Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding new api-version to Microsoft.Security Alerts resource #4902

Merged
merged 6 commits into from
Feb 1, 2019
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2017,6 +2017,30 @@
"reportedSeverity": {
"readOnly": true,
"type": "string",
"enum": [
"Silent",
"Information",
"Low",
"High"
],
"x-ms-enum": {
"name": "reportedSeverity",
"modelAsString": true,
"values": [
{
"value": "Silent"
},
{
"value": "Information"
},
{
"value": "Low"
},
{
"value": "High"
}
]
},
"description": "Estimated severity of this alert"
},
"compromisedEntity": {
Expand All @@ -2042,6 +2066,11 @@
"type": "boolean",
"description": "Whether this alert can be investigated with Azure Security Center"
},
"isIncident": {
"readOnly": true,
"type": "boolean",
"description": "Whether this alert is for incident type or not (otherwise - single alert)"
},
"entities": {
"type": "array",
"description": "objects that are related to this alerts",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
{
"parameters": {
"api-version": "2019-01-01",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"resourceGroupName": "myRg1",
"ascLocation": "westeurope",
"alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Threat Intelligence Alert",
"alertName": "ThreatIntelligence",
"detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
"description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
"remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
"actionTaken": "Detected",
"reportedSeverity": "High",
"compromisedEntity": "vm1",
"associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
"extendedProperties": {
"user Name": "administrator",
"domain Name": "Contoso",
"attacker IP": "192.0.2.1",
"resourceType": "Virtual Machine"
},
"state": "Dismissed",
"reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
"confidenceScore": 0.8,
"confidenceReasons": [{
"type": "User",
"reason": "Some user reason"
}, {
"type": "Process",
"reason": "Some proccess reason"
}, {
"type": "Computer",
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"threatIntelligence": [{
"providerName": "Team Cymru",
"threatType": "C2",
"threatName": "rarog",
"confidence": 0.8,
"reportLink": "http://www.microsoft.com",
"threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
}],
"type": "ip"
}]
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
{
"parameters": {
"api-version": "2019-01-01",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"ascLocation": "westeurope",
"alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Threat Intelligence Alert",
"alertName": "ThreatIntelligence",
"detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
"description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
"remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
"actionTaken": "Detected",
"reportedSeverity": "High",
"compromisedEntity": "vm1",
"associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
"extendedProperties": {
"user Name": "administrator",
"domain Name": "Contoso",
"attacker IP": "192.0.2.1",
"resourceType": "Virtual Machine"
},
"state": "Dismissed",
"reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
"confidenceScore": 0.8,
"confidenceReasons": [{
"type": "User",
"reason": "Some user reason"
}, {
"type": "Process",
"reason": "Some proccess reason"
}, {
"type": "Computer",
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"threatIntelligence": [{
"providerName": "Team Cymru",
"threatType": "C2",
"threatName": "rarog",
"confidence": 0.8,
"reportLink": "http://www.microsoft.com",
"threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
}],
"type": "ip"
}]
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
{
"parameters": {
"api-version": "2019-01-01",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"resourceGroupName": "myRg1",
"ascLocation": "westeurope"
},
"responses": {
"200": {
"body": {
"value": [{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Threat Intelligence Alert",
"alertName": "ThreatIntelligence",
"detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
"description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
"remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
"actionTaken": "Detected",
"reportedSeverity": "High",
"compromisedEntity": "vm1",
"associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
"extendedProperties": {
"user Name": "administrator",
"domain Name": "Contoso",
"attacker IP": "192.0.2.1",
"resourceType": "Virtual Machine"
},
"state": "Dismissed",
"reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
"confidenceScore": 0.8,
"confidenceReasons": [{
"type": "User",
"reason": "Some user reason"
}, {
"type": "Process",
"reason": "Some proccess reason"
}, {
"type": "Computer",
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"threatIntelligence": [{
"providerName": "Team Cymru",
"threatType": "C2",
"threatName": "rarog",
"confidence": 0.8,
"reportLink": "http://www.microsoft.com",
"threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
}],
"type": "ip"
}]
}
}]
}
}
}
}
Loading