diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertResourceGroupLocation_example.json index f7d1de97b849..440889fab580 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertResourceGroupLocation_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertResourceGroupLocation_example.json @@ -45,6 +45,7 @@ "reason": "Some computer reason" }], "canBeInvestigated": true, + "isIncident": false, "entities": [{ "address": "192.0.2.1", "location": { diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertSubscriptionLocation_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertSubscriptionLocation_example.json index bcb4d7fd727d..461126f44bf0 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertSubscriptionLocation_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertSubscriptionLocation_example.json @@ -44,6 +44,7 @@ "reason": "Some computer reason" }], "canBeInvestigated": true, + "isIncident": false, "entities": [{ "address": "192.0.2.1", "location": { diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroupLocation_example.json index ddc50444a3f7..b0f23f6f9d0a 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroupLocation_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroupLocation_example.json @@ -45,6 +45,7 @@ "reason": "Some computer reason" }], "canBeInvestigated": true, + "isIncident": false, "entities": [{ "address": "192.0.2.1", "location": { diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroup_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroup_example.json index 415c4dd5a394..6c7008fd58ba 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroup_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsResourceGroup_example.json @@ -44,6 +44,7 @@ "reason": "Some computer reason" }], "canBeInvestigated": true, + "isIncident": false, "entities": [{ "address": "192.0.2.1", "location": { diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscription_example.json index b1c6da1dce8a..a9ecacbc0765 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscription_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscription_example.json @@ -43,6 +43,7 @@ "reason": "Some computer reason" }], "canBeInvestigated": true, + "isIncident": false, "entities": [{ "address": "192.0.2.1", "location": { diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscriptionsLocation_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscriptionsLocation_example.json index 506adecf7f6e..d8ea835d6a30 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscriptionsLocation_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/examples/Alerts/GetAlertsSubscriptionsLocation_example.json @@ -44,6 +44,7 @@ "reason": "Some computer reason" }], "canBeInvestigated": true, + "isIncident": false, "entities": [{ "address": "192.0.2.1", "location": { diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/security.json b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/security.json index 9b3f52583b9e..c3c2eecfbd3a 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/security.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/security.json @@ -2017,6 +2017,30 @@ "reportedSeverity": { "readOnly": true, "type": "string", + "enum": [ + "Silent", + "Information", + "Low", + "High" + ], + "x-ms-enum": { + "name": "reportedSeverity", + "modelAsString": true, + "values": [ + { + "value": "Silent" + }, + { + "value": "Information" + }, + { + "value": "Low" + }, + { + "value": "High" + } + ] + }, "description": "Estimated severity of this alert" }, "compromisedEntity": { @@ -2042,6 +2066,11 @@ "type": "boolean", "description": "Whether this alert can be investigated with Azure Security Center" }, + "isIncident": { + "readOnly": true, + "type": "boolean", + "description": "Whether this alert is for incident type or not (otherwise - single alert)" + }, "entities": { "type": "array", "description": "objects that are related to this alerts", diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json new file mode 100644 index 000000000000..4f151c844069 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json @@ -0,0 +1,73 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "ascLocation": "westeurope", + "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [{ + "type": "User", + "reason": "Some user reason" + }, { + "type": "Process", + "reason": "Some proccess reason" + }, { + "type": "Computer", + "reason": "Some computer reason" + }], + "canBeInvestigated": true, + "isIncident": false, + "entities": [{ + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [{ + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + }], + "type": "ip" + }] + } + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertSubscriptionLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertSubscriptionLocation_example.json new file mode 100644 index 000000000000..a83797038f93 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertSubscriptionLocation_example.json @@ -0,0 +1,72 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope", + "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [{ + "type": "User", + "reason": "Some user reason" + }, { + "type": "Process", + "reason": "Some proccess reason" + }, { + "type": "Computer", + "reason": "Some computer reason" + }], + "canBeInvestigated": true, + "isIncident": false, + "entities": [{ + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [{ + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + }], + "type": "ip" + }] + } + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocation_example.json new file mode 100644 index 000000000000..71f6d8ad8def --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocation_example.json @@ -0,0 +1,74 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "ascLocation": "westeurope" + }, + "responses": { + "200": { + "body": { + "value": [{ + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [{ + "type": "User", + "reason": "Some user reason" + }, { + "type": "Process", + "reason": "Some proccess reason" + }, { + "type": "Computer", + "reason": "Some computer reason" + }], + "canBeInvestigated": true, + "isIncident": false, + "entities": [{ + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [{ + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + }], + "type": "ip" + }] + } + }] + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroup_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroup_example.json new file mode 100644 index 000000000000..c73f61d0b36f --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroup_example.json @@ -0,0 +1,73 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1" + }, + "responses": { + "200": { + "body": { + "value": [{ + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [{ + "type": "User", + "reason": "Some user reason" + }, { + "type": "Process", + "reason": "Some proccess reason" + }, { + "type": "Computer", + "reason": "Some computer reason" + }], + "canBeInvestigated": true, + "isIncident": false, + "entities": [{ + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [{ + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + }], + "type": "ip" + }] + } + }] + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscription_example.json new file mode 100644 index 000000000000..74f1c0e26122 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscription_example.json @@ -0,0 +1,151 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23" + }, + "responses": { + "200": { + "body": { + "value": [{ + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [{ + "type": "User", + "reason": "Some user reason" + }, { + "type": "Process", + "reason": "Some proccess reason" + }, { + "type": "Computer", + "reason": "Some computer reason" + }], + "canBeInvestigated": true, + "isIncident": false, + "entities": [{ + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [{ + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + }], + "type": "ip" + }] + } + }, + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "systemSource": "Azure", + "vendorName": "Microsoft", + "alertDisplayName": "Suspicious Screensaver process executed", + "alertName": "SuspiciousScreenSaver", + "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z", + "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.", + "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team", + "actionTaken": "Detected", + "reportedSeverity": "Low", + "compromisedEntity": "vm2", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "extendedProperties": { + "domain name": "vm2", + "user name": "vm2\\contosoUser", + "process name": "c:\\users\\contosoUser\\scrsave.scr", + "command line": "c:\\users\\contosoUser\\scrsave.scr", + "parent process": "cmd.exe", + "process id": "0x4aec", + "account logon id": "0x61450d87", + "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500", + "parent process id": "0x3c44", + "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}", + "resourceType": "Virtual Machine" + }, + "state": "Active", + "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z", + "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu", + "confidenceScore": 0.3, + "confidenceReasons": [{ + "type": "Process", + "reason": "Suspicious process execution history for this subscription" + }, { + "type": "Process", + "reason": "Suspicious process execution history for this subscription" + }, { + "type": "Process", + "reason": "cmd.exe appeared in multiple alerts of the same type" + }], + "canBeInvestigated": true, + "entities": [{ + "dnsDomain": "", + "ntDomain": "", + "hostName": "vm2", + "netBiosName": "vm2", + "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2", + "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a", + "operatingSystem": "Unknown", + "type": "host", + "OsVersion": null + }, { + "name": "contosoUser", + "ntDomain": "vm2", + "logonId": "0x61450d87", + "sid": "S-1-5-21-2144575486-8928446540-5163864319-500", + "type": "account" + }, { + "directory": "c:\\windows\\system32", + "name": "cmd.exe", + "type": "file" + }, { + "directory": "c:\\users\\contosoUser", + "name": "scrsave.scr", + "type": "file" + }, { + "processId": "0x4aec", + "commandLine": "c:\\users\\contosoUser\\scrsave.scr", + "creationTimeUtc": "2018-05-07T13:51:45.0045913Z", + "type": "process" + }] + } + } + ] + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocation_example.json new file mode 100644 index 000000000000..7eb3c550c3d8 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocation_example.json @@ -0,0 +1,155 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope" + }, + "responses": { + "200": { + "body": { + "value": [{ + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [{ + "type": "User", + "reason": "Some user reason" + }, { + "type": "Process", + "reason": "Some proccess reason" + }, { + "type": "Computer", + "reason": "Some computer reason" + }], + "canBeInvestigated": true, + "isIncident": false, + "entities": [{ + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [{ + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + }], + "type": "ip" + }] + } + }, + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "systemSource": "Azure", + "vendorName": "Microsoft", + "alertDisplayName": "Suspicious Screensaver process executed", + "alertName": "SuspiciousScreenSaver", + "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z", + "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.", + "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team", + "actionTaken": "Detected", + "reportedSeverity": "Low", + "compromisedEntity": "vm2", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "extendedProperties": { + "domain name": "vm2", + "user name": "vm2\\contosoUser", + "process name": "c:\\users\\contosoUser\\scrsave.scr", + "command line": "c:\\users\\contosoUser\\scrsave.scr", + "parent process": "cmd.exe", + "process id": "0x4aec", + "account logon id": "0x61450d87", + "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500", + "parent process id": "0x3c44", + "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}", + "resourceType": "Virtual Machine" + }, + "state": "Active", + "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z", + "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu", + "confidenceScore": 0.3, + "confidenceReasons": [{ + "type": "Process", + "reason": "Suspicious process execution history for this subscription" + }, { + "type": "Process", + "reason": "Suspicious process execution history for this subscription" + }, { + "type": "Process", + "reason": "cmd.exe appeared in multiple alerts of the same type" + }], + "canBeInvestigated": true, + "entities": [{ + "dnsDomain": "", + "ntDomain": "", + "hostName": "vm2", + "netBiosName": "vm2", + "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2", + "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a", + "operatingSystem": "Unknown", + "type": "host", + "OsVersion": null + }, { + "name": "contosoUser", + "ntDomain": "vm2", + "logonId": "0x61450d87", + "sid": "S-1-5-21-2144575486-8928446540-5163864319-500", + "type": "account" + }, { + "directory": "c:\\windows\\system32", + "name": "cmd.exe", + "type": "file" + }, { + "processId": "0x3c44", + "type": "process" + }, { + "directory": "c:\\users\\contosoUser", + "name": "scrsave.scr", + "type": "file" + }, { + "processId": "0x4aec", + "commandLine": "c:\\users\\contosoUser\\scrsave.scr", + "creationTimeUtc": "2018-05-07T13:51:45.0045913Z", + "type": "process" + }] + } + } + ] + } + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_example.json new file mode 100644 index 000000000000..76854926020d --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_example.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg2", + "ascLocation": "westeurope", + "alertName": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "alertUpdateActionType": "Dismiss" + }, + "responses": { + "204": { + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_example.json new file mode 100644 index 000000000000..8ddb873327c4 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_example.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope", + "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "alertUpdateActionType": "Dismiss" + }, + "responses": { + "204": { + } + } +} \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/security.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/security.json new file mode 100644 index 000000000000..55698940738a --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/security.json @@ -0,0 +1,822 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Center", + "description": "API spec for Microsoft.Security (Azure Security Center) resource provider", + "version": "2019-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a subscription": { + "$ref": "./examples/Alerts/GetAlertsSubscription_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the subscription", + "operationId": "Alerts_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataSelect" + }, + { + "$ref": "#/parameters/ODataExpand" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a resource group": { + "$ref": "./examples/Alerts/GetAlertsResourceGroup_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the resource group", + "operationId": "Alerts_ListByResourceGroup", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataSelect" + }, + { + "$ref": "#/parameters/ODataExpand" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a subscription from a security data location": { + "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the subscription that are stored in a specific location", + "operationId": "Alerts_ListSubscriptionLevelAlertsByRegion", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataSelect" + }, + { + "$ref": "#/parameters/ODataExpand" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a resource group from a security data location": { + "$ref": "./examples/Alerts/GetAlertsResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the resource group that are stored in a specific location", + "operationId": "Alerts_ListResourceGroupLevelAlertsByRegion", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataSelect" + }, + { + "$ref": "#/parameters/ODataExpand" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { + "get": { + "x-ms-examples": { + "Get security alert on a subscription from a security data location": { + "$ref": "./examples/Alerts/GetAlertSubscriptionLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Get an alert that is associated with a subscription", + "operationId": "Alerts_GetSubscriptionLevelAlert", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Alert" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { + "get": { + "x-ms-examples": { + "Get security alert on a resource group from a security data location": { + "$ref": "./examples/Alerts/GetAlertResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Get an alert that is associated a resource group or a resource in a resource group", + "operationId": "Alerts_GetResourceGroupLevelAlerts", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "#/parameters/ResourceGroupName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Alert" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/{alertUpdateActionType}": { + "post": { + "x-ms-examples": { + "Update security alert state on a subscription from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateSubscriptionLevelAlertState", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "#/parameters/AlertUpdateActionType" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/{alertUpdateActionType}": { + "post": { + "x-ms-examples": { + "Update security alert state on a resource group from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateResourceGroupLevelAlertState", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "#/parameters/AlertUpdateActionType" + }, + { + "$ref": "#/parameters/ResourceGroupName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "CloudError": { + "x-ms-external": true, + "type": "object", + "description": "Error response structure.", + "properties": { + "error": { + "x-ms-client-flatten": true, + "description": "Error data", + "$ref": "#/definitions/CloudErrorBody" + } + } + }, + "CloudErrorBody": { + "x-ms-external": true, + "type": "object", + "description": "Error details.", + "properties": { + "code": { + "readOnly": true, + "type": "string", + "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically." + }, + "message": { + "readOnly": true, + "type": "string", + "description": "A message describing the error, intended to be suitable for display in a user interface." + } + } + }, + "Resource": { + "type": "object", + "description": "Describes an Azure resource.", + "properties": { + "id": { + "readOnly": true, + "type": "string", + "description": "Resource Id" + }, + "name": { + "readOnly": true, + "type": "string", + "description": "Resource name" + }, + "type": { + "readOnly": true, + "type": "string", + "description": "Resource type" + } + }, + "x-ms-azure-resource": true + }, + "Kind": { + "type": "object", + "description": "Describes an Azure resource with kind", + "properties": { + "kind": { + "type": "string", + "description": "Kind of the resource" + } + } + }, + "Location": { + "type": "object", + "description": "Describes an Azure resource with location", + "properties": { + "location": { + "readOnly": true, + "type": "string", + "description": "Location where the resource is stored" + } + } + }, + "AscLocationList": { + "type": "object", + "description": "List of locations where ASC saves your data", + "properties": { + "value": { + "readOnly": true, + "type": "array", + "items": { + "$ref": "#/definitions/AscLocation" + } + }, + "nextLink": { + "readOnly": true, + "type": "string", + "description": "The URI to fetch the next page." + } + } + }, + "AscLocation": { + "type": "object", + "description": "The ASC location of the subscription is in the \"name\" field", + "properties": { + "properties": { + "x-ms-client-flatten": true, + "$ref": "#/definitions/AscLocationProperties" + } + }, + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ] + }, + "AscLocationProperties": { + "type": "object", + "description": "An empty set of properties" + }, + "AlertList": { + "type": "object", + "description": "List of security alerts", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/Alert" + } + }, + "nextLink": { + "readOnly": true, + "type": "string", + "description": "The URI to fetch the next page." + } + } + }, + "Alert": { + "type": "object", + "description": "Security alert", + "properties": { + "properties": { + "x-ms-client-flatten": true, + "$ref": "#/definitions/AlertProperties" + } + }, + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ] + }, + "AlertProperties": { + "type": "object", + "description": "describes security alert properties.", + "properties": { + "state": { + "readOnly": true, + "type": "string", + "description": "State of the alert (Active, Dismissed etc.)" + }, + "reportedTimeUtc": { + "readOnly": true, + "type": "string", + "format": "date-time", + "description": "The time the incident was reported to Microsoft.Security in UTC" + }, + "vendorName": { + "readOnly": true, + "type": "string", + "description": "Name of the vendor that discovered the incident" + }, + "alertName": { + "readOnly": true, + "type": "string", + "description": "Name of the alert type" + }, + "alertDisplayName": { + "readOnly": true, + "type": "string", + "description": "Display name of the alert type" + }, + "detectedTimeUtc": { + "readOnly": true, + "type": "string", + "format": "date-time", + "description": "The time the incident was detected by the vendor" + }, + "description": { + "readOnly": true, + "type": "string", + "description": "Description of the incident and what it means" + }, + "remediationSteps": { + "readOnly": true, + "type": "string", + "description": "Recommended steps to reradiate the incident" + }, + "actionTaken": { + "readOnly": true, + "type": "string", + "description": "The action that was taken as a response to the alert (Active, Blocked etc.)" + }, + "reportedSeverity": { + "readOnly": true, + "type": "string", + "enum": [ + "Informational", + "Low", + "Medium", + "High" + ], + "x-ms-enum": { + "name": "reportedSeverity", + "modelAsString": true, + "values": [ + { + "value": "Informational" + }, + { + "value": "Low" + }, + { + "value": "Medium" + }, + { + "value": "High" + } + ] + }, + "description": "Estimated severity of this alert" + }, + "compromisedEntity": { + "readOnly": true, + "type": "string", + "description": "The entity that the incident happened on" + }, + "associatedResource": { + "readOnly": true, + "type": "string", + "description": "Azure resource ID of the associated resource" + }, + "extendedProperties": { + "$ref": "#/definitions/AlertExtendedProperties" + }, + "systemSource": { + "readOnly": true, + "type": "string", + "description": "The type of the alerted resource (Azure, Non-Azure)" + }, + "canBeInvestigated": { + "readOnly": true, + "type": "boolean", + "description": "Whether this alert can be investigated with Azure Security Center" + }, + "isIncident": { + "readOnly": true, + "type": "boolean", + "description": "Whether this alert is for incident type or not (otherwise - single alert)" + }, + "entities": { + "type": "array", + "description": "objects that are related to this alerts", + "items": { + "$ref": "#/definitions/AlertEntity" + } + }, + "confidenceScore": { + "readOnly": true, + "type": "number", + "format": "float", + "minimum": 0, + "maximum": 1, + "description": "level of confidence we have on the alert" + }, + "confidenceReasons": { + "type": "array", + "description": "reasons the alert got the confidenceScore value", + "items": { + "$ref": "#/definitions/AlertConfidenceReason" + } + }, + "subscriptionId": { + "readOnly": true, + "type": "string", + "description": "Azure subscription ID of the resource that had the security alert or the subscription ID of the workspace that this resource reports to" + }, + "instanceId": { + "readOnly": true, + "type": "string", + "description": "Instance ID of the alert." + }, + "workspaceArmId": { + "readOnly": true, + "type": "string", + "description": "Azure resource ID of the workspace that the alert was reported to." + } + } + }, + "AlertConfidenceReason": { + "type": "object", + "description": "Factors that increase our confidence that the alert is a true positive", + "properties": { + "type": { + "readOnly": true, + "type": "string", + "description": "Type of confidence factor" + }, + "reason": { + "readOnly": true, + "type": "string", + "description": "description of the confidence reason" + } + } + }, + "AlertEntity": { + "type": "object", + "additionalProperties": true, + "description": "Changing set of properties depending on the entity type.", + "properties": { + "type": { + "readOnly": true, + "type": "string", + "description": "Type of entity" + } + } + }, + "AlertExtendedProperties": { + "type": "object", + "additionalProperties": true, + "description": "Changing set of properties depending on the alert type." + } + }, + "parameters": { + "SubscriptionId": { + "name": "subscriptionId", + "in": "path", + "required": true, + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", + "type": "string", + "description": "Azure subscription ID" + }, + "ResourceGroupName": { + "name": "resourceGroupName", + "in": "path", + "required": true, + "type": "string", + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "pattern": "^[-\\w\\._\\(\\)]+$", + "minLength": 1, + "maxLength": 90, + "x-ms-parameter-location": "method" + }, + "ApiVersion": { + "name": "api-version", + "in": "query", + "required": true, + "type": "string", + "enum": [ + "2019-01-01" + ], + "description": "API version for the operation" + }, + "AscLocation": { + "name": "ascLocation", + "in": "path", + "required": true, + "type": "string", + "description": "The location where ASC stores the data of the subscription. can be retrieved from Get locations", + "x-ms-parameter-location": "client" + }, + "ODataFilter": { + "name": "$filter", + "in": "query", + "required": false, + "type": "string", + "description": "OData filter. Optional.", + "x-ms-parameter-location": "method" + }, + "ODataSelect": { + "name": "$select", + "in": "query", + "required": false, + "type": "string", + "description": "OData select. Optional.", + "x-ms-parameter-location": "method" + }, + "ODataExpand": { + "name": "$expand", + "in": "query", + "required": false, + "type": "string", + "description": "OData expand. Optional.", + "x-ms-parameter-location": "method" + }, + "AlertName": { + "name": "alertName", + "in": "path", + "required": true, + "type": "string", + "description": "Name of the alert object", + "x-ms-parameter-location": "method" + }, + "AlertUpdateActionType": { + "name": "alertUpdateActionType", + "in": "path", + "required": true, + "type": "string", + "enum": [ + "Dismiss", + "Reactivate" + ], + "description": "Type of the action to do on the alert", + "x-ms-parameter-location": "method" + } + } +}