 14 + .../DeleteWorkspaceManagerAssignment.json | 13 + .../GetAllJobs.json | 46 ++ .../GetAllWorkspaceManagerAssignments.json | 35 + .../workspaceManagerAssignments/GetJob.json | 43 + .../GetWorkspaceManagerAssignment.json | 32 + .../resource-manager/readme.md | 2 + 10 files changed, 1008 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateJob.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateOrUpdateWorkspaceManagerAssignment.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteJob.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteWorkspaceManagerAssignment.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllJobs.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllWorkspaceManagerAssignments.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetJob.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetWorkspaceManagerAssignment.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json new file mode 100644 index 000000000000..d46494931447 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json @@ -0,0 +1,737 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerAssignments": { + "get": { + "x-ms-examples": { + "Get all workspace manager assignments for the Sentinel workspace manager.": { + "$ref": "./examples/workspaceManagerAssignments/GetAllWorkspaceManagerAssignments.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Get all workspace manager assignments for the Sentinel workspace manager.", + "operationId": "WorkspaceManagerAssignments_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerAssignmentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/{workspaceManagerAssignmentName}": { + "get": { + "x-ms-examples": { + "Get a workspace manager assignment": { + "$ref": "./examples/workspaceManagerAssignments/GetWorkspaceManagerAssignment.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Gets a workspace manager assignment", + "operationId": "WorkspaceManagerAssignments_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerAssignment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a workspace manager assignment.": { + "$ref": "./examples/workspaceManagerAssignments/CreateOrUpdateWorkspaceManagerAssignment.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Creates or updates a workspace manager assignment.", + "operationId": "WorkspaceManagerAssignments_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignment" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerAssignment" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WorkspaceManagerAssignment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a workspace manager assignment.": { + "$ref": "./examples/workspaceManagerAssignments/DeleteWorkspaceManagerAssignment.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Deletes a workspace manager assignment", + "operationId": "WorkspaceManagerAssignments_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/{workspaceManagerAssignmentName}/jobs": { + "get": { + "x-ms-examples": { + "Get all jobs for the specified Sentinel workspace manager assignment.": { + "$ref": "./examples/workspaceManagerAssignments/GetAllJobs.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Get all jobs for the specified workspace manager assignment", + "operationId": "WorkspaceManagerAssignmentJobs_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/JobList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + }, + "post": { + "x-ms-examples": { + "Creates a job for the specified workspace manager assignment": { + "$ref": "./examples/workspaceManagerAssignments/CreateJob.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Create a job for the specified workspace manager assignment", + "operationId": "WorkspaceManagerAssignmentJobs_Create", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + } + ], + "responses": { + "200": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Job" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/{workspaceManagerAssignmentName}/jobs/{jobName}": { + "get": { + "x-ms-examples": { + "Get a workspace manager job": { + "$ref": "./examples/workspaceManagerAssignments/GetJob.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Gets a job", + "operationId": "WorkspaceManagerAssignmentJobs_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + }, + { + "$ref": "#/parameters/JobName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Job" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a workspace manager job.": { + "$ref": "./examples/workspaceManagerAssignments/DeleteJob.json" + } + }, + "tags": [ + "workspaceManagerAssignments" + ], + "description": "Deletes the specified job from the specified workspace manager assignment", + "operationId": "WorkspaceManagerAssignmentJobs_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerAssignmentName" + }, + { + "$ref": "#/parameters/JobName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + } + } + }, + "definitions": { + "WorkspaceManagerAssignment": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/AzureEntityResource" + } + ], + "description": "The workspace manager assignment", + "properties": { + "properties": { + "$ref": "#/definitions/WorkspaceManagerAssignmentProperties", + "description": "The workspace manager assignment object", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WorkspaceManagerAssignmentProperties": { + "description": "The workspace manager assignment properties", + "properties": { + "targetResourceName": { + "description": "The resource name of the workspace manager group targeted by the workspace manager assignment", + "type": "string" + }, + "lastJobEndTime": { + "description": "The time the last job associated to this assignment ended at", + "format": "date-time", + "type": "string", + "readOnly": true + }, + "lastJobProvisioningState": { + "description": "State of the last job associated to this assignment", + "enum": [ + "Succeeded", + "InProgress", + "Canceled", + "Failed" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "provisioningState", + "values": [ + { + "description": "The job succeeded", + "value": "Succeeded" + }, + { + "description": "The job was canceled", + "value": "Canceled" + }, + { + "description": "The job is in progress", + "value": "InProgress" + }, + { + "description": "The job failed", + "value": "Failed" + } + ] + } + }, + "items": { + "description": "List of resources included in this workspace manager assignment", + "items": { + "$ref": "#/definitions/assignmentItem" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "required": [ + "targetResourceName", + "items" + ], + "type": "object" + }, + "assignmentItem": { + "description": "An entity describing a content item.", + "properties": { + "resourceId": { + "description": "The resource id of the content item", + "type": "string" + } + }, + "type": "object" + }, + "WorkspaceManagerAssignmentList": { + "description": "List of all the workspace manager assignments.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of workspace manager assignments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of workspace manager assignments.", + "items": { + "$ref": "#/definitions/WorkspaceManagerAssignment" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Job": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "The assignment job", + "properties": { + "properties": { + "$ref": "#/definitions/JobProperties", + "description": "The job object", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "JobProperties": { + "description": "The job properties", + "properties": { + "endTime": { + "description": "The time the job completed", + "format": "date-time", + "type": "string", + "readOnly": true + }, + "items": { + "description": "List of items published by the job", + "items": { + "$ref": "#/definitions/jobItem" + }, + "x-ms-identifiers": [], + "type": "array" + }, + "provisioningState": { + "description": "State of the job", + "enum": [ + "Succeeded", + "InProgress", + "Canceled", + "Failed" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "provisioningState", + "values": [ + { + "description": "The job succeeded", + "value": "Succeeded" + }, + { + "description": "The job was canceled", + "value": "Canceled" + }, + { + "description": "The job is in progress", + "value": "InProgress" + }, + { + "description": "The job failed", + "value": "Failed" + } + ] + } + }, + "startTime": { + "description": "The time the job started", + "format": "date-time", + "type": "string", + "readOnly": true + }, + "errorMessage": { + "description": "Message to describe error, if an error exists", + "type": "string", + "readOnly": true + } + }, + "type": "object" + }, + "jobItem": { + "description": "An entity describing the publish status of a content item.", + "properties": { + "resourceId": { + "description": "The resource id of the content item", + "type": "string" + }, + "status": { + "description": "Status of the item publication", + "enum": [ + "Succeeded", + "Failed", + "InProgress" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "status", + "values": [ + { + "description": "The item publication succeeded", + "value": "Succeeded" + }, + { + "description": "The item publication failed", + "value": "Failed" + }, + { + "description": "The item publication is in progress", + "value": "InProgress" + } + ] + } + }, + "executionTime": { + "description": "The time the item publishing was completed", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "errors": { + "description": "The list of error descriptions if the item publication fails.", + "items": { + "$ref": "#/definitions/error" + }, + "x-ms-identifiers": [], + "type": "array" + } + }, + "type": "object" + }, + "error": { + "description": "The error description for why a publication failed", + "type": "object", + "properties": { + "memberResourceName": { + "description": "The member resource name for which the publication error occured", + "type": "string" + }, + "errorMessage": { + "description": "The error message", + "type": "string" + } + }, + "required": [ + "memberResourceName", + "errorMessage" + ] + }, + "JobList": { + "description": "List of all the jobs", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of jobs.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of jobs.", + "items": { + "$ref": "#/definitions/Job" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + } + }, + "parameters": { + "WorkspaceManagerAssignmentName": { + "description": "The name of the workspace manager assignment", + "in": "path", + "name": "workspaceManagerAssignmentName", + "required": true, + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$", + "x-ms-parameter-location": "method" + }, + "WorkspaceManagerAssignment": { + "description": "The workspace manager assignment", + "in": "body", + "name": "workspaceManagerAssignment", + "required": true, + "schema": { + "$ref": "#/definitions/WorkspaceManagerAssignment" + }, + "x-ms-parameter-location": "method" + }, + "JobName": { + "description": "The job name", + "in": "path", + "name": "jobName", + "required": true, + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateJob.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateJob.json new file mode 100644 index 000000000000..eae27a4b63c5 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateJob.json @@ -0,0 +1,24 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "jobName": "cfbe1338-8276-4d5d-8b96-931117f9fa0e" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58/jobs/cfbe1338-8276-4d5d-8b96-931117f9fa0e", + "etag": "\"f20a2523-7817-47b5-a3b2-21539c00c788\"", + "name": "cfbe1338-8276-4d5d-8b96-931117f9fa0e", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments/jobs", + "properties": { + "startTime": "2022-06-14T04:47:52.9614956Z", + "provisioningState": "InProgress" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateOrUpdateWorkspaceManagerAssignment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateOrUpdateWorkspaceManagerAssignment.json new file mode 100644 index 000000000000..1bcd16f189d4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/CreateOrUpdateWorkspaceManagerAssignment.json @@ -0,0 +1,62 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "workspaceManagerAssignment": { + "properties": { + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo" + } + ], + "targetResourceName": "37207a7a-3b8a-438f-a559-c7df400e1b96" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments", + "properties": { + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo" + } + ], + "targetResourceName": "37207a7a-3b8a-438f-a559-c7df400e1b96" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments", + "properties": { + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo" + } + ], + "targetResourceName": "37207a7a-3b8a-438f-a559-c7df400e1b96" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteJob.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteJob.json new file mode 100644 index 000000000000..d125feb00229 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteJob.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "jobName": "cfbe1338-8276-4d5d-8b96-931117f9fa0e" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteWorkspaceManagerAssignment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteWorkspaceManagerAssignment.json new file mode 100644 index 000000000000..39440070a0f5 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/DeleteWorkspaceManagerAssignment.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllJobs.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllJobs.json new file mode 100644 index 000000000000..a06133b4553c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllJobs.json @@ -0,0 +1,46 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58/jobs/cfbe1338-8276-4d5d-8b96-931117f9fa0e", + "etag": "\"f20a2523-7817-47b5-a3b2-21539c00c788\"", + "name": "cfbe1338-8276-4d5d-8b96-931117f9fa0e", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments/jobs", + "properties": { + "endTime": "2022-06-14T04:52:52.9614956Z", + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne", + "status": "Succeeded", + "executionTime": "2022-06-14T04:49:52.9614956Z" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo", + "status": "Failed", + "executionTime": "2022-06-14T04:50:52.9614956Z", + "errors": [ + { + "memberResourceName": "f5fa104e-c0e3-4747-9182-d342dc048a9e", + "errorMessage": "Failed to write. Status code: Forbidden." + } + ] + } + ], + "startTime": "2022-06-14T04:47:52.9614956Z", + "provisioningState": "Failed" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllWorkspaceManagerAssignments.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllWorkspaceManagerAssignments.json new file mode 100644 index 000000000000..d148f0f222a9 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetAllWorkspaceManagerAssignments.json @@ -0,0 +1,35 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments", + "properties": { + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo" + } + ], + "targetResourceName": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "lastJobEndTime": "2022-06-14T04:52:52.9614956Z", + "lastJobProvisioningState": "Failed" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetJob.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetJob.json new file mode 100644 index 000000000000..9cade0b18e95 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetJob.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "jobName": "cfbe1338-8276-4d5d-8b96-931117f9fa0e" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58/jobs/cfbe1338-8276-4d5d-8b96-931117f9fa0e", + "etag": "\"f20a2523-7817-47b5-a3b2-21539c00c788\"", + "name": "cfbe1338-8276-4d5d-8b96-931117f9fa0e", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments/jobs", + "properties": { + "endTime": "2022-06-14T04:52:52.9614956Z", + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne", + "status": "Succeeded", + "executionTime": "2022-06-14T04:49:52.9614956Z" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo", + "status": "Failed", + "executionTime": "2022-06-14T04:50:52.9614956Z", + "errors": [ + { + "memberResourceName": "f5fa104e-c0e3-4747-9182-d342dc048a9e", + "errorMessage": "Failed to write. Status code: Forbidden." + } + ] + } + ], + "startTime": "2022-06-14T04:47:52.9614956Z", + "provisioningState": "Failed" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetWorkspaceManagerAssignment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetWorkspaceManagerAssignment.json new file mode 100644 index 000000000000..ada394c33a4d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerAssignments/GetWorkspaceManagerAssignment.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerAssignmentName": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerAssignments/47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "name": "47cdc5f5-37c4-47b5-bd5f-83c84b8bdd58", + "type": "Microsoft.SecurityInsights/workspaceManagerAssignments", + "properties": { + "items": [ + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleOne" + }, + { + "resourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspac-es/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExampleTwo" + } + ], + "targetResourceName": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "lastJobEndTime": "2022-06-14T04:52:52.9614956Z", + "lastJobProvisioningState": "Failed" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 6275f764b9b4..a51631e02449 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -29,6 +29,7 @@ openapi-type: arm tag: package-preview-2023-04 ``` + --- @@ -57,6 +58,7 @@ input-file: - Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/dataConnectors.json From 8a0624b2fde6cb2abe8e3c0e5f13a7a466784eb2 Mon Sep 17 00:00:00 2001 From: rheabansal <93624991+rheabansal@users.noreply.github.com> Date: Tue, 21 Mar 2023 22:12:08 -0700 Subject: [PATCH 07/14] Workspace manager groups (#23135) * Adds base for updating Microsoft.SecurityInsights from version preview/2023-02-01-preview to version 2023-04-01-preview * Updates readme * Updates API version in new specs and examples * april swagger for groups * update path name & pattern --- .../WorkspaceManagerGroups.json | 318 ++++++++++++++++++ .../CreateOrUpdateWorkspaceManagerGroup.json | 53 +++ .../DeleteWorkspaceManagerGroup.json | 13 + .../GetAllWorkspaceManagerGroups.json | 30 ++ .../GetWorkspaceManagerGroup.json | 27 ++ .../resource-manager/readme.md | 1 + 6 files changed, 442 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/CreateOrUpdateWorkspaceManagerGroup.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/DeleteWorkspaceManagerGroup.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetAllWorkspaceManagerGroups.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetWorkspaceManagerGroup.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json new file mode 100644 index 000000000000..cdf63b2dccd7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json @@ -0,0 +1,318 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerGroups": { + "get": { + "x-ms-examples": { + "Get all workspace manager groups in the Sentinel workspace manager.": { + "$ref": "./examples/workspaceManagerGroups/GetAllWorkspaceManagerGroups.json" + } + }, + "tags": [ + "workspaceManagerGroups" + ], + "description": "Gets all workspace manager groups in the Sentinel workspace manager", + "operationId": "WorkspaceManagerGroups_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerGroupList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workspaceManagerGroups/{workspaceManagerGroupName}": { + "get": { + "x-ms-examples": { + "Get a workspace manager group": { + "$ref": "./examples/workspaceManagerGroups/GetWorkspaceManagerGroup.json" + } + }, + "tags": [ + "workspaceManagerGroups" + ], + "description": "Gets a workspace manager group", + "operationId": "WorkspaceManagerGroups_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerGroupName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerGroup" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a workspace manager group.": { + "$ref": "./examples/workspaceManagerGroups/CreateOrUpdateWorkspaceManagerGroup.json" + } + }, + "tags": [ + "workspaceManagerGroups" + ], + "description": "Creates or updates a workspace manager group.", + "operationId": "WorkspaceManagerGroups_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerGroupName" + }, + { + "$ref": "#/parameters/WorkspaceManagerGroup" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WorkspaceManagerGroup" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WorkspaceManagerGroup" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a workspace manager group.": { + "$ref": "./examples/workspaceManagerGroups/DeleteWorkspaceManagerGroup.json" + } + }, + "tags": [ + "workspaceManagerGroups" + ], + "description": "Deletes a workspace manager group", + "operationId": "WorkspaceManagerGroups_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WorkspaceManagerGroupName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/ErrorResponse" + } + } + } + } + } + }, + "definitions": { + "WorkspaceManagerGroup": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/definitions/AzureEntityResource" + } + ], + "description": "The workspace manager group", + "properties": { + "properties": { + "$ref": "#/definitions/WorkspaceManagerGroupProperties", + "description": "The workspace manager group object", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WorkspaceManagerGroupProperties": { + "description": "The workspace manager group properties", + "properties": { + "description": { + "description": "The description of the workspace manager group", + "type": "string" + }, + "displayName": { + "description": "The display name of the workspace manager group", + "type": "string" + }, + "memberResourceNames": { + "description": "The names of the workspace manager members participating in this group.", + "items": { + "description": "memberResourceName", + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "memberResourceNames" + ], + "type": "object" + }, + "WorkspaceManagerGroupList": { + "description": "List of all the workspace manager groups.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of workspace manager groups.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of workspace manager groups.", + "items": { + "$ref": "#/definitions/WorkspaceManagerGroup" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + } + }, + "parameters": { + "WorkspaceManagerGroupName": { + "description": "The name of the workspace manager group", + "in": "path", + "name": "workspaceManagerGroupName", + "required": true, + "type": "string", + "pattern": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$", + "x-ms-parameter-location": "method" + }, + "WorkspaceManagerGroup": { + "description": "The workspace manager group object", + "in": "body", + "name": "workspaceManagerGroup", + "required": true, + "schema": { + "$ref": "#/definitions/WorkspaceManagerGroup" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/CreateOrUpdateWorkspaceManagerGroup.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/CreateOrUpdateWorkspaceManagerGroup.json new file mode 100644 index 000000000000..6c6d41cbe218 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/CreateOrUpdateWorkspaceManagerGroup.json @@ -0,0 +1,53 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerGroupName": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "workspaceManagerGroup": { + "properties": { + "description": "Group of all financial and banking institutions", + "displayName": "Banks", + "memberResourceNames": [ + "afbd324f-6c48-459c-8710-8d1e1cd03812", + "f5fa104e-c0e3-4747-9182-d342dc048a9e" + ] + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerGroups/37207a7a-3b8a-438f-a559-c7df400e1b96", + "etag": "\"ac04c9ad-4b3c-4e13-b511-8c2225e46521\"", + "name": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "type": "Microsoft.SecurityInsights/workspaceManagerGroups", + "properties": { + "description": "Group of all financial and banking institutions", + "displayName": "Banks", + "memberResourceNames": [ + "afbd324f-6c48-459c-8710-8d1e1cd03812", + "f5fa104e-c0e3-4747-9182-d342dc048a9e" + ] + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerGroups/37207a7a-3b8a-438f-a559-c7df400e1b96", + "etag": "\"ac04c9ad-4b3c-4e13-b511-8c2225e46521\"", + "name": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "type": "Microsoft.SecurityInsights/workspaceManagerGroups", + "properties": { + "description": "Group of all financial and banking institutions", + "displayName": "Banks", + "memberResourceNames": [ + "afbd324f-6c48-459c-8710-8d1e1cd03812", + "f5fa104e-c0e3-4747-9182-d342dc048a9e" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/DeleteWorkspaceManagerGroup.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/DeleteWorkspaceManagerGroup.json new file mode 100644 index 000000000000..27a690af4aff --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/DeleteWorkspaceManagerGroup.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerGroupName": "37207a7a-3b8a-438f-a559-c7df400e1b96" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetAllWorkspaceManagerGroups.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetAllWorkspaceManagerGroups.json new file mode 100644 index 000000000000..27b0ad202614 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetAllWorkspaceManagerGroups.json @@ -0,0 +1,30 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerGroups/37207a7a-3b8a-438f-a559-c7df400e1b96", + "etag": "\"ac04c9ad-4b3c-4e13-b511-8c2225e46521\"", + "name": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "type": "Microsoft.SecurityInsights/workspaceManagerGroups", + "properties": { + "description": "Group of all financial and banking institutions", + "displayName": "Banks", + "memberResourceNames": [ + "afbd324f-6c48-459c-8710-8d1e1cd03812", + "f5fa104e-c0e3-4747-9182-d342dc048a9e" + ] + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetWorkspaceManagerGroup.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetWorkspaceManagerGroup.json new file mode 100644 index 000000000000..fd16dfc01923 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/workspaceManagerGroups/GetWorkspaceManagerGroup.json @@ -0,0 +1,27 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "workspaceManagerGroupName": "37207a7a-3b8a-438f-a559-c7df400e1b96" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/workspaceManagerGroups/37207a7a-3b8a-438f-a559-c7df400e1b96", + "etag": "\"ac04c9ad-4b3c-4e13-b511-8c2225e46521\"", + "name": "37207a7a-3b8a-438f-a559-c7df400e1b96", + "type": "Microsoft.SecurityInsights/workspaceManagerGroups", + "properties": { + "description": "Group of all financial and banking institutions", + "displayName": "Banks", + "memberResourceNames": [ + "afbd324f-6c48-459c-8710-8d1e1cd03812", + "f5fa104e-c0e3-4747-9182-d342dc048a9e" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index a51631e02449..2d15641d9690 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -58,6 +58,7 @@ input-file: - Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/TriggeredAnalyticsRuleRuns.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Watchlists.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json From ac6b0d633c75756f8c3e6fed27c0f2ab84e16c90 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Sun, 26 Mar 2023 20:07:54 -0700 Subject: [PATCH 08/14] [Hunts] Add hunts to Sentinel 2023-04-01-preview version (#23139) * Add hunts files * Include update in 200 description and add defaults * Add back 201 * Update relation properties * Update example --------- Co-authored-by: Derrick Lee --- .../preview/2023-04-01-preview/Hunts.json | 992 ++++++++++++++++++ .../examples/hunts/CreateHunt.json | 100 ++ .../examples/hunts/CreateHuntComment.json | 56 + .../examples/hunts/CreateHuntRelation.json | 53 + .../examples/hunts/DeleteHunt.json | 14 + .../examples/hunts/DeleteHuntComment.json | 15 + .../examples/hunts/DeleteHuntRelation.json | 15 + .../examples/hunts/GetHuntById.json | 43 + .../examples/hunts/GetHuntCommentById.json | 32 + .../examples/hunts/GetHuntComments.json | 27 + .../examples/hunts/GetHuntRelationById.json | 29 + .../examples/hunts/GetHuntRelations.json | 32 + .../examples/hunts/GetHunts.json | 46 + .../resource-manager/readme.md | 1 + 14 files changed, 1455 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHunt.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntComment.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntRelation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHunt.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntComment.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntRelation.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntCommentById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntComments.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelationById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHunts.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json new file mode 100644 index 000000000000..8a56ee4b05d2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json @@ -0,0 +1,992 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/hunts": { + "get": { + "x-ms-examples": { + "Get all hunts.": { + "$ref": "./examples/hunts/GetHunts.json" + } + }, + "tags": [ + "Hunts" + ], + "description": "Gets all hunts, without relations and comments.", + "operationId": "Hunts_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/HuntList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/hunts/{huntId}": { + "get": { + "x-ms-examples": { + "Get a hunt.": { + "$ref": "./examples/hunts/GetHuntById.json" + } + }, + "tags": [ + "Hunts" + ], + "description": "Gets a hunt, without relations and comments.", + "operationId": "Hunts_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Hunt" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a hunt.": { + "$ref": "./examples/hunts/DeleteHunt.json" + } + }, + "tags": [ + "Hunts" + ], + "description": "Delete a hunt.", + "operationId": "Hunts_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a hunt.": { + "$ref": "./examples/hunts/CreateHunt.json" + } + }, + "tags": [ + "Hunts" + ], + "description": "Create or update a hunt", + "operationId": "Hunts_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/Hunt" + } + ], + "responses": { + "200": { + "description": "Create or update the Hunt", + "schema": { + "$ref": "#/definitions/Hunt" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Hunt" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/hunts/{huntId}/relations": { + "get": { + "x-ms-examples": { + "Get all hunt relations.": { + "$ref": "./examples/hunts/GetHuntRelations.json" + } + }, + "tags": [ + "HuntRelations" + ], + "description": "Gets all hunt relations", + "operationId": "HuntRelations_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/HuntRelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/hunts/{huntId}/relations/{huntRelationId}": { + "get": { + "x-ms-examples": { + "Get a hunt relation.": { + "$ref": "./examples/hunts/GetHuntRelationById.json" + } + }, + "tags": [ + "HuntRelations" + ], + "description": "Gets a hunt relation", + "operationId": "HuntRelations_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/HuntRelationId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/HuntRelation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a hunt relation.": { + "$ref": "./examples/hunts/DeleteHuntRelation.json" + } + }, + "tags": [ + "HuntRelations" + ], + "description": "Delete a hunt relation.", + "operationId": "HuntRelations_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/HuntRelationId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a hunt relation.": { + "$ref": "./examples/hunts/CreateHuntRelation.json" + } + }, + "tags": [ + "HuntRelations" + ], + "description": "Creates or updates a hunt relation.", + "operationId": "HuntRelations_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/HuntRelationId" + }, + { + "$ref": "#/parameters/HuntRelation" + } + ], + "responses": { + "200": { + "description": "Create or update the hunt relation", + "schema": { + "$ref": "#/definitions/HuntRelation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/HuntRelation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/hunts/{huntId}/comments": { + "get": { + "x-ms-examples": { + "Get all hunt comments.": { + "$ref": "./examples/hunts/GetHuntComments.json" + } + }, + "tags": [ + "HuntComments" + ], + "description": "Gets all hunt comments", + "operationId": "HuntComments_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/HuntCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/hunts/{huntId}/comments/{huntCommentId}": { + "get": { + "x-ms-examples": { + "Get a hunt comment.": { + "$ref": "./examples/hunts/GetHuntCommentById.json" + } + }, + "tags": [ + "HuntComments" + ], + "description": "Gets a hunt comment", + "operationId": "HuntComments_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/HuntCommentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/HuntComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a hunt comment.": { + "$ref": "./examples/hunts/DeleteHuntComment.json" + } + }, + "tags": [ + "HuntComments" + ], + "description": "Delete a hunt comment.", + "operationId": "HuntComments_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/HuntCommentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a hunt comment.": { + "$ref": "./examples/hunts/CreateHuntComment.json" + } + }, + "tags": [ + "HuntComments" + ], + "description": "Creates or updates a hunt relation.", + "operationId": "HuntComments_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/HuntId" + }, + { + "$ref": "#/parameters/HuntCommentId" + }, + { + "$ref": "#/parameters/HuntComment" + } + ], + "responses": { + "200": { + "description": "Create or update the hunt comment", + "schema": { + "$ref": "#/definitions/HuntComment" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/HuntComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "HuntList": { + "description": "List all the hunts.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of hunts.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of hunts.", + "items": { + "$ref": "#/definitions/Hunt" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Hunt": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Hunt in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/HuntProperties", + "description": "Hunt properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "HuntProperties": { + "description": "Describes hunt properties", + "properties": { + "displayName": { + "description": "The display name of the hunt", + "type": "string" + }, + "description": { + "description": "The description of the hunt", + "type": "string" + }, + "status": { + "description": "The status of the hunt.", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "status" + }, + "default": "New" + }, + "hypothesisStatus": { + "description": "The hypothesis status of the hunt.", + "enum": [ + "Unknown", + "Invalidated", + "Validated" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "hypothesisStatus" + }, + "default": "Unknown" + }, + "attackTactics": { + "description": "A list of mitre attack tactics the hunt is associated with", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "type": "array" + }, + "attackTechniques": { + "description": "A list of a mitre attack techniques the hunt is associated with", + "items": { + "description": "Attack Technique", + "type": "string" + }, + "type": "array" + }, + "labels": { + "description": "List of labels relevant to this hunt ", + "items": { + "$ref": "../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array" + }, + "owner": { + "$ref": "#/definitions/HuntOwner" + } + }, + "required": [ + "displayName", + "description" + ], + "type": "object" + }, + "HuntRelationList": { + "description": "List of all the hunt relations", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of hunt relations.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of hunt relations", + "items": { + "$ref": "#/definitions/HuntRelation" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "HuntRelation": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Hunt Relation in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/HuntRelationProperties", + "description": "Hunt Relation properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "HuntRelationProperties": { + "description": "Describes hunt relation properties", + "properties": { + "relatedResourceId": { + "description": "The id of the related resource", + "type": "string" + }, + "relatedResourceName": { + "description": "The name of the related resource", + "type": "string", + "readOnly": true + }, + "relationType": { + "description": "The type of the hunt relation", + "type": "string", + "readOnly": true + }, + "relatedResourceKind": { + "description": "The resource that the relation is related to", + "type": "string", + "readOnly": true + }, + "labels": { + "description": "List of labels relevant to this hunt", + "items": { + "$ref": "../../../common/2.0/types.json#/definitions/Label" + }, + "type": "array" + } + }, + "required": [ + "relatedResourceId" + ], + "type": "object" + }, + "HuntCommentList": { + "description": "List of all hunt comments", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of hunt comments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of hunt comments", + "items": { + "$ref": "#/definitions/HuntComment" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value" + ] + }, + "HuntComment": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Hunt Comment in Azure Security Insights", + "properties": { + "properties": { + "$ref": "#/definitions/HuntCommentProperties", + "description": "Hunt Comment properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "HuntCommentProperties": { + "description": "Describes a hunt comment properties", + "properties": { + "message": { + "description": "The message for the comment", + "type": "string" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "HuntOwner": { + "description": "Describes a user that the hunt is assigned to", + "type": "object", + "properties": { + "email": { + "description": "The email of the user the hunt is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the hunt is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the hunt is assigned to.", + "format": "uuid", + "type": "string", + "x-nullable": true + }, + "userPrincipalName": { + "description": "The user principal name of the user the hunt is assigned to.", + "type": "string" + }, + "ownerType": { + "description": "The type of the owner the hunt is assigned to.", + "type": "string", + "enum": [ + "Unknown", + "User", + "Group" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "OwnerType", + "values": [ + { + "description": "The hunt owner type is unknown", + "value": "Unknown" + }, + { + "description": "The hunt owner type is an AAD user", + "value": "User" + }, + { + "description": "The hunt owner type is an AAD group", + "value": "Group" + } + ] + } + } + } + } + }, + "parameters": { + "Hunt": { + "description": "The hunt", + "name": "hunt", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/Hunt" + }, + "x-ms-parameter-location": "method" + }, + "HuntId": { + "description": "The hunt id (GUID)", + "in": "path", + "name": "huntId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "HuntRelation": { + "description": "The hunt relation", + "in": "body", + "name": "huntRelation", + "required": true, + "schema": { + "$ref": "#/definitions/HuntRelation" + }, + "x-ms-parameter-location": "method" + }, + "HuntRelationId": { + "description": "The hunt relation id (GUID)", + "in": "path", + "name": "huntRelationId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "HuntComment": { + "description": "The hunt comment", + "in": "body", + "name": "huntComment", + "required": true, + "schema": { + "$ref": "#/definitions/HuntComment" + }, + "x-ms-parameter-location": "method" + }, + "HuntCommentId": { + "description": "The hunt comment id (GUID)", + "in": "path", + "name": "huntCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHunt.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHunt.json new file mode 100644 index 000000000000..a1c2ee4c0fe8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHunt.json @@ -0,0 +1,100 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "hunt": { + "properties": { + "displayName": "Log4J new hunt", + "description": "Log4J Hunt Description", + "status": "New", + "hypothesisStatus": "Unknown", + "attackTactics": [ + "Reconnaissance" + ], + "attackTechniques": [ + "T1595" + ], + "labels": [ + "Label1", + "Label2" + ], + "owner": { + "objectId": "873b5263-5d34-4149-b356-ad341b01e123" + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f", + "name": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "etag": "\"de00c408-0000-0c00-0000-62741e350000\"", + "type": "Microsoft.SecurityInsights/hunts", + "properties": { + "displayName": "Log4J new hunt", + "description": "Log4J Hunt Description", + "status": "New", + "hypothesisStatus": "Unknown", + "attackTactics": [ + "Reconnaissance" + ], + "attackTechniques": [ + "T1595" + ], + "huntStartTimeUtc": "2022-03-11T09:47:15.438Z", + "huntEndTimeUtc": "2022-03-12T09:47:15.438Z", + "labels": [ + "Label1", + "Label2" + ], + "owner": { + "objectId": "873b5263-5d34-4149-b356-ad341b01e123", + "email": "testemail@microsoft.com", + "assignedTo": null, + "userPrincipalName": "John Doe", + "ownerType": "User" + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f", + "name": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "etag": "\"de00c408-0000-0c00-0000-62741e350000\"", + "type": "Microsoft.SecurityInsights/hunts", + "properties": { + "displayName": "Log4J new hunt", + "description": "Log4J Hunt Description", + "status": "New", + "hypothesisStatus": "Unknown", + "attackTactics": [ + "Reconnaissance" + ], + "attackTechniques": [ + "T1595" + ], + "huntSequenceNumber": 0, + "huntStartTimeUtc": "2022-03-11T09:47:15.438Z", + "huntEndTimeUtc": "2022-03-12T09:47:15.438Z", + "labels": [ + "Label1", + "Label2" + ], + "owner": { + "objectId": "873b5263-5d34-4149-b356-ad341b01e123", + "email": "testemail@microsoft.com", + "assignedTo": null, + "userPrincipalName": "John Doe", + "ownerType": "User" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntComment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntComment.json new file mode 100644 index 000000000000..da777a0eff38 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntComment.json @@ -0,0 +1,56 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "huntCommentId": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "huntComment": { + "properties": { + "message": "This is a test comment." + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/comments/2216d0e1-91e3-4902-89fd-d2df8c123456", + "name": "2216d0e1-91e3-4902-89fd-d2df8c123456", + "etag": "\"3102f74d-0000-0c00-0000-629e6e050000\"", + "type": "Microsoft.SecurityInsights/hunts/comments", + "systemData": { + "createdAt": "2021-08-15T16:42:38.8709453Z", + "createdBy": "testuser@microsoft.com", + "createdByType": "User", + "lastModifiedAt": "2021-08-19T16:42:38.8709453Z", + "lastModifiedBy": "testuser@microsoft.com", + "lastModifiedByType": "User" + }, + "properties": { + "message": "This is a test comment." + } + } + }, + "201": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/comments/2216d0e1-91e3-4902-89fd-d2df8c123456", + "name": "2216d0e1-91e3-4902-89fd-d2df8c123456", + "etag": "\"3102f74d-0000-0c00-0000-629e6e050000\"", + "type": "Microsoft.SecurityInsights/hunts/comments", + "systemData": { + "createdAt": "2021-08-15T16:42:38.8709453Z", + "createdBy": "testuser@microsoft.com", + "createdByType": "User", + "lastModifiedAt": "2021-08-19T16:42:38.8709453Z", + "lastModifiedBy": "testuser@microsoft.com", + "lastModifiedByType": "User" + }, + "properties": { + "message": "This is a test comment." + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntRelation.json new file mode 100644 index 000000000000..726b97588a43 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/CreateHuntRelation.json @@ -0,0 +1,53 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "huntRelationId": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "huntRelation": { + "properties": { + "relatedResourceId": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "labels": [ + "Test Label" + ] + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/relations/2216d0e1-91e3-4902-89fd-d2df8c535096", + "name": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "etag": "\"26012da2-0000-0c00-0000-627ad2760000\"", + "type": "Microsoft.SecurityInsights/hunts/relations", + "properties": { + "relatedResourceId": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/Bookmarks", + "labels": [ + "Test Label" + ] + } + } + }, + "201": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/relations/2216d0e1-91e3-4902-89fd-d2df8c535096", + "name": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "etag": "\"26012da2-0000-0c00-0000-627ad2760000\"", + "type": "Microsoft.SecurityInsights/hunts/relations", + "properties": { + "relatedResourceId": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/Bookmarks", + "labels": [ + "Test Label" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHunt.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHunt.json new file mode 100644 index 000000000000..9b3629f8dbd6 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHunt.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntComment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntComment.json new file mode 100644 index 000000000000..d7d06a1e93f2 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntComment.json @@ -0,0 +1,15 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "huntCommentId": "2216d0e1-91e3-4902-89fd-d2df8c123456" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntRelation.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntRelation.json new file mode 100644 index 000000000000..5c0f6c22d7a8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/DeleteHuntRelation.json @@ -0,0 +1,15 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "huntRelationId": "2216d0e1-91e3-4902-89fd-d2df8c535096" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntById.json new file mode 100644 index 000000000000..5d0d0c8fa2ab --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntById.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f", + "name": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "etag": "\"de00c408-0000-0c00-0000-62741e350000\"", + "type": "Microsoft.SecurityInsights/hunts", + "properties": { + "displayName": "Log4J new hunt ", + "description": "Log4J Hunt Description", + "status": "New", + "hypothesisStatus": "Unknown", + "attackTactics": [ + "Reconnaissance" + ], + "attackTechniques": [ + "T1595" + ], + "labels": [ + "Label1", + "Label2" + ], + "owner": { + "objectId": "873b5263-5d34-4149-b356-ad341b01e123", + "email": "testemail@microsoft.com", + "assignedTo": null, + "userPrincipalName": "John Doe", + "ownerType": "User" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntCommentById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntCommentById.json new file mode 100644 index 000000000000..696da8abc75e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntCommentById.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "huntCommentId": "2216d0e1-91e3-4902-89fd-d2df8c535096" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/comments/2216d0e1-91e3-4902-89fd-d2df8c123456", + "name": "2216d0e1-91e3-4902-89fd-d2df8c123456", + "etag": "\"3102f74d-0000-0c00-0000-629e6e050000\"", + "type": "Microsoft.SecurityInsights/hunts/comments", + "systemData": { + "createdAt": "2021-08-15T16:42:38.8709453Z", + "createdBy": "testuser@microsoft.com", + "createdByType": "User", + "lastModifiedAt": "2021-08-19T16:42:38.8709453Z", + "lastModifiedBy": "testuser@microsoft.com", + "lastModifiedByType": "User" + }, + "properties": { + "message": "This is a comment." + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntComments.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntComments.json new file mode 100644 index 000000000000..d742876058fc --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntComments.json @@ -0,0 +1,27 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/comments/2216d0e1-91e3-4902-89fd-d2df8c123456", + "name": "2216d0e1-91e3-4902-89fd-d2df8c123456", + "etag": "\"3102f74d-0000-0c00-0000-629e6e050000\"", + "type": "Microsoft.SecurityInsights/hunts/comments", + "properties": { + "message": "This is a test comment." + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelationById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelationById.json new file mode 100644 index 000000000000..f50b08fc89bd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelationById.json @@ -0,0 +1,29 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f", + "huntRelationId": "2216d0e1-91e3-4902-89fd-d2df8c535096" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/relations/2216d0e1-91e3-4902-89fd-d2df8c535096", + "name": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "etag": "\"26012da2-0000-0c00-0000-627ad2760000\"", + "type": "Microsoft.SecurityInsights/hunts/relations", + "properties": { + "relatedResourceId": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/Bookmarks", + "labels": [ + "label1" + ] + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelations.json new file mode 100644 index 000000000000..fa64afc4600f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHuntRelations.json @@ -0,0 +1,32 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "huntId": "163e7b2a-a2ec-4041-aaba-d878a38f265f" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/hunts/163e7b2a-a2ec-4041-aaba-d878a38f265f/relations/2216d0e1-91e3-4902-89fd-d2df8c535096", + "name": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "etag": "\"26012da2-0000-0c00-0000-627ad2760000\"", + "type": "Microsoft.SecurityInsights/hunts/relations", + "properties": { + "relatedResourceId": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/mms-eus/providers/Microsoft.OperationalInsights/workspaces/avdvirint/providers/Microsoft.SecurityInsights/Bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceName": "2216d0e1-91e3-4902-89fd-d2df8c535096", + "relatedResourceType": "Microsoft.SecurityInsights/Bookmarks", + "labels": [ + "label1" + ] + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHunts.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHunts.json new file mode 100644 index 000000000000..5f61b5ffb5e4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/hunts/GetHunts.json @@ -0,0 +1,46 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/hunts/b372ee75-2cad-4b71-8917-d5d5df9315b5", + "name": "b372ee75-2cad-4b71-8917-d5d5df9315b5", + "etag": "\"de00c408-0000-0c00-0000-62741e350000\"", + "type": "Microsoft.SecurityInsights/hunts", + "properties": { + "displayName": "Log4J new hunt", + "description": "Log4J Hunt Description", + "status": "New", + "hypothesisStatus": "Unknown", + "attackTactics": [ + "Reconnaissance" + ], + "attackTechniques": [ + "T1595" + ], + "labels": [ + "Label1", + "Label2" + ], + "owner": { + "objectId": "873b5263-5d34-4149-b356-ad341b01e123", + "email": "testemail@microsoft.com", + "assignedTo": null, + "userPrincipalName": "John Doe", + "ownerType": "User" + } + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 2d15641d9690..1d4bf91ce786 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -47,6 +47,7 @@ input-file: - Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueryTemplates.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/FileImports.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/Hunts.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Metadata.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/OfficeConsents.json From 57522675ad9c4e9174d50679469308ddae990f42 Mon Sep 17 00:00:00 2001 From: Anat Gilenson <53407600+anat-gilenson@users.noreply.github.com> Date: Fri, 31 Mar 2023 05:14:46 +0300 Subject: [PATCH 09/14] Add readonly flag to providerName property (#23259) --- .../preview/2023-04-01-preview/Incidents.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json index db91c35f690b..e97b5fea8391 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Incidents.json @@ -1386,7 +1386,8 @@ }, "providerName": { "description": "The name of the source provider that generated the incident", - "type": "string" + "type": "string", + "readOnly": true }, "providerIncidentId": { "description": "The incident ID assigned by the incident provider", From dff7fe5dd60ba810f1c67d4e509a1f129ae60084 Mon Sep 17 00:00:00 2001 From: xuhumsft <116764429+xuhumsft@users.noreply.github.com> Date: Mon, 3 Apr 2023 00:01:41 -0700 Subject: [PATCH 10/14] sentinel content hub package and template API (#23151) * commit for content template and content package API * fix issues reported by swagger lint * add 201 for put requests in template service * resolve the comments * resolve comments in packageId * resolve comments --- .../2023-04-01-preview/ContentPackages.json | 453 ++++++++++++++++++ .../ContentProductPackages.json | 297 ++++++++++++ .../ContentProductTemplates.json | 298 ++++++++++++ .../2023-04-01-preview/ContentTemplates.json | 400 ++++++++++++++++ .../common/ContentCommonTypes.json | 429 +++++++++++++++++ .../contentPackages/GetPackageById.json | 33 ++ .../examples/contentPackages/GetPackages.json | 38 ++ .../GetProductPackageById.json | 75 +++ .../contentPackages/GetProductPackages.json | 77 +++ .../contentPackages/InstallPackage.json | 148 ++++++ .../contentPackages/UninstallPackage.json | 13 + .../contentTemplates/DeleteTemplate.json | 13 + .../GetProductTemplateById.json | 41 ++ .../contentTemplates/GetProductTemplates.json | 43 ++ .../contentTemplates/GetTemplateById.json | 39 ++ .../contentTemplates/GetTemplates.json | 41 ++ .../contentTemplates/InstallTemplate.json | 222 +++++++++ .../resource-manager/readme.md | 4 + 18 files changed, 2664 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ContentCommonTypes.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackageById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackages.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackageById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackages.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/InstallPackage.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/UninstallPackage.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/DeleteTemplate.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplateById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplateById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplates.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/InstallTemplate.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json new file mode 100644 index 000000000000..1d28166e33ff --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json @@ -0,0 +1,453 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentPackages": { + "get": { + "x-ms-examples": { + "Get all available packages.": { + "$ref": "./examples/contentPackages/GetPackages.json" + } + }, + "tags": [ + "ContentPackages" + ], + "description": "Gets all installed packages.", + "operationId": "ContentPackages_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/packageList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentPackages/{packageId}": { + "get": { + "x-ms-examples": { + "Get installed packages by id.": { + "$ref": "./examples/contentPackages/GetPackageById.json" + } + }, + "tags": [ + "ContentPackages" + ], + "description": "Gets an installed packages by its id.", + "operationId": "ContentPackages_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/PackageIdParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/packageModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Install a package to the workspace.": { + "$ref": "./examples/contentPackages/InstallPackage.json" + } + }, + "tags": [ + "ContentPackages" + ], + "description": "Install a package to the workspace.", + "operationId": "ContentPackage_Install", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/PackageIdParameter" + }, + { + "$ref": "#/parameters/PackageInstallationProperties" + } + ], + "responses": { + "200": { + "description": "OK, create or update a instance", + "schema": { + "$ref": "#/definitions/packageModel" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/packageModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Uninstall a package from the workspace.": { + "$ref": "./examples/contentPackages/UninstallPackage.json" + } + }, + "tags": [ + "ContentPackages" + ], + "description": "Uninstall a package from the workspace.", + "operationId": "ContentPackage_Uninstall", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/PackageIdParameter" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "packageList": { + "description": "List available packages.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of packages.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of packages.", + "items": { + "$ref": "#/definitions/packageModel" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "packageModel": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Package in Azure Security Insights.", + "properties": { + "properties": { + "description": "package properties", + "$ref": "#/definitions/packageProperties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "packageProperties": { + "description": "Describes package properties", + "properties": { + "contentId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "The package id" + }, + "contentKind": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPackageKind", + "description": "The package kind" + }, + "contentSchemaVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "The version of the content schema." + }, + "isNew": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataTrueFalseFlag", + "description": "Flag indicates if this is a newly published package." + }, + "isPreview": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataTrueFalseFlag", + "description": "Flag indicates if this package is in preview." + }, + "isFeatured": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataTrueFalseFlag", + "description": "Flag indicates if this package is among the featured list." + }, + "version": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "the latest version number of the package" + }, + "displayName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "The display name of the package" + }, + "description": { + "description": "The description of the package", + "type": "string" + }, + "publisherDisplayName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "The publisher display name of the package" + }, + "source": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSource", + "description": "The source of the package" + }, + "author": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataAuthor", + "description": "The author of the package" + }, + "support": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSupport", + "description": "The support tier of the package" + }, + "dependencies": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDependencies", + "description": "The support tier of the package" + }, + "providers": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataProviders", + "description": "Providers for the package item" + }, + "firstPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataFirstPublishDate", + "description": "first publish date package item" + }, + "lastPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataLastPublishDate", + "description": "last publish date for the package item" + }, + "categories": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataCategories", + "description": "The categories of the package" + }, + "threatAnalysisTactics": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTactics", + "description": "the tactics the resource covers" + }, + "threatAnalyticsTechniques": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTechniques", + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "icon": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataIcon", + "description": "the icon identifier. this id can later be fetched from the content metadata" + } + }, + "required": [ + "contentId", + "contentKind", + "version", + "displayName" + ], + "type": "object" + }, + "metadataDependencies": { + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.", + "type": "object", + "properties": { + "contentId": { + "description": "Id of the content item we depend on", + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId" + }, + "kind": { + "description": "Type of the content item we depend on", + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataKind" + }, + "version": { + "description": "Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required.", + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion" + }, + "name": { + "description": "Name of the content item", + "type": "string" + }, + "operator": { + "description": "Operator used for list of dependencies in criteria array.", + "type": "string", + "enum": [ + "AND", + "OR" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "operator", + "values": [ + { + "value": "AND" + }, + { + "value": "OR" + } + ] + } + }, + "criteria": { + "description": "This is the list of dependencies we must fulfill, according to the AND/OR operator", + "type": "array", + "items": { + "$ref": "#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + }, + "x-ms-identifiers": [], + "example": [ + { + "kind": "DataConnector", + "contentId": "68b1de8a-b635-430d-b208-01ba3dda5877", + "version": "1.0.0" + }, + { + "kind": "Workbook", + "contentId": "ad903b46-9905-4504-9825-3bcce796da8e", + "version": "1.0.0" + } + ] + } + } + } + }, + "parameters": { + "PackageIdParameter": { + "description": "package Id", + "in": "path", + "name": "packageId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "PackageInstallationProperties": { + "description": "Package installation properties", + "in": "body", + "name": "packageInstallationProperties", + "required": true, + "schema": { + "$ref": "#/definitions/packageModel" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json new file mode 100644 index 000000000000..548d002124d4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json @@ -0,0 +1,297 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentProductPackages": { + "get": { + "x-ms-examples": { + "Get all available packages.": { + "$ref": "./examples/contentPackages/GetProductPackages.json" + } + }, + "tags": [ + "ContentProductPackages" + ], + "description": "Gets all packages from the catalog.", + "operationId": "ProductPackages_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/packageList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentProductPackages/{packageId}": { + "get": { + "x-ms-examples": { + "Get a package.": { + "$ref": "./examples/contentPackages/GetProductPackageById.json" + } + }, + "tags": [ + "ContentProductPackages" + ], + "description": "Gets a package by its identifier from the catalog.", + "operationId": "ProductPackage_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/PackageIdParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/packageModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "packageList": { + "description": "List available packages.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of packages.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of packages.", + "items": { + "$ref": "#/definitions/packageModel" + }, + "type": "array" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "packageModel": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Package in Azure Security Insights.", + "properties": { + "properties": { + "description": "package properties", + "$ref": "#/definitions/packageProperties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "packageProperties": { + "description": "Describes package properties", + "properties": { + "contentId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "The content id of the package" + }, + "contentKind": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPackageKind", + "description": "The package kind" + }, + "installedVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "The version of the installed package, null or absent means not installed." + }, + "contentSchemaVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "The version of the content schema." + }, + "resourceId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "The metadata resource id." + }, + "isNew": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataTrueFalseFlag", + "description": "Flag indicates if this is a newly published package." + }, + "isPreview": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataTrueFalseFlag", + "description": "Flag indicates if this package is in preview." + }, + "isFeatured": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataTrueFalseFlag", + "description": "Flag indicates if this package is among the featured list." + }, + "version": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "the latest version number of the package" + }, + "displayName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "The display name of the package" + }, + "description": { + "description": "The description of the package", + "type": "string" + }, + "publisherDisplayName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "The publisher display name of the package" + }, + "source": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSource", + "description": "The source of the package" + }, + "author": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataAuthor", + "description": "The author of the package" + }, + "support": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSupport", + "description": "The support tier of the package" + }, + "dependencies": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDependencies", + "description": "The support tier of the package" + }, + "providers": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataProviders", + "description": "Providers for the package item" + }, + "firstPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataFirstPublishDate", + "description": "first publish date package item" + }, + "lastPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataLastPublishDate", + "description": "last publish date for the package item" + }, + "categories": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataCategories", + "description": "The categories of the package" + }, + "threatAnalysisTactics": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTactics", + "description": "the tactics the resource covers" + }, + "threatAnalyticsTechniques": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTechniques", + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "icon": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataIcon", + "description": "the icon identifier. this id can later be fetched from the content metadata" + }, + "packagedContent": { + "type": "object", + "description": "the json to deploy" + } + }, + "required": [ + "contentId", + "contentKind", + "version", + "displayName" + ], + "type": "object" + } + }, + "parameters": { + "PackageIdParameter": { + "description": "package Id", + "in": "path", + "name": "packageId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductTemplates.json new file mode 100644 index 000000000000..5c8c7ab9d1ce --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductTemplates.json @@ -0,0 +1,298 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentProductTemplates": { + "get": { + "x-ms-examples": { + "Get all installed templates.": { + "$ref": "./examples/contentTemplates/GetProductTemplates.json" + } + }, + "tags": [ + "ContentProductTemplates" + ], + "description": "Gets all templates in the catalog.", + "operationId": "ProductTemplates_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/templateList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentproducttemplates/{templateId}": { + "get": { + "x-ms-examples": { + "Get a template.": { + "$ref": "./examples/contentTemplates/GetProductTemplateById.json" + } + }, + "tags": [ + "ContentProductTemplates" + ], + "description": "Gets a template by its identifier.", + "operationId": "ProductTemplate_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/templateIdParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/templateModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "templateList": { + "description": "List of all the template.", + "type": "object", + "properties": { + "value": { + "description": "Array of templates.", + "items": { + "$ref": "#/definitions/templateModel" + }, + "type": "array" + }, + "nextLink": { + "description": "URL to fetch the next page of template.", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "value" + ] + }, + "templateModel": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Template resource definition.", + "properties": { + "properties": { + "description": "template properties", + "$ref": "#/definitions/templateProperties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "templateProperties": { + "description": "Template property bag.", + "required": [ + "contentId", + "version", + "displayName", + "contentKind", + "source" + ], + "type": "object", + "properties": { + "contentId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name" + }, + "parentId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataParentId", + "description": "Full parent resource ID of the content item the template is for. This is the full resource ID including the scope (subscription and resource group)" + }, + "version": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks" + }, + "displayName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "The display name of the template" + }, + "contentKind": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataKind", + "description": "The kind of content the template is for." + }, + "source": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSource", + "description": "Source of the content. This is where/how it was created." + }, + "author": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataAuthor", + "description": "The creator of the content item." + }, + "support": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSupport", + "description": "Support information for the template - type, name, contact information" + }, + "dependencies": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + }, + "categories": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataCategories", + "description": "Categories for the item" + }, + "providers": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataProviders", + "description": "Providers for the content item" + }, + "firstPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataFirstPublishDate", + "description": "first publish date content item" + }, + "lastPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataLastPublishDate", + "description": "last publish date for the content item" + }, + "customVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataCustomVersion", + "description": "The custom version of the content. A optional free text" + }, + "contentSchemaVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentSchemaVersion", + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version" + }, + "icon": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataIcon", + "description": "the icon identifier. this id can later be fetched from the content metadata" + }, + "threatAnalysisTactics": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTactics", + "description": "the tactics the resource covers" + }, + "threatAnalysisTechniques": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTechniques", + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "previewImages": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPreviewImages", + "description": "preview image file names. These will be taken from the solution artifacts" + }, + "previewImagesDark": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPreviewImagesDark", + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support" + }, + "packageId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "the package Id contains this template" + }, + "packageKind": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPackageKind", + "description": "the packageKind of the package contains this template" + }, + "packageName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "the name of the package contains this template" + }, + "packagedContent": { + "type": "object", + "description": "the json to deploy" + } + } + } + }, + "parameters": { + "templateIdParameter": { + "description": "template Id", + "in": "path", + "name": "templateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json new file mode 100644 index 000000000000..edb4f0dd35fb --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json @@ -0,0 +1,400 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2023-04-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentTemplates": { + "get": { + "x-ms-examples": { + "Get all installed templates.": { + "$ref": "./examples/contentTemplates/GetTemplates.json" + } + }, + "tags": [ + "ContentTemplates" + ], + "description": "Gets all installed templates.", + "operationId": "ContentTemplates_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataFilter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataOrderBy" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataTop" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/templateList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentTemplates/{templateId}": { + "put": { + "x-ms-examples": { + "Get a template.": { + "$ref": "./examples/contentTemplates/InstallTemplate.json" + } + }, + "tags": [ + "ContentTemplates" + ], + "description": "Install a template.", + "operationId": "ContentTemplate_Install", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/templateIdParameter" + }, + { + "$ref": "#/parameters/templateInstallationProperties" + } + ], + "responses": { + "200": { + "description": "OK, create or update a instance", + "schema": { + "$ref": "#/definitions/templateModel" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/templateModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "get": { + "x-ms-examples": { + "Get a template.": { + "$ref": "./examples/contentTemplates/GetTemplateById.json" + } + }, + "tags": [ + "ContentTemplates" + ], + "description": "Gets a template byt its identifier.", + "operationId": "ContentTemplate_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/templateIdParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/templateModel" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete metadata.": { + "$ref": "./examples/contentTemplates/DeleteTemplate.json" + } + }, + "tags": [ + "ContentTemplates" + ], + "description": "Delete an installed template.", + "operationId": "ContentTemplate_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/templateIdParameter" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "templateList": { + "description": "List of all the template.", + "type": "object", + "properties": { + "value": { + "description": "Array of templates.", + "items": { + "$ref": "#/definitions/templateModel" + }, + "type": "array" + }, + "nextLink": { + "description": "URL to fetch the next page of template.", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "value" + ] + }, + "templateModel": { + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Template resource definition.", + "properties": { + "properties": { + "description": "template properties", + "$ref": "#/definitions/templateProperties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "templateProperties": { + "description": "Template property bag.", + "required": [ + "contentId", + "version", + "displayName", + "contentKind", + "source", + "packageId" + ], + "type": "object", + "properties": { + "contentId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name" + }, + "version": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataVersion", + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks" + }, + "displayName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "The display name of the template" + }, + "contentKind": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataKind", + "description": "The kind of content the template is for." + }, + "source": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSource", + "description": "Source of the content. This is where/how it was created." + }, + "author": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataAuthor", + "description": "The creator of the content item." + }, + "support": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataSupport", + "description": "Support information for the template - type, name, contact information" + }, + "dependencies": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + }, + "categories": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataCategories", + "description": "Categories for the item" + }, + "providers": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataProviders", + "description": "Providers for the content item" + }, + "firstPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataFirstPublishDate", + "description": "first publish date content item" + }, + "lastPublishDate": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataLastPublishDate", + "description": "last publish date for the content item" + }, + "customVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataCustomVersion", + "description": "The custom version of the content. A optional free text" + }, + "contentSchemaVersion": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentSchemaVersion", + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version" + }, + "icon": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataIcon", + "description": "the icon identifier. this id can later be fetched from the content metadata" + }, + "threatAnalysisTactics": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTactics", + "description": "the tactics the resource covers" + }, + "threatAnalysisTechniques": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTechniques", + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "previewImages": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPreviewImages", + "description": "preview image file names. These will be taken from the solution artifacts" + }, + "previewImagesDark": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPreviewImagesDark", + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support" + }, + "packageId": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataContentId", + "description": "the package Id contains this template" + }, + "packageKind": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataPackageKind", + "description": "the packageKind of the package contains this template" + }, + "packageName": { + "$ref": "./common/ContentCommonTypes.json#/definitions/metadataDisplayName", + "description": "the name of the package contains this template" + }, + "mainTemplate": { + "description": "The JSON of the ARM template to deploy active content", + "type": "object" + } + } + } + }, + "parameters": { + "templateIdParameter": { + "description": "template Id", + "in": "path", + "name": "templateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "templateInstallationProperties": { + "description": "Template installation properties", + "in": "body", + "name": "templateInstallationProperties", + "required": true, + "schema": { + "$ref": "#/definitions/templateModel" + }, + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ContentCommonTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ContentCommonTypes.json new file mode 100644 index 000000000000..950754e9a34a --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/ContentCommonTypes.json @@ -0,0 +1,429 @@ +{ + "swagger": "2.0", + "info": { + "version": "2023-04-01-preview", + "title": "Common content metadata types" + }, + "paths": {}, + "definitions": { + "metadataContentId": { + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Can be optionally set for user created content to define dependencies. If an active content item is made from a metadata, both will have the same contentId.", + "type": "string" + }, + "metadataParentId": { + "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)", + "type": "string" + }, + "metadataDisplayName": { + "description": "DisplayName of the content.", + "type": "string" + }, + "metadataVersion": { + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks", + "type": "string" + }, + "metadataPackageKind": { + "description": "The package kind", + "enum": [ + "Solution", + "Standalone" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "packageKind", + "values": [ + { + "value": "Solution" + }, + { + "value": "Standalone" + } + ] + } + }, + "metadataKind": { + "type": "string", + "description": "The kind of content the metadata is for.", + "enum": [ + "DataConnector", + "DataType", + "Workbook", + "WorkbookTemplate", + "Playbook", + "PlaybookTemplate", + "AnalyticsRuleTemplate", + "AnalyticsRule", + "HuntingQuery", + "InvestigationQuery", + "Parser", + "Watchlist", + "WatchlistTemplate", + "Solution", + "AzureFunction", + "LogicAppsCustomConnector", + "AutomationRule" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "kind", + "values": [ + { + "value": "DataConnector" + }, + { + "value": "DataType" + }, + { + "value": "Workbook" + }, + { + "value": "WorkbookTemplate" + }, + { + "value": "Playbook" + }, + { + "value": "PlaybookTemplate" + }, + { + "value": "AnalyticsRuleTemplate" + }, + { + "value": "AnalyticsRule" + }, + { + "value": "HuntingQuery" + }, + { + "value": "InvestigationQuery" + }, + { + "value": "Parser" + }, + { + "value": "Watchlist" + }, + { + "value": "WatchlistTemplate" + }, + { + "value": "Solution" + }, + { + "value": "AzureFunction" + }, + { + "value": "LogicAppsCustomConnector" + }, + { + "value": "AutomationRule" + } + ] + } + }, + "metadataTrueFalseFlag": { + "type": "string", + "description": "The boolean value the metadata is for.", + "enum": [ + "true", + "false" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "flag", + "values": [ + { + "value": "true" + }, + { + "value": "false" + } + ] + } + }, + "metadataSource": { + "description": "The original source of the content item, where it comes from.", + "type": "object", + "required": [ + "kind" + ], + "properties": { + "kind": { + "description": "Source type of the content", + "type": "string", + "enum": [ + "LocalWorkspace", + "Community", + "Solution", + "SourceRepository" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "sourceKind", + "values": [ + { + "value": "LocalWorkspace" + }, + { + "value": "Community" + }, + { + "value": "Solution" + }, + { + "value": "SourceRepository" + } + ] + } + }, + "name": { + "description": "Name of the content source. The repo name, solution name, LA workspace name etc.", + "type": "string" + }, + "sourceId": { + "description": "ID of the content source. The solution ID, workspace ID, etc", + "type": "string" + } + } + }, + "metadataAuthor": { + "type": "object", + "description": "Publisher or creator of the content item.", + "properties": { + "name": { + "description": "Name of the author. Company or person.", + "type": "string" + }, + "email": { + "description": "Email of author contact", + "type": "string" + }, + "link": { + "description": "Link for author/vendor page", + "type": "string" + } + } + }, + "metadataSupport": { + "type": "object", + "description": "Support information for the content item.", + "required": [ + "tier" + ], + "properties": { + "tier": { + "description": "Type of support for content item", + "type": "string", + "enum": [ + "Microsoft", + "Partner", + "Community" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "supportTier", + "values": [ + { + "value": "Microsoft" + }, + { + "value": "Partner" + }, + { + "value": "Community" + } + ] + } + }, + "name": { + "description": "Name of the support contact. Company or person.", + "type": "string" + }, + "email": { + "description": "Email of support contact", + "type": "string" + }, + "link": { + "description": "Link for support help, like to support page to open a ticket etc.", + "type": "string" + } + } + }, + "metadataDependencies": { + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.", + "type": "object", + "properties": { + "contentId": { + "description": "Id of the content item we depend on", + "$ref": "#/definitions/metadataContentId" + }, + "kind": { + "description": "Type of the content item we depend on", + "$ref": "#/definitions/metadataKind" + }, + "version": { + "description": "Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required.", + "$ref": "#/definitions/metadataVersion" + }, + "name": { + "description": "Name of the content item", + "type": "string" + }, + "operator": { + "description": "Operator used for list of dependencies in criteria array.", + "type": "string", + "enum": [ + "AND", + "OR" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "operator", + "values": [ + { + "value": "AND" + }, + { + "value": "OR" + } + ] + } + }, + "criteria": { + "description": "This is the list of dependencies we must fulfill, according to the AND/OR operator", + "type": "array", + "items": { + "$ref": "#/definitions/metadataDependencies", + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats." + }, + "x-ms-identifiers": [ + "contentId" + ] + } + } + }, + "metadataCategories": { + "type": "object", + "description": "ies for the solution content item", + "properties": { + "domains": { + "description": "domain for the solution content item", + "type": "array", + "example": [ + "str1", + "str2", + "str3" + ], + "items": { + "type": "string" + } + }, + "verticals": { + "description": "Industry verticals for the solution content item", + "type": "array", + "items": { + "type": "string" + }, + "example": [ + "str1", + "str2", + "str3" + ] + } + } + }, + "metadataProviders": { + "description": "Providers for the solution content item", + "type": "array", + "example": [ + "str1", + "str2", + "str3" + ], + "items": { + "type": "string" + } + }, + "metadataFirstPublishDate": { + "description": "first publish date of solution content item", + "type": "string", + "format": "date" + }, + "metadataLastPublishDate": { + "description": "last publish date of solution content item", + "type": "string", + "format": "date" + }, + "metadataCustomVersion": { + "description": "The custom version of the content. A optional free text", + "type": "string" + }, + "metadataContentSchemaVersion": { + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version", + "type": "string" + }, + "metadataIcon": { + "description": "the icon identifier. this id can later be fetched from the metadata", + "type": "string" + }, + "metadataThreatAnalysisTactics": { + "description": "the tactics the resource covers", + "type": "array", + "example": [ + "reconnaissance", + "exfiltration" + ], + "items": { + "type": "string" + } + }, + "metadataThreatAnalysisTechniques": { + "description": "the techniques the resource covers, these have to be aligned with the tactics being used", + "type": "array", + "example": [ + "T1548", + "T1548.001", + "T1134.003" + ], + "items": { + "type": "string" + } + }, + "metadataPreviewImages": { + "description": "preview image file names. These will be taken from the solution artifacts", + "type": "array", + "example": [ + "example.png", + "example2.jpeg" + ], + "items": { + "type": "string" + } + }, + "metadataPreviewImagesDark": { + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support", + "type": "array", + "example": [ + "example.png", + "example2.jpeg" + ], + "items": { + "type": "string" + } + }, + "metadataTags": { + "description": "the tags assigned to the resource", + "type": "array", + "example": [ + "str1", + "str2", + "str3" + ], + "items": { + "type": "string" + } + } + }, + "parameters": {} +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackageById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackageById.json new file mode 100644 index 000000000000..c1a3d45241e5 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackageById.json @@ -0,0 +1,33 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "packageId": "str.azure-sentinel-solution-str" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/str.azure-sentinel-solution-str", + "name": "str.azure-sentinel-solution-str", + "type": "Microsoft.SecurityInsights/contentpackages", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "version": "2.0.0", + "displayName": "str" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackages.json new file mode 100644 index 000000000000..1e92bf590813 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetPackages.json @@ -0,0 +1,38 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "packageId": "str.azure-sentinel-solution-str" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages", + "name": "str.azure-sentinel-solution-str", + "type": "Microsoft.SecurityInsights/contentpackages", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "contentSchemaVersion": "3.0.0", + "version": "2.0.0", + "displayName": "str" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackageById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackageById.json new file mode 100644 index 000000000000..020c182c0398 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackageById.json @@ -0,0 +1,75 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "packageId": "str.azure-sentinel-solution-str" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/str.azure-sentinel-solution-str", + "name": "str.azure-sentinel-solution-str", + "type": "Microsoft.SecurityInsights/contentpackages", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "installedVersion": "2.0.0", + "version": "2.0.0", + "displayName": "str", + "source": { + "kind": "Solution", + "name": "str", + "sourceId": "str.azure-sentinel-solution-str" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "contentId": "strDataConnector", + "kind": "DataConnector", + "version": "2.0.0" + }, + { + "contentId": "str-Parser", + "kind": "Parser", + "version": "2.0.0" + } + ], + "operator": "AND" + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ], + "verticals": null + }, + "firstPublishDate": "2022-04-01", + "packageContent": "JSON string of the package" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackages.json new file mode 100644 index 000000000000..30f3b9ee6d6e --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/GetProductPackages.json @@ -0,0 +1,77 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages", + "name": "str.azure-sentinel-solution-str", + "type": "Microsoft.SecurityInsights/contentpackages", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "installedVersion": "2.0.0", + "version": "2.0.0", + "displayName": "str", + "source": { + "kind": "Solution", + "name": "str", + "sourceId": "str.azure-sentinel-solution-str" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "contentId": "strDataConnector", + "kind": "DataConnector", + "version": "2.0.0" + }, + { + "contentId": "str-Parser", + "kind": "Parser", + "version": "2.0.0" + } + ], + "operator": "AND" + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ], + "verticals": null + }, + "firstPublishDate": "2022-04-01" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/InstallPackage.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/InstallPackage.json new file mode 100644 index 000000000000..96a1b6a09c97 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/InstallPackage.json @@ -0,0 +1,148 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "packageId": "str.azure-sentinel-solution-str", + "packageInstallationProperties": { + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "version": "2.0.0", + "displayName": "str" + }, + "tags": { + "tag1": "str" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/str.azure-sentinel-solution-str", + "name": "str.azure-sentinel-solution-str", + "type": "Microsoft.SecurityInsights/contentpackages", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "installedVersion": "2.0.0", + "version": "2.0.0", + "displayName": "str", + "source": { + "kind": "Solution", + "name": "str", + "sourceId": "str.azure-sentinel-solution-str" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "contentId": "strDataConnector", + "kind": "DataConnector", + "version": "2.0.0" + }, + { + "contentId": "str-Parser", + "kind": "Parser", + "version": "2.0.0" + } + ], + "operator": "AND" + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ], + "verticals": null + }, + "firstPublishDate": "2022-04-01" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/str.azure-sentinel-solution-str", + "name": "str.azure-sentinel-solution-str", + "type": "Microsoft.SecurityInsights/contentpackages", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "str.azure-sentinel-solution-str", + "contentKind": "Solution", + "installedVersion": "2.0.0", + "version": "2.0.0", + "displayName": "str", + "source": { + "kind": "Solution", + "name": "str", + "sourceId": "str.azure-sentinel-solution-str" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "contentId": "strDataConnector", + "kind": "DataConnector", + "version": "2.0.0" + }, + { + "contentId": "str-Parser", + "kind": "Parser", + "version": "2.0.0" + } + ], + "operator": "AND" + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ], + "verticals": null + }, + "firstPublishDate": "2022-04-01" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/UninstallPackage.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/UninstallPackage.json new file mode 100644 index 000000000000..274e530d88a8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentPackages/UninstallPackage.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "packageId": "str.azure-sentinel-solution-str" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/DeleteTemplate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/DeleteTemplate.json new file mode 100644 index 000000000000..239185c5fcf5 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/DeleteTemplate.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "templateId": "8365ebfe-a381-45b7-ad08-7d818070e11f" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplateById.json new file mode 100644 index 000000000000..4c465c446c9d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplateById.json @@ -0,0 +1,41 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "templateId": "8365ebfe-a381-45b7-ad08-7d818070e11f" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentTemplates/8365ebfe-a381-45b7-ad08-7d818070e11f", + "name": "8365ebfe-a381-45b7-ad08-7d818070e11f", + "type": "Microsoft.SecurityInsights/contenttemplates", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "content id", + "version": "1.0.0", + "displayName": "My installed template", + "contentKind": "Workbooks", + "packageId": "package id", + "packageKind": "Standalone", + "packageName": "package name", + "source": { + "kind": "Standalone", + "name": "Source name" + }, + "mainTemplate": "JSON string of the installed template" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplates.json new file mode 100644 index 000000000000..d7bdb802f042 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetProductTemplates.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentTemplates", + "name": "8365ebfe-a381-45b7-ad08-7d818070e11f", + "type": "Microsoft.SecurityInsights/contenttemplates", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "content id", + "version": "1.0.0", + "displayName": "My installed template", + "contentKind": "Workbooks", + "packageId": "package id", + "packageKind": "Standalone", + "packageName": "package name", + "source": { + "kind": "Standalone", + "name": "Source name" + } + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplateById.json new file mode 100644 index 000000000000..c0c7109e806f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplateById.json @@ -0,0 +1,39 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "templateId": "8365ebfe-a381-45b7-ad08-7d818070e11f" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentTemplates/8365ebfe-a381-45b7-ad08-7d818070e11f", + "name": "8365ebfe-a381-45b7-ad08-7d818070e11f", + "type": "Microsoft.SecurityInsights/contenttemplates", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "content id", + "version": "1.0.0", + "displayName": "My installed template", + "contentKind": "Workbooks", + "packageId": "package id", + "source": { + "kind": "Standalone", + "name": "Source name" + }, + "mainTemplate": "JSON string of the installed template" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplates.json new file mode 100644 index 000000000000..f6c02e516ebe --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/GetTemplates.json @@ -0,0 +1,41 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentTemplates", + "name": "8365ebfe-a381-45b7-ad08-7d818070e11f", + "type": "Microsoft.SecurityInsights/contenttemplates", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "content id", + "version": "1.0.0", + "displayName": "My installed template", + "contentKind": "Workbooks", + "packageId": "package id", + "source": { + "kind": "Standalone", + "name": "Source name" + } + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/InstallTemplate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/InstallTemplate.json new file mode 100644 index 000000000000..0e39761a0c77 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/examples/contentTemplates/InstallTemplate.json @@ -0,0 +1,222 @@ +{ + "parameters": { + "api-version": "2023-04-01-preview", + "subscriptionId": "d0cfeab2-9ae0-4464-9919-dccaee2e48f0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "templateId": "str.azure-sentinel-solution-str", + "templateInstallationProperties": { + "properties": { + "contentId": "8365ebfe-a381-45b7-ad08-7d818070e11f", + "displayName": "API Protection workbook template", + "contentKind": "AnalyticsRule", + "version": "1.0.1", + "packageId": "str.azure-sentinel-solution-str", + "packageName": "str", + "packageKind": "Solution", + "source": { + "kind": "Solution", + "name": "str", + "sourceId": "str.azure-sentinel-solution-str" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.1", + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "8365ebfe-a381-45b7-ad08-7d818070e11f", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user", + "displayName": "Critical or High Severity Detections by User", + "enabled": false, + "query": "...", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split([resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)],'/'))))]", + "properties": { + "description": "CrowdStrike Falcon Endpoint Protection Analytics Rule 1", + "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)]", + "contentId": "4465ebde-b381-45f7-ad08-7d818070a11c", + "kind": "AnalyticsRule", + "version": "1.0.0", + "source": { + "kind": "Solution", + "name": "str", + "sourceId": "str.azure-sentinel-solution-str" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + } + }, + "tags": { + "tag1": "str" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/azuresentinel.azure-sentinel-solution-ciscoumbrella", + "name": "azuresentinel.azure-sentinel-solution-ciscoumbrella", + "type": "Microsoft.SecurityInsights/contenttemplates", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "4465ebde-c381-45d7-af08-7d818072a11c", + "packageKind": "Solution", + "packageId": "package id", + "contentKind": "AnalyticsRule", + "version": "1.0.1", + "displayName": "API Protection workbook template", + "source": { + "kind": "Solution", + "name": "CiscoUmbrella", + "sourceId": "azuresentinel.azure-sentinel-solution-ciscoumbrella" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "contentId": "strDataConnector", + "kind": "DataConnector", + "version": "2.0.0" + }, + { + "contentId": "str-Parser", + "kind": "Parser", + "version": "2.0.0" + } + ], + "operator": "AND" + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ], + "verticals": null + }, + "firstPublishDate": "2022-04-01" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/azuresentinel.azure-sentinel-solution-ciscoumbrella", + "name": "azuresentinel.azure-sentinel-solution-ciscoumbrella", + "type": "Microsoft.SecurityInsights/contenttemplates", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "contentId": "4465ebde-c381-45d7-af08-7d818072a11c", + "packageKind": "Solution", + "packageId": "package id", + "contentKind": "AnalyticsRule", + "version": "1.0.1", + "displayName": "API Protection workbook template", + "source": { + "kind": "Solution", + "name": "CiscoUmbrella", + "sourceId": "azuresentinel.azure-sentinel-solution-ciscoumbrella" + }, + "author": { + "name": "Microsoft", + "email": "support@microsoft.com" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "dependencies": { + "criteria": [ + { + "contentId": "strDataConnector", + "kind": "DataConnector", + "version": "2.0.0" + }, + { + "contentId": "str-Parser", + "kind": "Parser", + "version": "2.0.0" + } + ], + "operator": "AND" + }, + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Cloud Security" + ], + "verticals": null + }, + "firstPublishDate": "2022-04-01" + }, + "systemData": { + "createdBy": "string", + "createdByType": "User", + "createdAt": "2020-04-27T21:53:29.0928001Z", + "lastModifiedBy": "string", + "lastModifiedByType": "User", + "lastModifiedAt": "2020-04-27T21:53:29.0928001Z" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 1d4bf91ce786..0d06f21768ff 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -42,6 +42,10 @@ input-file: - Microsoft.SecurityInsights/preview/2023-04-01-preview/AlertRules.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/AutomationRules.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Bookmarks.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductTemplates.json + - Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Enrichment.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json - Microsoft.SecurityInsights/preview/2023-04-01-preview/EntityQueries.json From 74b0e917c13743c97893500f1790ba4c65dadfed Mon Sep 17 00:00:00 2001 From: rheabansal <93624991+rheabansal@users.noreply.github.com> Date: Mon, 3 Apr 2023 06:17:22 -0700 Subject: [PATCH 11/14] update descriptions due to lint error (#23392) --- .../preview/2023-04-01-preview/WorkspaceManagerAssignments.json | 2 +- .../2023-04-01-preview/WorkspaceManagerConfigurations.json | 2 +- .../preview/2023-04-01-preview/WorkspaceManagerGroups.json | 2 +- .../preview/2023-04-01-preview/WorkspaceManagerMembers.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json index d46494931447..770b88c1e06a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerAssignments.json @@ -165,7 +165,7 @@ ], "responses": { "200": { - "description": "OK", + "description": "OK, created or updated an instance", "schema": { "$ref": "#/definitions/WorkspaceManagerAssignment" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json index 8ca6d636eeaf..e81b016c8085 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerConfigurations.json @@ -208,7 +208,7 @@ ], "responses": { "200": { - "description": "OK", + "description": "OK, created or updated an instance", "schema": { "$ref": "#/definitions/WorkspaceManagerConfiguration" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json index cdf63b2dccd7..77f60c4492aa 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerGroups.json @@ -165,7 +165,7 @@ ], "responses": { "200": { - "description": "OK", + "description": "OK, created or updated an instance", "schema": { "$ref": "#/definitions/WorkspaceManagerGroup" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json index 74c1a9296c95..074ea0c3174e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/WorkspaceManagerMembers.json @@ -165,7 +165,7 @@ ], "responses": { "200": { - "description": "Updated", + "description": "OK, created or updated an instance", "schema": { "$ref": "#/definitions/WorkspaceManagerMember" } From 38517c2e8a15adb032b888ae75e13b5843597d99 Mon Sep 17 00:00:00 2001 From: Nan Zang Date: Mon, 3 Apr 2023 17:41:42 -0700 Subject: [PATCH 12/14] Fix policheck issue by updating the description. (#23415) * Fix polich issue by updating the description. * update the description to fix a typo. --- .../preview/2023-04-01-preview/ContentPackages.json | 2 +- .../preview/2023-04-01-preview/ContentTemplates.json | 2 +- .../preview/2023-04-01-preview/Entities.json | 2 +- .../preview/2023-04-01-preview/common/EntityTypes.json | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json index 1d28166e33ff..67c71f9cce60 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json @@ -168,7 +168,7 @@ ], "responses": { "200": { - "description": "OK, create or update a instance", + "description": "OK, a package is updated.", "schema": { "$ref": "#/definitions/packageModel" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json index edb4f0dd35fb..79b9fb5e762e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentTemplates.json @@ -125,7 +125,7 @@ ], "responses": { "200": { - "description": "OK, create or update a instance", + "description": "OK, a template is updated.", "schema": { "$ref": "#/definitions/templateModel" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json index 0fb8bb7154a5..d69de05fa5ea 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/Entities.json @@ -1429,7 +1429,7 @@ "value": "CredentialAccess" }, { - "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must navigate themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", "value": "Discovery" }, { diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json index 303bf44f9c2a..e2f1cb415e51 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json @@ -1173,13 +1173,13 @@ "type": "string" }, "latitude": { - "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", + "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90. Latitude and longitude are derived from the city or postal code.", "format": "double", "readOnly": true, "type": "number" }, "longitude": { - "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code.", + "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180. Latitude and longitude are derived from the city or postal code.", "format": "double", "readOnly": true, "type": "number" From 19629f09dcb723138d52f657602350748ed53ae6 Mon Sep 17 00:00:00 2001 From: Nan Zang Date: Wed, 5 Apr 2023 18:19:30 -0700 Subject: [PATCH 13/14] Release sentinel 2023 04 01 preview (#23420) * Fix polich issue by updating the description. * update the description to fix a typo. * fix policheck by updating description * rename enum name to stable version to fix cross-version breaking change failure. --- .../preview/2023-04-01-preview/ThreatIntelligence.json | 4 ++-- .../preview/2023-04-01-preview/common/EntityTypes.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json index 98de914f76c4..b4b35de0e5e3 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ThreatIntelligence.json @@ -591,7 +591,7 @@ "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "ThreatIntelligenceResourceKindEnum", + "name": "ThreatIntelligenceResourceInnerKind", "values": [ { "description": "Entity represents threat intelligence indicator in the system.", @@ -985,7 +985,7 @@ "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "ThreatIntelligenceSortingCriteriaEnum", + "name": "ThreatIntelligenceSortingOrder", "values": [ { "value": "unsorted" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json index e2f1cb415e51..c3987834dcdc 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/common/EntityTypes.json @@ -2183,7 +2183,7 @@ "value": "CredentialAccess" }, { - "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must navigate themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", "value": "Discovery" }, { From 01b32d70d72b8e671e6372f4e08fa40d2b6e213e Mon Sep 17 00:00:00 2001 From: xuhumsft <116764429+xuhumsft@users.noreply.github.com> Date: Thu, 6 Apr 2023 20:10:03 -0700 Subject: [PATCH 14/14] fix typo (#23463) --- .../preview/2023-04-01-preview/ContentPackages.json | 2 +- .../preview/2023-04-01-preview/ContentProductPackages.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json index 67c71f9cce60..c92d3745f502 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentPackages.json @@ -349,7 +349,7 @@ "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTactics", "description": "the tactics the resource covers" }, - "threatAnalyticsTechniques": { + "threatAnalysisTechniques": { "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTechniques", "description": "the techniques the resource covers, these have to be aligned with the tactics being used" }, diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json index 548d002124d4..b8f12c3df3cf 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2023-04-01-preview/ContentProductPackages.json @@ -262,7 +262,7 @@ "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTactics", "description": "the tactics the resource covers" }, - "threatAnalyticsTechniques": { + "threatAnalysisTechniques": { "$ref": "./common/ContentCommonTypes.json#/definitions/metadataThreatAnalysisTechniques", "description": "the techniques the resource covers, these have to be aligned with the tactics being used" },