diff --git a/profiles/preview/preview/securityinsight/mgmt/securityinsight/models.go b/profiles/preview/preview/securityinsight/mgmt/securityinsight/models.go index 7c29b208b4b4..aaacda66d67a 100644 --- a/profiles/preview/preview/securityinsight/mgmt/securityinsight/models.go +++ b/profiles/preview/preview/securityinsight/mgmt/securityinsight/models.go @@ -50,6 +50,16 @@ const ( Medium AlertSeverity = original.Medium ) +type AlertStatus = original.AlertStatus + +const ( + AlertStatusDismissed AlertStatus = original.AlertStatusDismissed + AlertStatusInProgress AlertStatus = original.AlertStatusInProgress + AlertStatusNew AlertStatus = original.AlertStatusNew + AlertStatusResolved AlertStatus = original.AlertStatusResolved + AlertStatusUnknown AlertStatus = original.AlertStatusUnknown +) + type CaseSeverity = original.CaseSeverity const ( @@ -77,15 +87,34 @@ const ( Resolved CloseReason = original.Resolved ) +type ConfidenceLevel = original.ConfidenceLevel + +const ( + ConfidenceLevelHigh ConfidenceLevel = original.ConfidenceLevelHigh + ConfidenceLevelLow ConfidenceLevel = original.ConfidenceLevelLow + ConfidenceLevelUnknown ConfidenceLevel = original.ConfidenceLevelUnknown +) + +type ConfidenceScoreStatus = original.ConfidenceScoreStatus + +const ( + Final ConfidenceScoreStatus = original.Final + InProcess ConfidenceScoreStatus = original.InProcess + NotApplicable ConfidenceScoreStatus = original.NotApplicable + NotFinal ConfidenceScoreStatus = original.NotFinal +) + type DataConnectorKind = original.DataConnectorKind const ( - AmazonWebServicesCloudTrail DataConnectorKind = original.AmazonWebServicesCloudTrail - AzureActiveDirectory DataConnectorKind = original.AzureActiveDirectory - AzureSecurityCenter DataConnectorKind = original.AzureSecurityCenter - MicrosoftCloudAppSecurity DataConnectorKind = original.MicrosoftCloudAppSecurity - Office365 DataConnectorKind = original.Office365 - ThreatIntelligence DataConnectorKind = original.ThreatIntelligence + DataConnectorKindAmazonWebServicesCloudTrail DataConnectorKind = original.DataConnectorKindAmazonWebServicesCloudTrail + DataConnectorKindAzureActiveDirectory DataConnectorKind = original.DataConnectorKindAzureActiveDirectory + DataConnectorKindAzureAdvancedThreatProtection DataConnectorKind = original.DataConnectorKindAzureAdvancedThreatProtection + DataConnectorKindAzureSecurityCenter DataConnectorKind = original.DataConnectorKindAzureSecurityCenter + DataConnectorKindMicrosoftCloudAppSecurity DataConnectorKind = original.DataConnectorKindMicrosoftCloudAppSecurity + DataConnectorKindMicrosoftDefenderAdvancedThreatProtection DataConnectorKind = original.DataConnectorKindMicrosoftDefenderAdvancedThreatProtection + DataConnectorKindOffice365 DataConnectorKind = original.DataConnectorKindOffice365 + DataConnectorKindThreatIntelligence DataConnectorKind = original.DataConnectorKindThreatIntelligence ) type DataTypeState = original.DataTypeState @@ -95,12 +124,83 @@ const ( Enabled DataTypeState = original.Enabled ) +type ElevationToken = original.ElevationToken + +const ( + Default ElevationToken = original.Default + Full ElevationToken = original.Full + Limited ElevationToken = original.Limited +) + type EntityKind = original.EntityKind const ( - Account EntityKind = original.Account - File EntityKind = original.File - Host EntityKind = original.Host + EntityKindAccount EntityKind = original.EntityKindAccount + EntityKindAzureResource EntityKind = original.EntityKindAzureResource + EntityKindBookmark EntityKind = original.EntityKindBookmark + EntityKindCloudApplication EntityKind = original.EntityKindCloudApplication + EntityKindDNSResolution EntityKind = original.EntityKindDNSResolution + EntityKindFile EntityKind = original.EntityKindFile + EntityKindFileHash EntityKind = original.EntityKindFileHash + EntityKindHost EntityKind = original.EntityKindHost + EntityKindIP EntityKind = original.EntityKindIP + EntityKindMalware EntityKind = original.EntityKindMalware + EntityKindProcess EntityKind = original.EntityKindProcess + EntityKindRegistryKey EntityKind = original.EntityKindRegistryKey + EntityKindRegistryValue EntityKind = original.EntityKindRegistryValue + EntityKindSecurityAlert EntityKind = original.EntityKindSecurityAlert + EntityKindSecurityGroup EntityKind = original.EntityKindSecurityGroup + EntityKindURL EntityKind = original.EntityKindURL +) + +type EntityType = original.EntityType + +const ( + EntityTypeAccount EntityType = original.EntityTypeAccount + EntityTypeAzureResource EntityType = original.EntityTypeAzureResource + EntityTypeCloudApplication EntityType = original.EntityTypeCloudApplication + EntityTypeDNS EntityType = original.EntityTypeDNS + EntityTypeFile EntityType = original.EntityTypeFile + EntityTypeFileHash EntityType = original.EntityTypeFileHash + EntityTypeHost EntityType = original.EntityTypeHost + EntityTypeHuntingBookmark EntityType = original.EntityTypeHuntingBookmark + EntityTypeIP EntityType = original.EntityTypeIP + EntityTypeMalware EntityType = original.EntityTypeMalware + EntityTypeProcess EntityType = original.EntityTypeProcess + EntityTypeRegistryKey EntityType = original.EntityTypeRegistryKey + EntityTypeRegistryValue EntityType = original.EntityTypeRegistryValue + EntityTypeSecurityAlert EntityType = original.EntityTypeSecurityAlert + EntityTypeSecurityGroup EntityType = original.EntityTypeSecurityGroup + EntityTypeURL EntityType = original.EntityTypeURL +) + +type FileHashAlgorithm = original.FileHashAlgorithm + +const ( + MD5 FileHashAlgorithm = original.MD5 + SHA1 FileHashAlgorithm = original.SHA1 + SHA256 FileHashAlgorithm = original.SHA256 + SHA256AC FileHashAlgorithm = original.SHA256AC + Unknown FileHashAlgorithm = original.Unknown +) + +type KillChainIntent = original.KillChainIntent + +const ( + KillChainIntentCollection KillChainIntent = original.KillChainIntentCollection + KillChainIntentCommandAndControl KillChainIntent = original.KillChainIntentCommandAndControl + KillChainIntentCredentialAccess KillChainIntent = original.KillChainIntentCredentialAccess + KillChainIntentDefenseEvasion KillChainIntent = original.KillChainIntentDefenseEvasion + KillChainIntentDiscovery KillChainIntent = original.KillChainIntentDiscovery + KillChainIntentExecution KillChainIntent = original.KillChainIntentExecution + KillChainIntentExfiltration KillChainIntent = original.KillChainIntentExfiltration + KillChainIntentExploitation KillChainIntent = original.KillChainIntentExploitation + KillChainIntentImpact KillChainIntent = original.KillChainIntentImpact + KillChainIntentLateralMovement KillChainIntent = original.KillChainIntentLateralMovement + KillChainIntentPersistence KillChainIntent = original.KillChainIntentPersistence + KillChainIntentPrivilegeEscalation KillChainIntent = original.KillChainIntentPrivilegeEscalation + KillChainIntentProbing KillChainIntent = original.KillChainIntentProbing + KillChainIntentUnknown KillChainIntent = original.KillChainIntentUnknown ) type Kind = original.Kind @@ -120,22 +220,36 @@ const ( type KindBasicDataConnector = original.KindBasicDataConnector const ( - KindAmazonWebServicesCloudTrail KindBasicDataConnector = original.KindAmazonWebServicesCloudTrail - KindAzureActiveDirectory KindBasicDataConnector = original.KindAzureActiveDirectory - KindAzureSecurityCenter KindBasicDataConnector = original.KindAzureSecurityCenter - KindDataConnector KindBasicDataConnector = original.KindDataConnector - KindMicrosoftCloudAppSecurity KindBasicDataConnector = original.KindMicrosoftCloudAppSecurity - KindOffice365 KindBasicDataConnector = original.KindOffice365 - KindThreatIntelligence KindBasicDataConnector = original.KindThreatIntelligence + KindAmazonWebServicesCloudTrail KindBasicDataConnector = original.KindAmazonWebServicesCloudTrail + KindAzureActiveDirectory KindBasicDataConnector = original.KindAzureActiveDirectory + KindAzureAdvancedThreatProtection KindBasicDataConnector = original.KindAzureAdvancedThreatProtection + KindAzureSecurityCenter KindBasicDataConnector = original.KindAzureSecurityCenter + KindDataConnector KindBasicDataConnector = original.KindDataConnector + KindMicrosoftCloudAppSecurity KindBasicDataConnector = original.KindMicrosoftCloudAppSecurity + KindMicrosoftDefenderAdvancedThreatProtection KindBasicDataConnector = original.KindMicrosoftDefenderAdvancedThreatProtection + KindOffice365 KindBasicDataConnector = original.KindOffice365 + KindThreatIntelligence KindBasicDataConnector = original.KindThreatIntelligence ) type KindBasicEntity = original.KindBasicEntity const ( - KindAccount KindBasicEntity = original.KindAccount - KindEntity KindBasicEntity = original.KindEntity - KindFile KindBasicEntity = original.KindFile - KindHost KindBasicEntity = original.KindHost + KindAccount KindBasicEntity = original.KindAccount + KindAzureResource KindBasicEntity = original.KindAzureResource + KindCloudApplication KindBasicEntity = original.KindCloudApplication + KindDNSResolution KindBasicEntity = original.KindDNSResolution + KindEntity KindBasicEntity = original.KindEntity + KindFile KindBasicEntity = original.KindFile + KindFileHash KindBasicEntity = original.KindFileHash + KindHost KindBasicEntity = original.KindHost + KindIP KindBasicEntity = original.KindIP + KindMalware KindBasicEntity = original.KindMalware + KindProcess KindBasicEntity = original.KindProcess + KindRegistryKey KindBasicEntity = original.KindRegistryKey + KindRegistryValue KindBasicEntity = original.KindRegistryValue + KindSecurityAlert KindBasicEntity = original.KindSecurityAlert + KindSecurityGroup KindBasicEntity = original.KindSecurityGroup + KindURL KindBasicEntity = original.KindURL ) type KindBasicSettings = original.KindBasicSettings @@ -162,6 +276,34 @@ const ( Windows OSFamily = original.Windows ) +type RegistryHive = original.RegistryHive + +const ( + HKEYA RegistryHive = original.HKEYA + HKEYCLASSESROOT RegistryHive = original.HKEYCLASSESROOT + HKEYCURRENTCONFIG RegistryHive = original.HKEYCURRENTCONFIG + HKEYCURRENTUSER RegistryHive = original.HKEYCURRENTUSER + HKEYCURRENTUSERLOCALSETTINGS RegistryHive = original.HKEYCURRENTUSERLOCALSETTINGS + HKEYLOCALMACHINE RegistryHive = original.HKEYLOCALMACHINE + HKEYPERFORMANCEDATA RegistryHive = original.HKEYPERFORMANCEDATA + HKEYPERFORMANCENLSTEXT RegistryHive = original.HKEYPERFORMANCENLSTEXT + HKEYPERFORMANCETEXT RegistryHive = original.HKEYPERFORMANCETEXT + HKEYUSERS RegistryHive = original.HKEYUSERS +) + +type RegistryValueKind = original.RegistryValueKind + +const ( + RegistryValueKindBinary RegistryValueKind = original.RegistryValueKindBinary + RegistryValueKindDWord RegistryValueKind = original.RegistryValueKindDWord + RegistryValueKindExpandString RegistryValueKind = original.RegistryValueKindExpandString + RegistryValueKindMultiString RegistryValueKind = original.RegistryValueKindMultiString + RegistryValueKindNone RegistryValueKind = original.RegistryValueKindNone + RegistryValueKindQWord RegistryValueKind = original.RegistryValueKindQWord + RegistryValueKindString RegistryValueKind = original.RegistryValueKindString + RegistryValueKindUnknown RegistryValueKind = original.RegistryValueKindUnknown +) + type SettingKind = original.SettingKind const ( @@ -187,6 +329,8 @@ const ( type AADDataConnector = original.AADDataConnector type AADDataConnectorProperties = original.AADDataConnectorProperties +type AATPDataConnector = original.AATPDataConnector +type AATPDataConnectorProperties = original.AATPDataConnectorProperties type ASCDataConnector = original.ASCDataConnector type ASCDataConnectorProperties = original.ASCDataConnectorProperties type AccountEntity = original.AccountEntity @@ -213,6 +357,8 @@ type AwsCloudTrailDataConnector = original.AwsCloudTrailDataConnector type AwsCloudTrailDataConnectorDataTypes = original.AwsCloudTrailDataConnectorDataTypes type AwsCloudTrailDataConnectorDataTypesLogs = original.AwsCloudTrailDataConnectorDataTypesLogs type AwsCloudTrailDataConnectorProperties = original.AwsCloudTrailDataConnectorProperties +type AzureResourceEntity = original.AzureResourceEntity +type AzureResourceEntityProperties = original.AzureResourceEntityProperties type BaseClient = original.BaseClient type BasicAggregations = original.BasicAggregations type BasicAlertRule = original.BasicAlertRule @@ -236,8 +382,12 @@ type CasesAggregationByStatusProperties = original.CasesAggregationByStatusPrope type CasesAggregationProperties = original.CasesAggregationProperties type CasesAggregationsClient = original.CasesAggregationsClient type CasesClient = original.CasesClient +type CloudApplicationEntity = original.CloudApplicationEntity +type CloudApplicationEntityProperties = original.CloudApplicationEntityProperties type CloudError = original.CloudError type CloudErrorBody = original.CloudErrorBody +type DNSEntity = original.DNSEntity +type DNSEntityProperties = original.DNSEntityProperties type DataConnector = original.DataConnector type DataConnectorDataTypeCommon = original.DataConnectorDataTypeCommon type DataConnectorKind1 = original.DataConnectorKind1 @@ -250,6 +400,10 @@ type DataConnectorWithAlertsProperties = original.DataConnectorWithAlertsPropert type DataConnectorsClient = original.DataConnectorsClient type EntitiesClient = original.EntitiesClient type Entity = original.Entity +type EntityCommonProperties = original.EntityCommonProperties +type EntityExpandParameters = original.EntityExpandParameters +type EntityExpandResponse = original.EntityExpandResponse +type EntityExpandResponseValue = original.EntityExpandResponseValue type EntityKind1 = original.EntityKind1 type EntityList = original.EntityList type EntityListIterator = original.EntityListIterator @@ -261,12 +415,25 @@ type EntityQueryList = original.EntityQueryList type EntityQueryListIterator = original.EntityQueryListIterator type EntityQueryListPage = original.EntityQueryListPage type EntityQueryProperties = original.EntityQueryProperties +type ExpansionResultAggregation = original.ExpansionResultAggregation +type ExpansionResultsMetadata = original.ExpansionResultsMetadata type FileEntity = original.FileEntity type FileEntityProperties = original.FileEntityProperties +type FileHashEntity = original.FileHashEntity +type FileHashEntityProperties = original.FileHashEntityProperties +type GeoLocation = original.GeoLocation type HostEntity = original.HostEntity type HostEntityProperties = original.HostEntityProperties +type IPEntity = original.IPEntity +type IPEntityProperties = original.IPEntityProperties type MCASDataConnector = original.MCASDataConnector +type MCASDataConnectorDataTypes = original.MCASDataConnectorDataTypes +type MCASDataConnectorDataTypesDiscoveryLogs = original.MCASDataConnectorDataTypesDiscoveryLogs type MCASDataConnectorProperties = original.MCASDataConnectorProperties +type MDATPDataConnector = original.MDATPDataConnector +type MDATPDataConnectorProperties = original.MDATPDataConnectorProperties +type MalwareEntity = original.MalwareEntity +type MalwareEntityProperties = original.MalwareEntityProperties type OfficeConsent = original.OfficeConsent type OfficeConsentList = original.OfficeConsentList type OfficeConsentListIterator = original.OfficeConsentListIterator @@ -284,10 +451,21 @@ type OperationsClient = original.OperationsClient type OperationsList = original.OperationsList type OperationsListIterator = original.OperationsListIterator type OperationsListPage = original.OperationsListPage +type ProcessEntity = original.ProcessEntity +type ProcessEntityProperties = original.ProcessEntityProperties type ProductSettingsClient = original.ProductSettingsClient +type RegistryKeyEntity = original.RegistryKeyEntity +type RegistryKeyEntityProperties = original.RegistryKeyEntityProperties +type RegistryValueEntity = original.RegistryValueEntity +type RegistryValueEntityProperties = original.RegistryValueEntityProperties type Resource = original.Resource type ScheduledAlertRule = original.ScheduledAlertRule type ScheduledAlertRuleProperties = original.ScheduledAlertRuleProperties +type SecurityAlert = original.SecurityAlert +type SecurityAlertProperties = original.SecurityAlertProperties +type SecurityAlertPropertiesConfidenceReasonsItem = original.SecurityAlertPropertiesConfidenceReasonsItem +type SecurityGroupEntity = original.SecurityGroupEntity +type SecurityGroupEntityProperties = original.SecurityGroupEntityProperties type Settings = original.Settings type SettingsKind = original.SettingsKind type SettingsModel = original.SettingsModel @@ -295,8 +473,11 @@ type TIDataConnector = original.TIDataConnector type TIDataConnectorDataTypes = original.TIDataConnectorDataTypes type TIDataConnectorDataTypesIndicators = original.TIDataConnectorDataTypesIndicators type TIDataConnectorProperties = original.TIDataConnectorProperties +type ThreatIntelligence = original.ThreatIntelligence type ToggleSettings = original.ToggleSettings type ToggleSettingsProperties = original.ToggleSettingsProperties +type URLEntity = original.URLEntity +type URLEntityProperties = original.URLEntityProperties type UebaSettings = original.UebaSettings type UebaSettingsProperties = original.UebaSettingsProperties type UserInfo = original.UserInfo @@ -436,6 +617,9 @@ func PossibleAlertRuleKindValues() []AlertRuleKind { func PossibleAlertSeverityValues() []AlertSeverity { return original.PossibleAlertSeverityValues() } +func PossibleAlertStatusValues() []AlertStatus { + return original.PossibleAlertStatusValues() +} func PossibleCaseSeverityValues() []CaseSeverity { return original.PossibleCaseSeverityValues() } @@ -445,15 +629,33 @@ func PossibleCaseStatusValues() []CaseStatus { func PossibleCloseReasonValues() []CloseReason { return original.PossibleCloseReasonValues() } +func PossibleConfidenceLevelValues() []ConfidenceLevel { + return original.PossibleConfidenceLevelValues() +} +func PossibleConfidenceScoreStatusValues() []ConfidenceScoreStatus { + return original.PossibleConfidenceScoreStatusValues() +} func PossibleDataConnectorKindValues() []DataConnectorKind { return original.PossibleDataConnectorKindValues() } func PossibleDataTypeStateValues() []DataTypeState { return original.PossibleDataTypeStateValues() } +func PossibleElevationTokenValues() []ElevationToken { + return original.PossibleElevationTokenValues() +} func PossibleEntityKindValues() []EntityKind { return original.PossibleEntityKindValues() } +func PossibleEntityTypeValues() []EntityType { + return original.PossibleEntityTypeValues() +} +func PossibleFileHashAlgorithmValues() []FileHashAlgorithm { + return original.PossibleFileHashAlgorithmValues() +} +func PossibleKillChainIntentValues() []KillChainIntent { + return original.PossibleKillChainIntentValues() +} func PossibleKindBasicAggregationsValues() []KindBasicAggregations { return original.PossibleKindBasicAggregationsValues() } @@ -475,6 +677,12 @@ func PossibleLicenseStatusValues() []LicenseStatus { func PossibleOSFamilyValues() []OSFamily { return original.PossibleOSFamilyValues() } +func PossibleRegistryHiveValues() []RegistryHive { + return original.PossibleRegistryHiveValues() +} +func PossibleRegistryValueKindValues() []RegistryValueKind { + return original.PossibleRegistryValueKindValues() +} func PossibleSettingKindValues() []SettingKind { return original.PossibleSettingKindValues() } diff --git a/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/entities.go b/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/entities.go index e72cffc3e2c3..f0e21ffe611a 100644 --- a/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/entities.go +++ b/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/entities.go @@ -41,6 +41,105 @@ func NewEntitiesClientWithBaseURI(baseURI string, subscriptionID string) Entitie return EntitiesClient{NewWithBaseURI(baseURI, subscriptionID)} } +// Expand expands an entity. +// Parameters: +// resourceGroupName - the name of the resource group within the user's subscription. The name is case +// insensitive. +// operationalInsightsResourceProvider - the namespace of workspaces resource provider- +// Microsoft.OperationalInsights. +// workspaceName - the name of the workspace. +// entityID - entity ID +// parameters - the parameters required to execute an expand operation on the given entity. +func (client EntitiesClient) Expand(ctx context.Context, resourceGroupName string, operationalInsightsResourceProvider string, workspaceName string, entityID string, parameters EntityExpandParameters) (result EntityExpandResponse, err error) { + if tracing.IsEnabled() { + ctx = tracing.StartSpan(ctx, fqdn+"/EntitiesClient.Expand") + defer func() { + sc := -1 + if result.Response.Response != nil { + sc = result.Response.Response.StatusCode + } + tracing.EndSpan(ctx, sc, err) + }() + } + if err := validation.Validate([]validation.Validation{ + {TargetValue: client.SubscriptionID, + Constraints: []validation.Constraint{{Target: "client.SubscriptionID", Name: validation.Pattern, Rule: `^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$`, Chain: nil}}}, + {TargetValue: resourceGroupName, + Constraints: []validation.Constraint{{Target: "resourceGroupName", Name: validation.MaxLength, Rule: 90, Chain: nil}, + {Target: "resourceGroupName", Name: validation.MinLength, Rule: 1, Chain: nil}, + {Target: "resourceGroupName", Name: validation.Pattern, Rule: `^[-\w\._\(\)]+$`, Chain: nil}}}, + {TargetValue: workspaceName, + Constraints: []validation.Constraint{{Target: "workspaceName", Name: validation.MaxLength, Rule: 90, Chain: nil}, + {Target: "workspaceName", Name: validation.MinLength, Rule: 1, Chain: nil}}}}); err != nil { + return result, validation.NewError("securityinsight.EntitiesClient", "Expand", err.Error()) + } + + req, err := client.ExpandPreparer(ctx, resourceGroupName, operationalInsightsResourceProvider, workspaceName, entityID, parameters) + if err != nil { + err = autorest.NewErrorWithError(err, "securityinsight.EntitiesClient", "Expand", nil, "Failure preparing request") + return + } + + resp, err := client.ExpandSender(req) + if err != nil { + result.Response = autorest.Response{Response: resp} + err = autorest.NewErrorWithError(err, "securityinsight.EntitiesClient", "Expand", resp, "Failure sending request") + return + } + + result, err = client.ExpandResponder(resp) + if err != nil { + err = autorest.NewErrorWithError(err, "securityinsight.EntitiesClient", "Expand", resp, "Failure responding to request") + } + + return +} + +// ExpandPreparer prepares the Expand request. +func (client EntitiesClient) ExpandPreparer(ctx context.Context, resourceGroupName string, operationalInsightsResourceProvider string, workspaceName string, entityID string, parameters EntityExpandParameters) (*http.Request, error) { + pathParameters := map[string]interface{}{ + "entityId": autorest.Encode("path", entityID), + "operationalInsightsResourceProvider": autorest.Encode("path", operationalInsightsResourceProvider), + "resourceGroupName": autorest.Encode("path", resourceGroupName), + "subscriptionId": autorest.Encode("path", client.SubscriptionID), + "workspaceName": autorest.Encode("path", workspaceName), + } + + const APIVersion = "2019-01-01-preview" + queryParameters := map[string]interface{}{ + "api-version": APIVersion, + } + + preparer := autorest.CreatePreparer( + autorest.AsContentType("application/json; charset=utf-8"), + autorest.AsPost(), + autorest.WithBaseURL(client.BaseURI), + autorest.WithPathParameters("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand", pathParameters), + autorest.WithJSON(parameters), + autorest.WithQueryParameters(queryParameters)) + return preparer.Prepare((&http.Request{}).WithContext(ctx)) +} + +// ExpandSender sends the Expand request. The method will close the +// http.Response Body if it receives an error. +func (client EntitiesClient) ExpandSender(req *http.Request) (*http.Response, error) { + sd := autorest.GetSendDecorators(req.Context(), azure.DoRetryWithRegistration(client.Client)) + return autorest.SendWithSender(client, req, sd...) +} + +// ExpandResponder handles the response to the Expand request. The method always +// closes the http.Response Body. +func (client EntitiesClient) ExpandResponder(resp *http.Response) (result EntityExpandResponse, err error) { + err = autorest.Respond( + resp, + client.ByInspecting(), + azure.WithErrorUnlessStatusCode(http.StatusOK), + autorest.ByUnmarshallingJSON(&result), + autorest.ByClosing()) + result.Response = autorest.Response{Response: resp} + return +} + // Get gets an entity. // Parameters: // resourceGroupName - the name of the resource group within the user's subscription. The name is case diff --git a/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/models.go b/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/models.go index 9edc244aaa02..7f24440b5600 100644 --- a/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/models.go +++ b/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/models.go @@ -76,6 +76,27 @@ func PossibleAlertSeverityValues() []AlertSeverity { return []AlertSeverity{High, Informational, Low, Medium} } +// AlertStatus enumerates the values for alert status. +type AlertStatus string + +const ( + // AlertStatusDismissed Alert dismissed as false positive + AlertStatusDismissed AlertStatus = "Dismissed" + // AlertStatusInProgress Alert is being handled + AlertStatusInProgress AlertStatus = "InProgress" + // AlertStatusNew New alert + AlertStatusNew AlertStatus = "New" + // AlertStatusResolved Alert closed after handling + AlertStatusResolved AlertStatus = "Resolved" + // AlertStatusUnknown Unknown value + AlertStatusUnknown AlertStatus = "Unknown" +) + +// PossibleAlertStatusValues returns an array of possible values for the AlertStatus const type. +func PossibleAlertStatusValues() []AlertStatus { + return []AlertStatus{AlertStatusDismissed, AlertStatusInProgress, AlertStatusNew, AlertStatusResolved, AlertStatusUnknown} +} + // CaseSeverity enumerates the values for case severity. type CaseSeverity string @@ -133,27 +154,69 @@ func PossibleCloseReasonValues() []CloseReason { return []CloseReason{Dismissed, Other, Resolved} } +// ConfidenceLevel enumerates the values for confidence level. +type ConfidenceLevel string + +const ( + // ConfidenceLevelHigh High confidence that the alert is true positive malicious + ConfidenceLevelHigh ConfidenceLevel = "High" + // ConfidenceLevelLow Low confidence, meaning we have some doubts this is indeed malicious or part of an + // attack + ConfidenceLevelLow ConfidenceLevel = "Low" + // ConfidenceLevelUnknown Unknown confidence, the is the default value + ConfidenceLevelUnknown ConfidenceLevel = "Unknown" +) + +// PossibleConfidenceLevelValues returns an array of possible values for the ConfidenceLevel const type. +func PossibleConfidenceLevelValues() []ConfidenceLevel { + return []ConfidenceLevel{ConfidenceLevelHigh, ConfidenceLevelLow, ConfidenceLevelUnknown} +} + +// ConfidenceScoreStatus enumerates the values for confidence score status. +type ConfidenceScoreStatus string + +const ( + // Final Final score was calculated and available + Final ConfidenceScoreStatus = "Final" + // InProcess No score was set yet and calculation is in progress + InProcess ConfidenceScoreStatus = "InProcess" + // NotApplicable Score will not be calculated for this alert as it is not supported by virtual analyst + NotApplicable ConfidenceScoreStatus = "NotApplicable" + // NotFinal Score is calculated and shown as part of the alert, but may be updated again at a later time + // following the processing of additional data + NotFinal ConfidenceScoreStatus = "NotFinal" +) + +// PossibleConfidenceScoreStatusValues returns an array of possible values for the ConfidenceScoreStatus const type. +func PossibleConfidenceScoreStatusValues() []ConfidenceScoreStatus { + return []ConfidenceScoreStatus{Final, InProcess, NotApplicable, NotFinal} +} + // DataConnectorKind enumerates the values for data connector kind. type DataConnectorKind string const ( - // AmazonWebServicesCloudTrail ... - AmazonWebServicesCloudTrail DataConnectorKind = "AmazonWebServicesCloudTrail" - // AzureActiveDirectory ... - AzureActiveDirectory DataConnectorKind = "AzureActiveDirectory" - // AzureSecurityCenter ... - AzureSecurityCenter DataConnectorKind = "AzureSecurityCenter" - // MicrosoftCloudAppSecurity ... - MicrosoftCloudAppSecurity DataConnectorKind = "MicrosoftCloudAppSecurity" - // Office365 ... - Office365 DataConnectorKind = "Office365" - // ThreatIntelligence ... - ThreatIntelligence DataConnectorKind = "ThreatIntelligence" + // DataConnectorKindAmazonWebServicesCloudTrail ... + DataConnectorKindAmazonWebServicesCloudTrail DataConnectorKind = "AmazonWebServicesCloudTrail" + // DataConnectorKindAzureActiveDirectory ... + DataConnectorKindAzureActiveDirectory DataConnectorKind = "AzureActiveDirectory" + // DataConnectorKindAzureAdvancedThreatProtection ... + DataConnectorKindAzureAdvancedThreatProtection DataConnectorKind = "AzureAdvancedThreatProtection" + // DataConnectorKindAzureSecurityCenter ... + DataConnectorKindAzureSecurityCenter DataConnectorKind = "AzureSecurityCenter" + // DataConnectorKindMicrosoftCloudAppSecurity ... + DataConnectorKindMicrosoftCloudAppSecurity DataConnectorKind = "MicrosoftCloudAppSecurity" + // DataConnectorKindMicrosoftDefenderAdvancedThreatProtection ... + DataConnectorKindMicrosoftDefenderAdvancedThreatProtection DataConnectorKind = "MicrosoftDefenderAdvancedThreatProtection" + // DataConnectorKindOffice365 ... + DataConnectorKindOffice365 DataConnectorKind = "Office365" + // DataConnectorKindThreatIntelligence ... + DataConnectorKindThreatIntelligence DataConnectorKind = "ThreatIntelligence" ) // PossibleDataConnectorKindValues returns an array of possible values for the DataConnectorKind const type. func PossibleDataConnectorKindValues() []DataConnectorKind { - return []DataConnectorKind{AmazonWebServicesCloudTrail, AzureActiveDirectory, AzureSecurityCenter, MicrosoftCloudAppSecurity, Office365, ThreatIntelligence} + return []DataConnectorKind{DataConnectorKindAmazonWebServicesCloudTrail, DataConnectorKindAzureActiveDirectory, DataConnectorKindAzureAdvancedThreatProtection, DataConnectorKindAzureSecurityCenter, DataConnectorKindMicrosoftCloudAppSecurity, DataConnectorKindMicrosoftDefenderAdvancedThreatProtection, DataConnectorKindOffice365, DataConnectorKindThreatIntelligence} } // DataTypeState enumerates the values for data type state. @@ -171,21 +234,206 @@ func PossibleDataTypeStateValues() []DataTypeState { return []DataTypeState{Disabled, Enabled} } +// ElevationToken enumerates the values for elevation token. +type ElevationToken string + +const ( + // Default Default elevation token + Default ElevationToken = "Default" + // Full Full elevation token + Full ElevationToken = "Full" + // Limited Limited elevation token + Limited ElevationToken = "Limited" +) + +// PossibleElevationTokenValues returns an array of possible values for the ElevationToken const type. +func PossibleElevationTokenValues() []ElevationToken { + return []ElevationToken{Default, Full, Limited} +} + // EntityKind enumerates the values for entity kind. type EntityKind string const ( - // Account Entity represents account in the system. - Account EntityKind = "Account" - // File Entity represents file in the system. - File EntityKind = "File" - // Host Entity represents host in the system. - Host EntityKind = "Host" + // EntityKindAccount Entity represents account in the system. + EntityKindAccount EntityKind = "Account" + // EntityKindAzureResource Entity represents azure resource in the system. + EntityKindAzureResource EntityKind = "AzureResource" + // EntityKindBookmark Entity represents bookmark in the system. + EntityKindBookmark EntityKind = "Bookmark" + // EntityKindCloudApplication Entity represents cloud application in the system. + EntityKindCloudApplication EntityKind = "CloudApplication" + // EntityKindDNSResolution Entity represents dns resolution in the system. + EntityKindDNSResolution EntityKind = "DnsResolution" + // EntityKindFile Entity represents file in the system. + EntityKindFile EntityKind = "File" + // EntityKindFileHash Entity represents file hash in the system. + EntityKindFileHash EntityKind = "FileHash" + // EntityKindHost Entity represents host in the system. + EntityKindHost EntityKind = "Host" + // EntityKindIP Entity represents ip in the system. + EntityKindIP EntityKind = "Ip" + // EntityKindMalware Entity represents malware in the system. + EntityKindMalware EntityKind = "Malware" + // EntityKindProcess Entity represents process in the system. + EntityKindProcess EntityKind = "Process" + // EntityKindRegistryKey Entity represents registry key in the system. + EntityKindRegistryKey EntityKind = "RegistryKey" + // EntityKindRegistryValue Entity represents registry value in the system. + EntityKindRegistryValue EntityKind = "RegistryValue" + // EntityKindSecurityAlert Entity represents security alert in the system. + EntityKindSecurityAlert EntityKind = "SecurityAlert" + // EntityKindSecurityGroup Entity represents security group in the system. + EntityKindSecurityGroup EntityKind = "SecurityGroup" + // EntityKindURL Entity represents url in the system. + EntityKindURL EntityKind = "Url" ) // PossibleEntityKindValues returns an array of possible values for the EntityKind const type. func PossibleEntityKindValues() []EntityKind { - return []EntityKind{Account, File, Host} + return []EntityKind{EntityKindAccount, EntityKindAzureResource, EntityKindBookmark, EntityKindCloudApplication, EntityKindDNSResolution, EntityKindFile, EntityKindFileHash, EntityKindHost, EntityKindIP, EntityKindMalware, EntityKindProcess, EntityKindRegistryKey, EntityKindRegistryValue, EntityKindSecurityAlert, EntityKindSecurityGroup, EntityKindURL} +} + +// EntityType enumerates the values for entity type. +type EntityType string + +const ( + // EntityTypeAccount Entity represents account in the system. + EntityTypeAccount EntityType = "Account" + // EntityTypeAzureResource Entity represents azure resource in the system. + EntityTypeAzureResource EntityType = "AzureResource" + // EntityTypeCloudApplication Entity represents cloud application in the system. + EntityTypeCloudApplication EntityType = "CloudApplication" + // EntityTypeDNS Entity represents dns in the system. + EntityTypeDNS EntityType = "DNS" + // EntityTypeFile Entity represents file in the system. + EntityTypeFile EntityType = "File" + // EntityTypeFileHash Entity represents file hash in the system. + EntityTypeFileHash EntityType = "FileHash" + // EntityTypeHost Entity represents host in the system. + EntityTypeHost EntityType = "Host" + // EntityTypeHuntingBookmark Entity represents HuntingBookmark in the system. + EntityTypeHuntingBookmark EntityType = "HuntingBookmark" + // EntityTypeIP Entity represents ip in the system. + EntityTypeIP EntityType = "IP" + // EntityTypeMalware Entity represents malware in the system. + EntityTypeMalware EntityType = "Malware" + // EntityTypeProcess Entity represents process in the system. + EntityTypeProcess EntityType = "Process" + // EntityTypeRegistryKey Entity represents registry key in the system. + EntityTypeRegistryKey EntityType = "RegistryKey" + // EntityTypeRegistryValue Entity represents registry value in the system. + EntityTypeRegistryValue EntityType = "RegistryValue" + // EntityTypeSecurityAlert Entity represents security alert in the system. + EntityTypeSecurityAlert EntityType = "SecurityAlert" + // EntityTypeSecurityGroup Entity represents security group in the system. + EntityTypeSecurityGroup EntityType = "SecurityGroup" + // EntityTypeURL Entity represents url in the system. + EntityTypeURL EntityType = "URL" +) + +// PossibleEntityTypeValues returns an array of possible values for the EntityType const type. +func PossibleEntityTypeValues() []EntityType { + return []EntityType{EntityTypeAccount, EntityTypeAzureResource, EntityTypeCloudApplication, EntityTypeDNS, EntityTypeFile, EntityTypeFileHash, EntityTypeHost, EntityTypeHuntingBookmark, EntityTypeIP, EntityTypeMalware, EntityTypeProcess, EntityTypeRegistryKey, EntityTypeRegistryValue, EntityTypeSecurityAlert, EntityTypeSecurityGroup, EntityTypeURL} +} + +// FileHashAlgorithm enumerates the values for file hash algorithm. +type FileHashAlgorithm string + +const ( + // MD5 MD5 hash type + MD5 FileHashAlgorithm = "MD5" + // SHA1 SHA1 hash type + SHA1 FileHashAlgorithm = "SHA1" + // SHA256 SHA256 hash type + SHA256 FileHashAlgorithm = "SHA256" + // SHA256AC SHA256 Authenticode hash type + SHA256AC FileHashAlgorithm = "SHA256AC" + // Unknown Unknown hash algorithm + Unknown FileHashAlgorithm = "Unknown" +) + +// PossibleFileHashAlgorithmValues returns an array of possible values for the FileHashAlgorithm const type. +func PossibleFileHashAlgorithmValues() []FileHashAlgorithm { + return []FileHashAlgorithm{MD5, SHA1, SHA256, SHA256AC, Unknown} +} + +// KillChainIntent enumerates the values for kill chain intent. +type KillChainIntent string + +const ( + // KillChainIntentCollection Collection consists of techniques used to identify and gather information, + // such as sensitive files, from a target network prior to exfiltration. This category also covers + // locations on a system or network where the adversary may look for information to exfiltrate. + KillChainIntentCollection KillChainIntent = "Collection" + // KillChainIntentCommandAndControl The command and control tactic represents how adversaries communicate + // with systems under their control within a target network. + KillChainIntentCommandAndControl KillChainIntent = "CommandAndControl" + // KillChainIntentCredentialAccess Credential access represents techniques resulting in access to or + // control over system, domain, or service credentials that are used within an enterprise environment. + // Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts + // (local system administrator or domain users with administrator access) to use within the network. With + // sufficient access within a network, an adversary can create accounts for later use within the + // environment. + KillChainIntentCredentialAccess KillChainIntent = "CredentialAccess" + // KillChainIntentDefenseEvasion Defense evasion consists of techniques an adversary may use to evade + // detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques + // in other categories that have the added benefit of subverting a particular defense or mitigation. + KillChainIntentDefenseEvasion KillChainIntent = "DefenseEvasion" + // KillChainIntentDiscovery Discovery consists of techniques that allow the adversary to gain knowledge + // about the system and internal network. When adversaries gain access to a new system, they must orient + // themselves to what they now have control of and what benefits operating from that system give to their + // current objective or overall goals during the intrusion. The operating system provides many native tools + // that aid in this post-compromise information-gathering phase. + KillChainIntentDiscovery KillChainIntent = "Discovery" + // KillChainIntentExecution The execution tactic represents techniques that result in execution of + // adversary-controlled code on a local or remote system. This tactic is often used in conjunction with + // lateral movement to expand access to remote systems on a network. + KillChainIntentExecution KillChainIntent = "Execution" + // KillChainIntentExfiltration Exfiltration refers to techniques and attributes that result or aid in the + // adversary removing files and information from a target network. This category also covers locations on a + // system or network where the adversary may look for information to exfiltrate. + KillChainIntentExfiltration KillChainIntent = "Exfiltration" + // KillChainIntentExploitation Exploitation is the stage where an attacker manage to get foothold on the + // attacked resource. This stage is applicable not only for compute hosts, but also for resources such as + // user accounts, certificates etc. Adversaries will often be able to control the resource after this + // stage. + KillChainIntentExploitation KillChainIntent = "Exploitation" + // KillChainIntentImpact The impact intent primary objective is to directly reduce the availability or + // integrity of a system, service, or network; including manipulation of data to impact a business or + // operational process. This would often refer to techniques such as ransom-ware, defacement, data + // manipulation and others. + KillChainIntentImpact KillChainIntent = "Impact" + // KillChainIntentLateralMovement Lateral movement consists of techniques that enable an adversary to + // access and control remote systems on a network and could, but does not necessarily, include execution of + // tools on remote systems. The lateral movement techniques could allow an adversary to gather information + // from a system without needing additional tools, such as a remote access tool. An adversary can use + // lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, + // access to specific information or files, access to additional credentials, or to cause an effect. + KillChainIntentLateralMovement KillChainIntent = "LateralMovement" + // KillChainIntentPersistence Persistence is any access, action, or configuration change to a system that + // gives an adversary a persistent presence on that system. Adversaries will often need to maintain access + // to systems through interruptions such as system restarts, loss of credentials, or other failures that + // would require a remote access tool to restart or alternate backdoor for them to regain access. + KillChainIntentPersistence KillChainIntent = "Persistence" + // KillChainIntentPrivilegeEscalation Privilege escalation is the result of actions that allow an adversary + // to obtain a higher level of permissions on a system or network. Certain tools or actions require a + // higher level of privilege to work and are likely necessary at many points throughout an operation. User + // accounts with permissions to access specific systems or perform specific functions necessary for + // adversaries to achieve their objective may also be considered an escalation of privilege. + KillChainIntentPrivilegeEscalation KillChainIntent = "PrivilegeEscalation" + // KillChainIntentProbing Probing could be an attempt to access a certain resource regardless of a + // malicious intent or a failed attempt to gain access to a target system to gather information prior to + // exploitation. This step is usually detected as an attempt originating from outside the network in + // attempt to scan the target system and find a way in. + KillChainIntentProbing KillChainIntent = "Probing" + // KillChainIntentUnknown The default value. + KillChainIntentUnknown KillChainIntent = "Unknown" +) + +// PossibleKillChainIntentValues returns an array of possible values for the KillChainIntent const type. +func PossibleKillChainIntentValues() []KillChainIntent { + return []KillChainIntent{KillChainIntentCollection, KillChainIntentCommandAndControl, KillChainIntentCredentialAccess, KillChainIntentDefenseEvasion, KillChainIntentDiscovery, KillChainIntentExecution, KillChainIntentExfiltration, KillChainIntentExploitation, KillChainIntentImpact, KillChainIntentLateralMovement, KillChainIntentPersistence, KillChainIntentPrivilegeEscalation, KillChainIntentProbing, KillChainIntentUnknown} } // Kind enumerates the values for kind. @@ -226,12 +474,16 @@ const ( KindAmazonWebServicesCloudTrail KindBasicDataConnector = "AmazonWebServicesCloudTrail" // KindAzureActiveDirectory ... KindAzureActiveDirectory KindBasicDataConnector = "AzureActiveDirectory" + // KindAzureAdvancedThreatProtection ... + KindAzureAdvancedThreatProtection KindBasicDataConnector = "AzureAdvancedThreatProtection" // KindAzureSecurityCenter ... KindAzureSecurityCenter KindBasicDataConnector = "AzureSecurityCenter" // KindDataConnector ... KindDataConnector KindBasicDataConnector = "DataConnector" // KindMicrosoftCloudAppSecurity ... KindMicrosoftCloudAppSecurity KindBasicDataConnector = "MicrosoftCloudAppSecurity" + // KindMicrosoftDefenderAdvancedThreatProtection ... + KindMicrosoftDefenderAdvancedThreatProtection KindBasicDataConnector = "MicrosoftDefenderAdvancedThreatProtection" // KindOffice365 ... KindOffice365 KindBasicDataConnector = "Office365" // KindThreatIntelligence ... @@ -240,7 +492,7 @@ const ( // PossibleKindBasicDataConnectorValues returns an array of possible values for the KindBasicDataConnector const type. func PossibleKindBasicDataConnectorValues() []KindBasicDataConnector { - return []KindBasicDataConnector{KindAmazonWebServicesCloudTrail, KindAzureActiveDirectory, KindAzureSecurityCenter, KindDataConnector, KindMicrosoftCloudAppSecurity, KindOffice365, KindThreatIntelligence} + return []KindBasicDataConnector{KindAmazonWebServicesCloudTrail, KindAzureActiveDirectory, KindAzureAdvancedThreatProtection, KindAzureSecurityCenter, KindDataConnector, KindMicrosoftCloudAppSecurity, KindMicrosoftDefenderAdvancedThreatProtection, KindOffice365, KindThreatIntelligence} } // KindBasicEntity enumerates the values for kind basic entity. @@ -249,17 +501,41 @@ type KindBasicEntity string const ( // KindAccount ... KindAccount KindBasicEntity = "Account" + // KindAzureResource ... + KindAzureResource KindBasicEntity = "AzureResource" + // KindCloudApplication ... + KindCloudApplication KindBasicEntity = "CloudApplication" + // KindDNSResolution ... + KindDNSResolution KindBasicEntity = "DnsResolution" // KindEntity ... KindEntity KindBasicEntity = "Entity" // KindFile ... KindFile KindBasicEntity = "File" + // KindFileHash ... + KindFileHash KindBasicEntity = "FileHash" // KindHost ... KindHost KindBasicEntity = "Host" + // KindIP ... + KindIP KindBasicEntity = "Ip" + // KindMalware ... + KindMalware KindBasicEntity = "Malware" + // KindProcess ... + KindProcess KindBasicEntity = "Process" + // KindRegistryKey ... + KindRegistryKey KindBasicEntity = "RegistryKey" + // KindRegistryValue ... + KindRegistryValue KindBasicEntity = "RegistryValue" + // KindSecurityAlert ... + KindSecurityAlert KindBasicEntity = "SecurityAlert" + // KindSecurityGroup ... + KindSecurityGroup KindBasicEntity = "SecurityGroup" + // KindURL ... + KindURL KindBasicEntity = "Url" ) // PossibleKindBasicEntityValues returns an array of possible values for the KindBasicEntity const type. func PossibleKindBasicEntityValues() []KindBasicEntity { - return []KindBasicEntity{KindAccount, KindEntity, KindFile, KindHost} + return []KindBasicEntity{KindAccount, KindAzureResource, KindCloudApplication, KindDNSResolution, KindEntity, KindFile, KindFileHash, KindHost, KindIP, KindMalware, KindProcess, KindRegistryKey, KindRegistryValue, KindSecurityAlert, KindSecurityGroup, KindURL} } // KindBasicSettings enumerates the values for kind basic settings. @@ -313,6 +589,64 @@ func PossibleOSFamilyValues() []OSFamily { return []OSFamily{Android, IOS, Linux, Windows} } +// RegistryHive enumerates the values for registry hive. +type RegistryHive string + +const ( + // HKEYA HKEY_A + HKEYA RegistryHive = "HKEY_A" + // HKEYCLASSESROOT HKEY_CLASSES_ROOT + HKEYCLASSESROOT RegistryHive = "HKEY_CLASSES_ROOT" + // HKEYCURRENTCONFIG HKEY_CURRENT_CONFIG + HKEYCURRENTCONFIG RegistryHive = "HKEY_CURRENT_CONFIG" + // HKEYCURRENTUSER HKEY_CURRENT_USER + HKEYCURRENTUSER RegistryHive = "HKEY_CURRENT_USER" + // HKEYCURRENTUSERLOCALSETTINGS HKEY_CURRENT_USER_LOCAL_SETTINGS + HKEYCURRENTUSERLOCALSETTINGS RegistryHive = "HKEY_CURRENT_USER_LOCAL_SETTINGS" + // HKEYLOCALMACHINE HKEY_LOCAL_MACHINE + HKEYLOCALMACHINE RegistryHive = "HKEY_LOCAL_MACHINE" + // HKEYPERFORMANCEDATA HKEY_PERFORMANCE_DATA + HKEYPERFORMANCEDATA RegistryHive = "HKEY_PERFORMANCE_DATA" + // HKEYPERFORMANCENLSTEXT HKEY_PERFORMANCE_NLSTEXT + HKEYPERFORMANCENLSTEXT RegistryHive = "HKEY_PERFORMANCE_NLSTEXT" + // HKEYPERFORMANCETEXT HKEY_PERFORMANCE_TEXT + HKEYPERFORMANCETEXT RegistryHive = "HKEY_PERFORMANCE_TEXT" + // HKEYUSERS HKEY_USERS + HKEYUSERS RegistryHive = "HKEY_USERS" +) + +// PossibleRegistryHiveValues returns an array of possible values for the RegistryHive const type. +func PossibleRegistryHiveValues() []RegistryHive { + return []RegistryHive{HKEYA, HKEYCLASSESROOT, HKEYCURRENTCONFIG, HKEYCURRENTUSER, HKEYCURRENTUSERLOCALSETTINGS, HKEYLOCALMACHINE, HKEYPERFORMANCEDATA, HKEYPERFORMANCENLSTEXT, HKEYPERFORMANCETEXT, HKEYUSERS} +} + +// RegistryValueKind enumerates the values for registry value kind. +type RegistryValueKind string + +const ( + // RegistryValueKindBinary Binary value type + RegistryValueKindBinary RegistryValueKind = "Binary" + // RegistryValueKindDWord DWord value type + RegistryValueKindDWord RegistryValueKind = "DWord" + // RegistryValueKindExpandString ExpandString value type + RegistryValueKindExpandString RegistryValueKind = "ExpandString" + // RegistryValueKindMultiString MultiString value type + RegistryValueKindMultiString RegistryValueKind = "MultiString" + // RegistryValueKindNone None + RegistryValueKindNone RegistryValueKind = "None" + // RegistryValueKindQWord QWord value type + RegistryValueKindQWord RegistryValueKind = "QWord" + // RegistryValueKindString String value type + RegistryValueKindString RegistryValueKind = "String" + // RegistryValueKindUnknown Unknown value type + RegistryValueKindUnknown RegistryValueKind = "Unknown" +) + +// PossibleRegistryValueKindValues returns an array of possible values for the RegistryValueKind const type. +func PossibleRegistryValueKindValues() []RegistryValueKind { + return []RegistryValueKind{RegistryValueKindBinary, RegistryValueKindDWord, RegistryValueKindExpandString, RegistryValueKindMultiString, RegistryValueKindNone, RegistryValueKindQWord, RegistryValueKindString, RegistryValueKindUnknown} +} + // SettingKind enumerates the values for setting kind. type SettingKind string @@ -374,7 +708,7 @@ type AADDataConnector struct { Name *string `json:"name,omitempty"` // Etag - Etag of the data connector. Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' Kind KindBasicDataConnector `json:"kind,omitempty"` } @@ -424,6 +758,16 @@ func (adc AADDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { return nil, false } +// AsAATPDataConnector is the BasicDataConnector implementation for AADDataConnector. +func (adc AADDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for AADDataConnector. +func (adc AADDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + // AsDataConnector is the BasicDataConnector implementation for AADDataConnector. func (adc AADDataConnector) AsDataConnector() (*DataConnector, bool) { return nil, false @@ -511,6 +855,165 @@ type AADDataConnectorProperties struct { DataTypes *AlertsDataTypeOfDataConnector `json:"dataTypes,omitempty"` } +// AATPDataConnector represents AATP (Azure Advanced Threat Protection) data connector. +type AATPDataConnector struct { + // AATPDataConnectorProperties - AATP (Azure Advanced Threat Protection) data connector properties. + *AATPDataConnectorProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Etag - Etag of the data connector. + Etag *string `json:"etag,omitempty"` + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' + Kind KindBasicDataConnector `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for AATPDataConnector. +func (adc AATPDataConnector) MarshalJSON() ([]byte, error) { + adc.Kind = KindAzureAdvancedThreatProtection + objectMap := make(map[string]interface{}) + if adc.AATPDataConnectorProperties != nil { + objectMap["properties"] = adc.AATPDataConnectorProperties + } + if adc.Etag != nil { + objectMap["etag"] = adc.Etag + } + if adc.Kind != "" { + objectMap["kind"] = adc.Kind + } + return json.Marshal(objectMap) +} + +// AsOfficeDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsOfficeDataConnector() (*OfficeDataConnector, bool) { + return nil, false +} + +// AsTIDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsTIDataConnector() (*TIDataConnector, bool) { + return nil, false +} + +// AsAwsCloudTrailDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) { + return nil, false +} + +// AsAADDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsAADDataConnector() (*AADDataConnector, bool) { + return nil, false +} + +// AsASCDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsASCDataConnector() (*ASCDataConnector, bool) { + return nil, false +} + +// AsMCASDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { + return nil, false +} + +// AsAATPDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return &adc, true +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + +// AsDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsDataConnector() (*DataConnector, bool) { + return nil, false +} + +// AsBasicDataConnector is the BasicDataConnector implementation for AATPDataConnector. +func (adc AATPDataConnector) AsBasicDataConnector() (BasicDataConnector, bool) { + return &adc, true +} + +// UnmarshalJSON is the custom unmarshaler for AATPDataConnector struct. +func (adc *AATPDataConnector) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var aATPDataConnectorProperties AATPDataConnectorProperties + err = json.Unmarshal(*v, &aATPDataConnectorProperties) + if err != nil { + return err + } + adc.AATPDataConnectorProperties = &aATPDataConnectorProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + adc.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + adc.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + adc.Name = &name + } + case "etag": + if v != nil { + var etag string + err = json.Unmarshal(*v, &etag) + if err != nil { + return err + } + adc.Etag = &etag + } + case "kind": + if v != nil { + var kind KindBasicDataConnector + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + adc.Kind = kind + } + } + } + + return nil +} + +// AATPDataConnectorProperties AATP (Azure Advanced Threat Protection) data connector properties. +type AATPDataConnectorProperties struct { + // TenantID - The tenant id to connect to, and get the data from. + TenantID *string `json:"tenantId,omitempty"` + // DataTypes - The available data types for the connector. + DataTypes *AlertsDataTypeOfDataConnector `json:"dataTypes,omitempty"` +} + // AccountEntity represents an account entity. type AccountEntity struct { // AccountEntityProperties - Account entity properties @@ -521,7 +1024,7 @@ type AccountEntity struct { Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` - // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile' + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' Kind KindBasicEntity `json:"kind,omitempty"` } @@ -553,6 +1056,66 @@ func (ae AccountEntity) AsFileEntity() (*FileEntity, bool) { return nil, false } +// AsSecurityAlert is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for AccountEntity. +func (ae AccountEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + // AsEntity is the BasicEntity implementation for AccountEntity. func (ae AccountEntity) AsEntity() (*Entity, bool) { return nil, false @@ -641,8 +1204,22 @@ type AccountEntityProperties struct { Puid *string `json:"puid,omitempty"` // IsDomainJoined - READ-ONLY; Determines whether this is a domain account. IsDomainJoined *bool `json:"isDomainJoined,omitempty"` + // DisplayName - READ-ONLY; The display name of the account. + DisplayName *string `json:"displayName,omitempty"` // ObjectGUID - READ-ONLY; The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory. ObjectGUID *uuid.UUID `json:"objectGuid,omitempty"` + // HostEntityID - READ-ONLY; The Host entity id that contains the account in case it is a local account (not domain joined) + HostEntityID *string `json:"hostEntityId,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for AccountEntityProperties. +func (aep AccountEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) } // Action action for alert rule. @@ -1299,7 +1876,7 @@ type ASCDataConnector struct { Name *string `json:"name,omitempty"` // Etag - Etag of the data connector. Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' Kind KindBasicDataConnector `json:"kind,omitempty"` } @@ -1349,6 +1926,16 @@ func (adc ASCDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { return nil, false } +// AsAATPDataConnector is the BasicDataConnector implementation for ASCDataConnector. +func (adc ASCDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for ASCDataConnector. +func (adc ASCDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + // AsDataConnector is the BasicDataConnector implementation for ASCDataConnector. func (adc ASCDataConnector) AsDataConnector() (*DataConnector, bool) { return nil, false @@ -1448,7 +2035,7 @@ type AwsCloudTrailDataConnector struct { Name *string `json:"name,omitempty"` // Etag - Etag of the data connector. Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' Kind KindBasicDataConnector `json:"kind,omitempty"` } @@ -1498,6 +2085,16 @@ func (actdc AwsCloudTrailDataConnector) AsMCASDataConnector() (*MCASDataConnecto return nil, false } +// AsAATPDataConnector is the BasicDataConnector implementation for AwsCloudTrailDataConnector. +func (actdc AwsCloudTrailDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for AwsCloudTrailDataConnector. +func (actdc AwsCloudTrailDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + // AsDataConnector is the BasicDataConnector implementation for AwsCloudTrailDataConnector. func (actdc AwsCloudTrailDataConnector) AsDataConnector() (*DataConnector, bool) { return nil, false @@ -1598,40 +2195,228 @@ type AwsCloudTrailDataConnectorProperties struct { DataTypes *AwsCloudTrailDataConnectorDataTypes `json:"dataTypes,omitempty"` } -// Bookmark represents a bookmark in Azure Security Insights. -type Bookmark struct { - autorest.Response `json:"-"` - // Etag - Etag of the bookmark. - Etag *string `json:"etag,omitempty"` - // BookmarkProperties - Bookmark properties - *BookmarkProperties `json:"properties,omitempty"` +// AzureResourceEntity represents an azure resource entity. +type AzureResourceEntity struct { + // AzureResourceEntityProperties - AzureResource entity properties + *AzureResourceEntityProperties `json:"properties,omitempty"` // ID - READ-ONLY; Azure resource Id ID *string `json:"id,omitempty"` // Type - READ-ONLY; Azure resource type Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` } -// MarshalJSON is the custom marshaler for Bookmark. -func (b Bookmark) MarshalJSON() ([]byte, error) { +// MarshalJSON is the custom marshaler for AzureResourceEntity. +func (are AzureResourceEntity) MarshalJSON() ([]byte, error) { + are.Kind = KindAzureResource objectMap := make(map[string]interface{}) - if b.Etag != nil { - objectMap["etag"] = b.Etag + if are.AzureResourceEntityProperties != nil { + objectMap["properties"] = are.AzureResourceEntityProperties } - if b.BookmarkProperties != nil { - objectMap["properties"] = b.BookmarkProperties + if are.Kind != "" { + objectMap["kind"] = are.Kind } return json.Marshal(objectMap) } -// UnmarshalJSON is the custom unmarshaler for Bookmark struct. -func (b *Bookmark) UnmarshalJSON(body []byte) error { - var m map[string]*json.RawMessage - err := json.Unmarshal(body, &m) - if err != nil { - return err - } +// AsAccountEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return &are, true +} + +// AsCloudApplicationEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for AzureResourceEntity. +func (are AzureResourceEntity) AsBasicEntity() (BasicEntity, bool) { + return &are, true +} + +// UnmarshalJSON is the custom unmarshaler for AzureResourceEntity struct. +func (are *AzureResourceEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var azureResourceEntityProperties AzureResourceEntityProperties + err = json.Unmarshal(*v, &azureResourceEntityProperties) + if err != nil { + return err + } + are.AzureResourceEntityProperties = &azureResourceEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + are.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + are.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + are.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + are.Kind = kind + } + } + } + + return nil +} + +// AzureResourceEntityProperties azureResource entity property bag. +type AzureResourceEntityProperties struct { + // ResourceID - READ-ONLY; The azure resource id of the resource + ResourceID *string `json:"resourceId,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for AzureResourceEntityProperties. +func (arep AzureResourceEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// Bookmark represents a bookmark in Azure Security Insights. +type Bookmark struct { + autorest.Response `json:"-"` + // Etag - Etag of the bookmark. + Etag *string `json:"etag,omitempty"` + // BookmarkProperties - Bookmark properties + *BookmarkProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` +} + +// MarshalJSON is the custom marshaler for Bookmark. +func (b Bookmark) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if b.Etag != nil { + objectMap["etag"] = b.Etag + } + if b.BookmarkProperties != nil { + objectMap["properties"] = b.BookmarkProperties + } + return json.Marshal(objectMap) +} + +// UnmarshalJSON is the custom unmarshaler for Bookmark struct. +func (b *Bookmark) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } for k, v := range m { switch k { case "etag": @@ -2246,23 +3031,120 @@ type CasesAggregationProperties struct { AggregationByStatus *CasesAggregationByStatusProperties `json:"aggregationByStatus,omitempty"` } -// CloudError error response structure. -type CloudError struct { - // CloudErrorBody - Error data - *CloudErrorBody `json:"error,omitempty"` +// CloudApplicationEntity represents a cloud application entity. +type CloudApplicationEntity struct { + // CloudApplicationEntityProperties - CloudApplication entity properties + *CloudApplicationEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` } -// MarshalJSON is the custom marshaler for CloudError. -func (ce CloudError) MarshalJSON() ([]byte, error) { +// MarshalJSON is the custom marshaler for CloudApplicationEntity. +func (cae CloudApplicationEntity) MarshalJSON() ([]byte, error) { + cae.Kind = KindCloudApplication objectMap := make(map[string]interface{}) - if ce.CloudErrorBody != nil { - objectMap["error"] = ce.CloudErrorBody + if cae.CloudApplicationEntityProperties != nil { + objectMap["properties"] = cae.CloudApplicationEntityProperties + } + if cae.Kind != "" { + objectMap["kind"] = cae.Kind } return json.Marshal(objectMap) } -// UnmarshalJSON is the custom unmarshaler for CloudError struct. -func (ce *CloudError) UnmarshalJSON(body []byte) error { +// AsAccountEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return &cae, true +} + +// AsProcessEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for CloudApplicationEntity. +func (cae CloudApplicationEntity) AsBasicEntity() (BasicEntity, bool) { + return &cae, true +} + +// UnmarshalJSON is the custom unmarshaler for CloudApplicationEntity struct. +func (cae *CloudApplicationEntity) UnmarshalJSON(body []byte) error { var m map[string]*json.RawMessage err := json.Unmarshal(body, &m) if err != nil { @@ -2270,14 +3152,50 @@ func (ce *CloudError) UnmarshalJSON(body []byte) error { } for k, v := range m { switch k { - case "error": + case "properties": if v != nil { - var cloudErrorBody CloudErrorBody - err = json.Unmarshal(*v, &cloudErrorBody) + var cloudApplicationEntityProperties CloudApplicationEntityProperties + err = json.Unmarshal(*v, &cloudApplicationEntityProperties) if err != nil { return err } - ce.CloudErrorBody = &cloudErrorBody + cae.CloudApplicationEntityProperties = &cloudApplicationEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + cae.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + cae.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + cae.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + cae.Kind = kind } } } @@ -2285,22 +3203,83 @@ func (ce *CloudError) UnmarshalJSON(body []byte) error { return nil } -// CloudErrorBody error details. -type CloudErrorBody struct { - // Code - READ-ONLY; An identifier for the error. Codes are invariant and are intended to be consumed programmatically. - Code *string `json:"code,omitempty"` - // Message - READ-ONLY; A message describing the error, intended to be suitable for display in a user interface. - Message *string `json:"message,omitempty"` +// CloudApplicationEntityProperties cloudApplication entity property bag. +type CloudApplicationEntityProperties struct { + // AppID - READ-ONLY; The technical identifier of the application. + AppID *int32 `json:"appId,omitempty"` + // AppName - READ-ONLY; The name of the related cloud application. + AppName *string `json:"appName,omitempty"` + // InstanceName - READ-ONLY; The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has. + InstanceName *string `json:"instanceName,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` } -// BasicDataConnector data connector. -type BasicDataConnector interface { - AsOfficeDataConnector() (*OfficeDataConnector, bool) - AsTIDataConnector() (*TIDataConnector, bool) - AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) - AsAADDataConnector() (*AADDataConnector, bool) +// MarshalJSON is the custom marshaler for CloudApplicationEntityProperties. +func (caep CloudApplicationEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// CloudError error response structure. +type CloudError struct { + // CloudErrorBody - Error data + *CloudErrorBody `json:"error,omitempty"` +} + +// MarshalJSON is the custom marshaler for CloudError. +func (ce CloudError) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if ce.CloudErrorBody != nil { + objectMap["error"] = ce.CloudErrorBody + } + return json.Marshal(objectMap) +} + +// UnmarshalJSON is the custom unmarshaler for CloudError struct. +func (ce *CloudError) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "error": + if v != nil { + var cloudErrorBody CloudErrorBody + err = json.Unmarshal(*v, &cloudErrorBody) + if err != nil { + return err + } + ce.CloudErrorBody = &cloudErrorBody + } + } + } + + return nil +} + +// CloudErrorBody error details. +type CloudErrorBody struct { + // Code - READ-ONLY; An identifier for the error. Codes are invariant and are intended to be consumed programmatically. + Code *string `json:"code,omitempty"` + // Message - READ-ONLY; A message describing the error, intended to be suitable for display in a user interface. + Message *string `json:"message,omitempty"` +} + +// BasicDataConnector data connector. +type BasicDataConnector interface { + AsOfficeDataConnector() (*OfficeDataConnector, bool) + AsTIDataConnector() (*TIDataConnector, bool) + AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) + AsAADDataConnector() (*AADDataConnector, bool) AsASCDataConnector() (*ASCDataConnector, bool) AsMCASDataConnector() (*MCASDataConnector, bool) + AsAATPDataConnector() (*AATPDataConnector, bool) + AsMDATPDataConnector() (*MDATPDataConnector, bool) AsDataConnector() (*DataConnector, bool) } @@ -2315,7 +3294,7 @@ type DataConnector struct { Name *string `json:"name,omitempty"` // Etag - Etag of the data connector. Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' Kind KindBasicDataConnector `json:"kind,omitempty"` } @@ -2351,6 +3330,14 @@ func unmarshalBasicDataConnector(body []byte) (BasicDataConnector, error) { var mdc MCASDataConnector err := json.Unmarshal(body, &mdc) return mdc, err + case string(KindAzureAdvancedThreatProtection): + var adc AATPDataConnector + err := json.Unmarshal(body, &adc) + return adc, err + case string(KindMicrosoftDefenderAdvancedThreatProtection): + var mdc MDATPDataConnector + err := json.Unmarshal(body, &mdc) + return mdc, err default: var dc DataConnector err := json.Unmarshal(body, &dc) @@ -2419,6 +3406,16 @@ func (dc DataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { return nil, false } +// AsAATPDataConnector is the BasicDataConnector implementation for DataConnector. +func (dc DataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for DataConnector. +func (dc DataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + // AsDataConnector is the BasicDataConnector implementation for DataConnector. func (dc DataConnector) AsDataConnector() (*DataConnector, bool) { return &dc, true @@ -2437,7 +3434,7 @@ type DataConnectorDataTypeCommon struct { // DataConnectorKind1 describes an Azure resource with kind. type DataConnectorKind1 struct { - // Kind - The kind of the data connector. Possible values include: 'AzureActiveDirectory', 'AzureSecurityCenter', 'MicrosoftCloudAppSecurity', 'ThreatIntelligence', 'Office365', 'AmazonWebServicesCloudTrail' + // Kind - The kind of the data connector. Possible values include: 'DataConnectorKindAzureActiveDirectory', 'DataConnectorKindAzureSecurityCenter', 'DataConnectorKindMicrosoftCloudAppSecurity', 'DataConnectorKindThreatIntelligence', 'DataConnectorKindOffice365', 'DataConnectorKindAmazonWebServicesCloudTrail', 'DataConnectorKindAzureAdvancedThreatProtection', 'DataConnectorKindMicrosoftDefenderAdvancedThreatProtection' Kind DataConnectorKind `json:"kind,omitempty"` } @@ -2648,11 +3645,217 @@ type DataConnectorWithAlertsProperties struct { DataTypes *AlertsDataTypeOfDataConnector `json:"dataTypes,omitempty"` } +// DNSEntity represents a dns entity. +type DNSEntity struct { + // DNSEntityProperties - Dns entity properties + *DNSEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for DNSEntity. +func (de DNSEntity) MarshalJSON() ([]byte, error) { + de.Kind = KindDNSResolution + objectMap := make(map[string]interface{}) + if de.DNSEntityProperties != nil { + objectMap["properties"] = de.DNSEntityProperties + } + if de.Kind != "" { + objectMap["kind"] = de.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsDNSEntity() (*DNSEntity, bool) { + return &de, true +} + +// AsIPEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for DNSEntity. +func (de DNSEntity) AsBasicEntity() (BasicEntity, bool) { + return &de, true +} + +// UnmarshalJSON is the custom unmarshaler for DNSEntity struct. +func (de *DNSEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var DNSEntityProperties DNSEntityProperties + err = json.Unmarshal(*v, &DNSEntityProperties) + if err != nil { + return err + } + de.DNSEntityProperties = &DNSEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + de.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + de.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + de.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + de.Kind = kind + } + } + } + + return nil +} + +// DNSEntityProperties dns entity property bag. +type DNSEntityProperties struct { + // DomainName - READ-ONLY; The name of the dns record associated with the alert + DomainName *string `json:"domainName,omitempty"` + // IPAddressEntityIds - READ-ONLY; Ip entity identifiers for the resolved ip address. + IPAddressEntityIds *[]string `json:"ipAddressEntityIds,omitempty"` + // DNSServerIPEntityID - READ-ONLY; An ip entity id for the dns server resolving the request + DNSServerIPEntityID *string `json:"dnsServerIpEntityId,omitempty"` + // HostIPAddressEntityID - READ-ONLY; An ip entity id for the dns request client + HostIPAddressEntityID *string `json:"hostIpAddressEntityId,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for DNSEntityProperties. +func (dep DNSEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + // BasicEntity specific entity. type BasicEntity interface { AsAccountEntity() (*AccountEntity, bool) AsHostEntity() (*HostEntity, bool) AsFileEntity() (*FileEntity, bool) + AsSecurityAlert() (*SecurityAlert, bool) + AsFileHashEntity() (*FileHashEntity, bool) + AsMalwareEntity() (*MalwareEntity, bool) + AsSecurityGroupEntity() (*SecurityGroupEntity, bool) + AsAzureResourceEntity() (*AzureResourceEntity, bool) + AsCloudApplicationEntity() (*CloudApplicationEntity, bool) + AsProcessEntity() (*ProcessEntity, bool) + AsDNSEntity() (*DNSEntity, bool) + AsIPEntity() (*IPEntity, bool) + AsRegistryKeyEntity() (*RegistryKeyEntity, bool) + AsRegistryValueEntity() (*RegistryValueEntity, bool) + AsURLEntity() (*URLEntity, bool) AsEntity() (*Entity, bool) } @@ -2665,7 +3868,7 @@ type Entity struct { Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` - // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile' + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' Kind KindBasicEntity `json:"kind,omitempty"` } @@ -2689,6 +3892,54 @@ func unmarshalBasicEntity(body []byte) (BasicEntity, error) { var fe FileEntity err := json.Unmarshal(body, &fe) return fe, err + case string(KindSecurityAlert): + var sa SecurityAlert + err := json.Unmarshal(body, &sa) + return sa, err + case string(KindFileHash): + var fhe FileHashEntity + err := json.Unmarshal(body, &fhe) + return fhe, err + case string(KindMalware): + var me MalwareEntity + err := json.Unmarshal(body, &me) + return me, err + case string(KindSecurityGroup): + var sge SecurityGroupEntity + err := json.Unmarshal(body, &sge) + return sge, err + case string(KindAzureResource): + var are AzureResourceEntity + err := json.Unmarshal(body, &are) + return are, err + case string(KindCloudApplication): + var cae CloudApplicationEntity + err := json.Unmarshal(body, &cae) + return cae, err + case string(KindProcess): + var peVar ProcessEntity + err := json.Unmarshal(body, &peVar) + return peVar, err + case string(KindDNSResolution): + var de DNSEntity + err := json.Unmarshal(body, &de) + return de, err + case string(KindIP): + var ie IPEntity + err := json.Unmarshal(body, &ie) + return ie, err + case string(KindRegistryKey): + var rke RegistryKeyEntity + err := json.Unmarshal(body, &rke) + return rke, err + case string(KindRegistryValue): + var rve RegistryValueEntity + err := json.Unmarshal(body, &rve) + return rve, err + case string(KindURL): + var ue URLEntity + err := json.Unmarshal(body, &ue) + return ue, err default: var e Entity err := json.Unmarshal(body, &e) @@ -2739,6 +3990,66 @@ func (e Entity) AsFileEntity() (*FileEntity, bool) { return nil, false } +// AsSecurityAlert is the BasicEntity implementation for Entity. +func (e Entity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for Entity. +func (e Entity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for Entity. +func (e Entity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for Entity. +func (e Entity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for Entity. +func (e Entity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for Entity. +func (e Entity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for Entity. +func (e Entity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for Entity. +func (e Entity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for Entity. +func (e Entity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for Entity. +func (e Entity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for Entity. +func (e Entity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for Entity. +func (e Entity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + // AsEntity is the BasicEntity implementation for Entity. func (e Entity) AsEntity() (*Entity, bool) { return &e, true @@ -2749,9 +4060,71 @@ func (e Entity) AsBasicEntity() (BasicEntity, bool) { return &e, true } -// EntityKind1 describes an Azure resource with kind. +// EntityCommonProperties entity common property bag. +type EntityCommonProperties struct { + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for EntityCommonProperties. +func (ecp EntityCommonProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// EntityExpandParameters the parameters required to execute an expand operation on the given entity. +type EntityExpandParameters struct { + // ExpansionID - The Id of the expansion to perform. + ExpansionID *uuid.UUID `json:"expansionId,omitempty"` + // StartTime - The start date filter, so the only expansion results returned are after this date. + StartTime *date.Time `json:"startTime,omitempty"` + // EndTime - The end date filter, so the only expansion results returned are before this date. + EndTime *date.Time `json:"endTime,omitempty"` +} + +// EntityExpandResponse the entity expansion result operation response. +type EntityExpandResponse struct { + autorest.Response `json:"-"` + // Value - The expansion result values. + Value *EntityExpandResponseValue `json:"value,omitempty"` + // MetaData - The metadata from the expansion operation results. + MetaData *ExpansionResultsMetadata `json:"metaData,omitempty"` +} + +// EntityExpandResponseValue the expansion result values. +type EntityExpandResponseValue struct { + // Entities - Array of the expansion result entities. + Entities *[]BasicEntity `json:"entities,omitempty"` +} + +// UnmarshalJSON is the custom unmarshaler for EntityExpandResponseValue struct. +func (eer *EntityExpandResponseValue) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "entities": + if v != nil { + entities, err := unmarshalBasicEntityArray(*v) + if err != nil { + return err + } + eer.Entities = &entities + } + } + } + + return nil +} + +// EntityKind1 describes an entity with kind. type EntityKind1 struct { - // Kind - The kind of the entity. Possible values include: 'Account', 'Host', 'File' + // Kind - The kind of the entity. Possible values include: 'EntityKindAccount', 'EntityKindHost', 'EntityKindFile', 'EntityKindAzureResource', 'EntityKindCloudApplication', 'EntityKindDNSResolution', 'EntityKindFileHash', 'EntityKindIP', 'EntityKindMalware', 'EntityKindProcess', 'EntityKindRegistryKey', 'EntityKindRegistryValue', 'EntityKindSecurityGroup', 'EntityKindURL', 'EntityKindSecurityAlert', 'EntityKindBookmark' Kind EntityKind `json:"kind,omitempty"` } @@ -3173,21 +4546,39 @@ func NewEntityQueryListPage(getNextPage func(context.Context, EntityQueryList) ( type EntityQueryProperties struct { // QueryTemplate - The template query string to be parsed and formatted QueryTemplate *string `json:"queryTemplate,omitempty"` - // InputEntityType - The type of the query's source entity - InputEntityType *string `json:"inputEntityType,omitempty"` + // InputEntityType - The type of the query's source entity. Possible values include: 'EntityTypeAccount', 'EntityTypeHost', 'EntityTypeFile', 'EntityTypeAzureResource', 'EntityTypeCloudApplication', 'EntityTypeDNS', 'EntityTypeFileHash', 'EntityTypeIP', 'EntityTypeMalware', 'EntityTypeProcess', 'EntityTypeRegistryKey', 'EntityTypeRegistryValue', 'EntityTypeSecurityGroup', 'EntityTypeURL', 'EntityTypeSecurityAlert', 'EntityTypeHuntingBookmark' + InputEntityType EntityType `json:"inputEntityType,omitempty"` // InputFields - List of the fields of the source entity that are required to run the query InputFields *[]string `json:"inputFields,omitempty"` // OutputEntityTypes - List of the desired output types to be constructed from the result - OutputEntityTypes *[]string `json:"outputEntityTypes,omitempty"` + OutputEntityTypes *[]EntityType `json:"outputEntityTypes,omitempty"` // DataSources - List of the data sources that are required to run the query DataSources *[]string `json:"dataSources,omitempty"` // DisplayName - The query display name DisplayName *string `json:"displayName,omitempty"` } -// FileEntity represents a file entity. -type FileEntity struct { - // FileEntityProperties - File entity properties +// ExpansionResultAggregation information of a specific aggregation in the expansion result. +type ExpansionResultAggregation struct { + // EntityKind - The kind of the aggregated entity. Possible values include: 'EntityKindAccount', 'EntityKindHost', 'EntityKindFile', 'EntityKindAzureResource', 'EntityKindCloudApplication', 'EntityKindDNSResolution', 'EntityKindFileHash', 'EntityKindIP', 'EntityKindMalware', 'EntityKindProcess', 'EntityKindRegistryKey', 'EntityKindRegistryValue', 'EntityKindSecurityGroup', 'EntityKindURL', 'EntityKindSecurityAlert', 'EntityKindBookmark' + EntityKind EntityKind `json:"entityKind,omitempty"` + // Count - Total number of aggregations of the given kind (and aggregationType if given) in the expansion result. + Count *int32 `json:"count,omitempty"` + // AggregationType - The common type of the aggregation. (for e.g. entity field name) + AggregationType *string `json:"aggregationType,omitempty"` + // DisplayName - The display name of the aggregation by type. + DisplayName *string `json:"displayName,omitempty"` +} + +// ExpansionResultsMetadata expansion result metadata. +type ExpansionResultsMetadata struct { + // Aggregations - Information of the aggregated nodes in the expansion result. + Aggregations *[]ExpansionResultAggregation `json:"aggregations,omitempty"` +} + +// FileEntity represents a file entity. +type FileEntity struct { + // FileEntityProperties - File entity properties *FileEntityProperties `json:"properties,omitempty"` // ID - READ-ONLY; Azure resource Id ID *string `json:"id,omitempty"` @@ -3195,7 +4586,7 @@ type FileEntity struct { Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` - // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile' + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' Kind KindBasicEntity `json:"kind,omitempty"` } @@ -3227,6 +4618,66 @@ func (fe FileEntity) AsFileEntity() (*FileEntity, bool) { return &fe, true } +// AsSecurityAlert is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for FileEntity. +func (fe FileEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + // AsEntity is the BasicEntity implementation for FileEntity. func (fe FileEntity) AsEntity() (*Entity, bool) { return nil, false @@ -3303,6 +4754,228 @@ type FileEntityProperties struct { Directory *string `json:"directory,omitempty"` // FileName - READ-ONLY; The file name without path (some alerts might not include path). FileName *string `json:"fileName,omitempty"` + // HostEntityID - READ-ONLY; The Host entity id which the file belongs to + HostEntityID *string `json:"hostEntityId,omitempty"` + // FileHashEntityIds - READ-ONLY; The file hash entity identifiers associated with this file + FileHashEntityIds *[]string `json:"fileHashEntityIds,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for FileEntityProperties. +func (fep FileEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// FileHashEntity represents a file hash entity. +type FileHashEntity struct { + // FileHashEntityProperties - FileHash entity properties + *FileHashEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for FileHashEntity. +func (fhe FileHashEntity) MarshalJSON() ([]byte, error) { + fhe.Kind = KindFileHash + objectMap := make(map[string]interface{}) + if fhe.FileHashEntityProperties != nil { + objectMap["properties"] = fhe.FileHashEntityProperties + } + if fhe.Kind != "" { + objectMap["kind"] = fhe.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return &fhe, true +} + +// AsMalwareEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for FileHashEntity. +func (fhe FileHashEntity) AsBasicEntity() (BasicEntity, bool) { + return &fhe, true +} + +// UnmarshalJSON is the custom unmarshaler for FileHashEntity struct. +func (fhe *FileHashEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var fileHashEntityProperties FileHashEntityProperties + err = json.Unmarshal(*v, &fileHashEntityProperties) + if err != nil { + return err + } + fhe.FileHashEntityProperties = &fileHashEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + fhe.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + fhe.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + fhe.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + fhe.Kind = kind + } + } + } + + return nil +} + +// FileHashEntityProperties fileHash entity property bag. +type FileHashEntityProperties struct { + // HashValue - READ-ONLY; The file hash value. + HashValue *string `json:"hashValue,omitempty"` + // Algorithm - READ-ONLY; The hash algorithm type. Possible values include: 'Unknown', 'MD5', 'SHA1', 'SHA256', 'SHA256AC' + Algorithm FileHashAlgorithm `json:"algorithm,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for FileHashEntityProperties. +func (fhep FileHashEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// GeoLocation the geo-location context attached to the ip entity +type GeoLocation struct { + // CountryCode - READ-ONLY; The country code according to ISO 3166 format + CountryCode *string `json:"countryCode,omitempty"` + // CountryName - READ-ONLY; Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name + CountryName *string `json:"countryName,omitempty"` + // State - READ-ONLY; State name + State *string `json:"state,omitempty"` + // City - READ-ONLY; City name + City *string `json:"city,omitempty"` + // Longitude - READ-ONLY; The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code. + Longitude *float64 `json:"longitude,omitempty"` + // Latitude - READ-ONLY; The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code. + Latitude *float64 `json:"latitude,omitempty"` + // Asn - READ-ONLY; Autonomous System Number + Asn *int32 `json:"asn,omitempty"` } // HostEntity represents a host entity. @@ -3315,7 +4988,7 @@ type HostEntity struct { Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` - // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile' + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' Kind KindBasicEntity `json:"kind,omitempty"` } @@ -3347,6 +5020,66 @@ func (he HostEntity) AsFileEntity() (*FileEntity, bool) { return nil, false } +// AsSecurityAlert is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for HostEntity. +func (he HostEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + // AsEntity is the BasicEntity implementation for HostEntity. func (he HostEntity) AsEntity() (*Entity, bool) { return nil, false @@ -3437,97 +5170,150 @@ type HostEntityProperties struct { OsVersion *string `json:"osVersion,omitempty"` // IsDomainJoined - READ-ONLY; Determines whether this host belongs to a domain. IsDomainJoined *bool `json:"isDomainJoined,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` } -// MCASDataConnector represents MCAS (Microsoft Cloud App Security) data connector. -type MCASDataConnector struct { - // MCASDataConnectorProperties - MCAS (Microsoft Cloud App Security) data connector properties. - *MCASDataConnectorProperties `json:"properties,omitempty"` +// MarshalJSON is the custom marshaler for HostEntityProperties. +func (hep HostEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if hep.OsFamily != "" { + objectMap["osFamily"] = hep.OsFamily + } + return json.Marshal(objectMap) +} + +// IPEntity represents an ip entity. +type IPEntity struct { + // IPEntityProperties - Ip entity properties + *IPEntityProperties `json:"properties,omitempty"` // ID - READ-ONLY; Azure resource Id ID *string `json:"id,omitempty"` // Type - READ-ONLY; Azure resource type Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` - // Etag - Etag of the data connector. - Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' - Kind KindBasicDataConnector `json:"kind,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` } -// MarshalJSON is the custom marshaler for MCASDataConnector. -func (mdc MCASDataConnector) MarshalJSON() ([]byte, error) { - mdc.Kind = KindMicrosoftCloudAppSecurity +// MarshalJSON is the custom marshaler for IPEntity. +func (ie IPEntity) MarshalJSON() ([]byte, error) { + ie.Kind = KindIP objectMap := make(map[string]interface{}) - if mdc.MCASDataConnectorProperties != nil { - objectMap["properties"] = mdc.MCASDataConnectorProperties - } - if mdc.Etag != nil { - objectMap["etag"] = mdc.Etag + if ie.IPEntityProperties != nil { + objectMap["properties"] = ie.IPEntityProperties } - if mdc.Kind != "" { - objectMap["kind"] = mdc.Kind + if ie.Kind != "" { + objectMap["kind"] = ie.Kind } return json.Marshal(objectMap) } -// AsOfficeDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsOfficeDataConnector() (*OfficeDataConnector, bool) { +// AsAccountEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsAccountEntity() (*AccountEntity, bool) { return nil, false } -// AsTIDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsTIDataConnector() (*TIDataConnector, bool) { +// AsHostEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsHostEntity() (*HostEntity, bool) { return nil, false } -// AsAwsCloudTrailDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) { +// AsFileEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsFileEntity() (*FileEntity, bool) { return nil, false } -// AsAADDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsAADDataConnector() (*AADDataConnector, bool) { +// AsSecurityAlert is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsSecurityAlert() (*SecurityAlert, bool) { return nil, false } -// AsASCDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsASCDataConnector() (*ASCDataConnector, bool) { +// AsFileHashEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsFileHashEntity() (*FileHashEntity, bool) { return nil, false } -// AsMCASDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { - return &mdc, true +// AsMalwareEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false } -// AsDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsDataConnector() (*DataConnector, bool) { +// AsSecurityGroupEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { return nil, false } -// AsBasicDataConnector is the BasicDataConnector implementation for MCASDataConnector. -func (mdc MCASDataConnector) AsBasicDataConnector() (BasicDataConnector, bool) { - return &mdc, true +// AsAzureResourceEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false } -// UnmarshalJSON is the custom unmarshaler for MCASDataConnector struct. -func (mdc *MCASDataConnector) UnmarshalJSON(body []byte) error { - var m map[string]*json.RawMessage - err := json.Unmarshal(body, &m) - if err != nil { - return err - } - for k, v := range m { +// AsCloudApplicationEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsIPEntity() (*IPEntity, bool) { + return &ie, true +} + +// AsRegistryKeyEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for IPEntity. +func (ie IPEntity) AsBasicEntity() (BasicEntity, bool) { + return &ie, true +} + +// UnmarshalJSON is the custom unmarshaler for IPEntity struct. +func (ie *IPEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { switch k { case "properties": if v != nil { - var mCASDataConnectorProperties MCASDataConnectorProperties - err = json.Unmarshal(*v, &mCASDataConnectorProperties) + var IPEntityProperties IPEntityProperties + err = json.Unmarshal(*v, &IPEntityProperties) if err != nil { return err } - mdc.MCASDataConnectorProperties = &mCASDataConnectorProperties + ie.IPEntityProperties = &IPEntityProperties } case "id": if v != nil { @@ -3536,7 +5322,7 @@ func (mdc *MCASDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - mdc.ID = &ID + ie.ID = &ID } case "type": if v != nil { @@ -3545,7 +5331,7 @@ func (mdc *MCASDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - mdc.Type = &typeVar + ie.Type = &typeVar } case "name": if v != nil { @@ -3554,25 +5340,16 @@ func (mdc *MCASDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - mdc.Name = &name - } - case "etag": - if v != nil { - var etag string - err = json.Unmarshal(*v, &etag) - if err != nil { - return err - } - mdc.Etag = &etag + ie.Name = &name } case "kind": if v != nil { - var kind KindBasicDataConnector + var kind KindBasicEntity err = json.Unmarshal(*v, &kind) if err != nil { return err } - mdc.Kind = kind + ie.Kind = kind } } } @@ -3580,38 +5357,143 @@ func (mdc *MCASDataConnector) UnmarshalJSON(body []byte) error { return nil } -// MCASDataConnectorProperties MCAS (Microsoft Cloud App Security) data connector properties. -type MCASDataConnectorProperties struct { - // TenantID - The tenant id to connect to, and get the data from. - TenantID *string `json:"tenantId,omitempty"` - // DataTypes - The available data types for the connector. - DataTypes *AlertsDataTypeOfDataConnector `json:"dataTypes,omitempty"` +// IPEntityProperties ip entity property bag. +type IPEntityProperties struct { + // Address - READ-ONLY; The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6) + Address *string `json:"address,omitempty"` + // Location - The geo-location context attached to the ip entity + Location *GeoLocation `json:"location,omitempty"` + // ThreatIntelligence - READ-ONLY; A list of TI contexts attached to the ip entity. + ThreatIntelligence *[]ThreatIntelligence `json:"threatIntelligence,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` } -// OfficeConsent consent for Office365 tenant that already made. -type OfficeConsent struct { - autorest.Response `json:"-"` - // OfficeConsentProperties - Office consent properties - *OfficeConsentProperties `json:"properties,omitempty"` +// MarshalJSON is the custom marshaler for IPEntityProperties. +func (iep IPEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if iep.Location != nil { + objectMap["location"] = iep.Location + } + return json.Marshal(objectMap) +} + +// MalwareEntity represents a malware entity. +type MalwareEntity struct { + // MalwareEntityProperties - File entity properties + *MalwareEntityProperties `json:"properties,omitempty"` // ID - READ-ONLY; Azure resource Id ID *string `json:"id,omitempty"` // Type - READ-ONLY; Azure resource type Type *string `json:"type,omitempty"` // Name - READ-ONLY; Azure resource name Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` } -// MarshalJSON is the custom marshaler for OfficeConsent. -func (oc OfficeConsent) MarshalJSON() ([]byte, error) { +// MarshalJSON is the custom marshaler for MalwareEntity. +func (me MalwareEntity) MarshalJSON() ([]byte, error) { + me.Kind = KindMalware objectMap := make(map[string]interface{}) - if oc.OfficeConsentProperties != nil { - objectMap["properties"] = oc.OfficeConsentProperties + if me.MalwareEntityProperties != nil { + objectMap["properties"] = me.MalwareEntityProperties + } + if me.Kind != "" { + objectMap["kind"] = me.Kind } return json.Marshal(objectMap) } -// UnmarshalJSON is the custom unmarshaler for OfficeConsent struct. -func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { +// AsAccountEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return &me, true +} + +// AsSecurityGroupEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for MalwareEntity. +func (me MalwareEntity) AsBasicEntity() (BasicEntity, bool) { + return &me, true +} + +// UnmarshalJSON is the custom unmarshaler for MalwareEntity struct. +func (me *MalwareEntity) UnmarshalJSON(body []byte) error { var m map[string]*json.RawMessage err := json.Unmarshal(body, &m) if err != nil { @@ -3621,12 +5503,12 @@ func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { switch k { case "properties": if v != nil { - var officeConsentProperties OfficeConsentProperties - err = json.Unmarshal(*v, &officeConsentProperties) + var malwareEntityProperties MalwareEntityProperties + err = json.Unmarshal(*v, &malwareEntityProperties) if err != nil { return err } - oc.OfficeConsentProperties = &officeConsentProperties + me.MalwareEntityProperties = &malwareEntityProperties } case "id": if v != nil { @@ -3635,7 +5517,7 @@ func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { if err != nil { return err } - oc.ID = &ID + me.ID = &ID } case "type": if v != nil { @@ -3644,7 +5526,7 @@ func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { if err != nil { return err } - oc.Type = &typeVar + me.Type = &typeVar } case "name": if v != nil { @@ -3653,7 +5535,16 @@ func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { if err != nil { return err } - oc.Name = &name + me.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + me.Kind = kind } } } @@ -3661,164 +5552,206 @@ func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { return nil } -// OfficeConsentList list of all the office365 consents. -type OfficeConsentList struct { - autorest.Response `json:"-"` - // NextLink - READ-ONLY; URL to fetch the next set of office consents. - NextLink *string `json:"nextLink,omitempty"` - // Value - Array of the consents. - Value *[]OfficeConsent `json:"value,omitempty"` +// MalwareEntityProperties malware entity property bag. +type MalwareEntityProperties struct { + // MalwareName - READ-ONLY; The malware name by the vendor, e.g. Win32/Toga!rfn + MalwareName *string `json:"malwareName,omitempty"` + // Category - READ-ONLY; The malware category by the vendor, e.g. Trojan + Category *string `json:"category,omitempty"` + // FileEntityIds - READ-ONLY; List of linked file entity identifiers on which the malware was found + FileEntityIds *[]string `json:"fileEntityIds,omitempty"` + // ProcessEntityIds - READ-ONLY; List of linked process entity identifiers on which the malware was found. + ProcessEntityIds *[]string `json:"processEntityIds,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for MalwareEntityProperties. +func (mep MalwareEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) } -// OfficeConsentListIterator provides access to a complete listing of OfficeConsent values. -type OfficeConsentListIterator struct { - i int - page OfficeConsentListPage +// MCASDataConnector represents MCAS (Microsoft Cloud App Security) data connector. +type MCASDataConnector struct { + // MCASDataConnectorProperties - MCAS (Microsoft Cloud App Security) data connector properties. + *MCASDataConnectorProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Etag - Etag of the data connector. + Etag *string `json:"etag,omitempty"` + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' + Kind KindBasicDataConnector `json:"kind,omitempty"` } -// NextWithContext advances to the next value. If there was an error making -// the request the iterator does not advance and the error is returned. -func (iter *OfficeConsentListIterator) NextWithContext(ctx context.Context) (err error) { - if tracing.IsEnabled() { - ctx = tracing.StartSpan(ctx, fqdn+"/OfficeConsentListIterator.NextWithContext") - defer func() { - sc := -1 - if iter.Response().Response.Response != nil { - sc = iter.Response().Response.Response.StatusCode - } - tracing.EndSpan(ctx, sc, err) - }() +// MarshalJSON is the custom marshaler for MCASDataConnector. +func (mdc MCASDataConnector) MarshalJSON() ([]byte, error) { + mdc.Kind = KindMicrosoftCloudAppSecurity + objectMap := make(map[string]interface{}) + if mdc.MCASDataConnectorProperties != nil { + objectMap["properties"] = mdc.MCASDataConnectorProperties } - iter.i++ - if iter.i < len(iter.page.Values()) { - return nil + if mdc.Etag != nil { + objectMap["etag"] = mdc.Etag } - err = iter.page.NextWithContext(ctx) - if err != nil { - iter.i-- - return err + if mdc.Kind != "" { + objectMap["kind"] = mdc.Kind } - iter.i = 0 - return nil + return json.Marshal(objectMap) } -// Next advances to the next value. If there was an error making -// the request the iterator does not advance and the error is returned. -// Deprecated: Use NextWithContext() instead. -func (iter *OfficeConsentListIterator) Next() error { - return iter.NextWithContext(context.Background()) +// AsOfficeDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsOfficeDataConnector() (*OfficeDataConnector, bool) { + return nil, false } -// NotDone returns true if the enumeration should be started or is not yet complete. -func (iter OfficeConsentListIterator) NotDone() bool { - return iter.page.NotDone() && iter.i < len(iter.page.Values()) +// AsTIDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsTIDataConnector() (*TIDataConnector, bool) { + return nil, false } -// Response returns the raw server response from the last page request. -func (iter OfficeConsentListIterator) Response() OfficeConsentList { - return iter.page.Response() +// AsAwsCloudTrailDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) { + return nil, false } -// Value returns the current value or a zero-initialized value if the -// iterator has advanced beyond the end of the collection. -func (iter OfficeConsentListIterator) Value() OfficeConsent { - if !iter.page.NotDone() { - return OfficeConsent{} - } - return iter.page.Values()[iter.i] +// AsAADDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsAADDataConnector() (*AADDataConnector, bool) { + return nil, false } -// Creates a new instance of the OfficeConsentListIterator type. -func NewOfficeConsentListIterator(page OfficeConsentListPage) OfficeConsentListIterator { - return OfficeConsentListIterator{page: page} +// AsASCDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsASCDataConnector() (*ASCDataConnector, bool) { + return nil, false } -// IsEmpty returns true if the ListResult contains no values. -func (ocl OfficeConsentList) IsEmpty() bool { - return ocl.Value == nil || len(*ocl.Value) == 0 +// AsMCASDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { + return &mdc, true } -// officeConsentListPreparer prepares a request to retrieve the next set of results. -// It returns nil if no more results exist. -func (ocl OfficeConsentList) officeConsentListPreparer(ctx context.Context) (*http.Request, error) { - if ocl.NextLink == nil || len(to.String(ocl.NextLink)) < 1 { - return nil, nil - } - return autorest.Prepare((&http.Request{}).WithContext(ctx), - autorest.AsJSON(), - autorest.AsGet(), - autorest.WithBaseURL(to.String(ocl.NextLink))) +// AsAATPDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false } -// OfficeConsentListPage contains a page of OfficeConsent values. -type OfficeConsentListPage struct { - fn func(context.Context, OfficeConsentList) (OfficeConsentList, error) - ocl OfficeConsentList +// AsMDATPDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false } -// NextWithContext advances to the next page of values. If there was an error making -// the request the page does not advance and the error is returned. -func (page *OfficeConsentListPage) NextWithContext(ctx context.Context) (err error) { - if tracing.IsEnabled() { - ctx = tracing.StartSpan(ctx, fqdn+"/OfficeConsentListPage.NextWithContext") - defer func() { - sc := -1 - if page.Response().Response.Response != nil { - sc = page.Response().Response.Response.StatusCode - } - tracing.EndSpan(ctx, sc, err) - }() - } - next, err := page.fn(ctx, page.ocl) - if err != nil { - return err - } - page.ocl = next - return nil +// AsDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsDataConnector() (*DataConnector, bool) { + return nil, false } -// Next advances to the next page of values. If there was an error making -// the request the page does not advance and the error is returned. -// Deprecated: Use NextWithContext() instead. -func (page *OfficeConsentListPage) Next() error { - return page.NextWithContext(context.Background()) +// AsBasicDataConnector is the BasicDataConnector implementation for MCASDataConnector. +func (mdc MCASDataConnector) AsBasicDataConnector() (BasicDataConnector, bool) { + return &mdc, true } -// NotDone returns true if the page enumeration should be started or is not yet complete. -func (page OfficeConsentListPage) NotDone() bool { - return !page.ocl.IsEmpty() -} +// UnmarshalJSON is the custom unmarshaler for MCASDataConnector struct. +func (mdc *MCASDataConnector) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var mCASDataConnectorProperties MCASDataConnectorProperties + err = json.Unmarshal(*v, &mCASDataConnectorProperties) + if err != nil { + return err + } + mdc.MCASDataConnectorProperties = &mCASDataConnectorProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + mdc.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + mdc.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + mdc.Name = &name + } + case "etag": + if v != nil { + var etag string + err = json.Unmarshal(*v, &etag) + if err != nil { + return err + } + mdc.Etag = &etag + } + case "kind": + if v != nil { + var kind KindBasicDataConnector + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + mdc.Kind = kind + } + } + } -// Response returns the raw server response from the last page request. -func (page OfficeConsentListPage) Response() OfficeConsentList { - return page.ocl + return nil } -// Values returns the slice of values for the current page or nil if there are no values. -func (page OfficeConsentListPage) Values() []OfficeConsent { - if page.ocl.IsEmpty() { - return nil - } - return *page.ocl.Value +// MCASDataConnectorDataTypes the available data types for MCAS (Microsoft Cloud App Security) data +// connector. +type MCASDataConnectorDataTypes struct { + // DiscoveryLogs - Discovery log data type connection. + DiscoveryLogs *MCASDataConnectorDataTypesDiscoveryLogs `json:"discoveryLogs,omitempty"` + // Alerts - Alerts data type connection. + Alerts *AlertsDataTypeOfDataConnectorAlerts `json:"alerts,omitempty"` } -// Creates a new instance of the OfficeConsentListPage type. -func NewOfficeConsentListPage(getNextPage func(context.Context, OfficeConsentList) (OfficeConsentList, error)) OfficeConsentListPage { - return OfficeConsentListPage{fn: getNextPage} +// MCASDataConnectorDataTypesDiscoveryLogs discovery log data type connection. +type MCASDataConnectorDataTypesDiscoveryLogs struct { + // State - Describe whether this data type connection is enabled or not. Possible values include: 'Enabled', 'Disabled' + State DataTypeState `json:"state,omitempty"` } -// OfficeConsentProperties consent property bag. -type OfficeConsentProperties struct { - // TenantID - The tenantId of the Office365 with the consent. +// MCASDataConnectorProperties MCAS (Microsoft Cloud App Security) data connector properties. +type MCASDataConnectorProperties struct { + // DataTypes - The available data types for the connector. + DataTypes *MCASDataConnectorDataTypes `json:"dataTypes,omitempty"` + // TenantID - The tenant id to connect to, and get the data from. TenantID *string `json:"tenantId,omitempty"` - // TenantName - READ-ONLY; The tenant name of the Office365 with the consent. - TenantName *string `json:"tenantName,omitempty"` } -// OfficeDataConnector represents office data connector. -type OfficeDataConnector struct { - // OfficeDataConnectorProperties - Office data connector properties. - *OfficeDataConnectorProperties `json:"properties,omitempty"` +// MDATPDataConnector represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. +type MDATPDataConnector struct { + // MDATPDataConnectorProperties - MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. + *MDATPDataConnectorProperties `json:"properties,omitempty"` // ID - READ-ONLY; Azure resource Id ID *string `json:"id,omitempty"` // Type - READ-ONLY; Azure resource type @@ -3827,68 +5760,78 @@ type OfficeDataConnector struct { Name *string `json:"name,omitempty"` // Etag - Etag of the data connector. Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' Kind KindBasicDataConnector `json:"kind,omitempty"` } -// MarshalJSON is the custom marshaler for OfficeDataConnector. -func (odc OfficeDataConnector) MarshalJSON() ([]byte, error) { - odc.Kind = KindOffice365 +// MarshalJSON is the custom marshaler for MDATPDataConnector. +func (mdc MDATPDataConnector) MarshalJSON() ([]byte, error) { + mdc.Kind = KindMicrosoftDefenderAdvancedThreatProtection objectMap := make(map[string]interface{}) - if odc.OfficeDataConnectorProperties != nil { - objectMap["properties"] = odc.OfficeDataConnectorProperties + if mdc.MDATPDataConnectorProperties != nil { + objectMap["properties"] = mdc.MDATPDataConnectorProperties } - if odc.Etag != nil { - objectMap["etag"] = odc.Etag + if mdc.Etag != nil { + objectMap["etag"] = mdc.Etag } - if odc.Kind != "" { - objectMap["kind"] = odc.Kind + if mdc.Kind != "" { + objectMap["kind"] = mdc.Kind } return json.Marshal(objectMap) } -// AsOfficeDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsOfficeDataConnector() (*OfficeDataConnector, bool) { - return &odc, true +// AsOfficeDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsOfficeDataConnector() (*OfficeDataConnector, bool) { + return nil, false } -// AsTIDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsTIDataConnector() (*TIDataConnector, bool) { +// AsTIDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsTIDataConnector() (*TIDataConnector, bool) { return nil, false } -// AsAwsCloudTrailDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) { +// AsAwsCloudTrailDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) { return nil, false } -// AsAADDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsAADDataConnector() (*AADDataConnector, bool) { +// AsAADDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsAADDataConnector() (*AADDataConnector, bool) { return nil, false } -// AsASCDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsASCDataConnector() (*ASCDataConnector, bool) { +// AsASCDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsASCDataConnector() (*ASCDataConnector, bool) { return nil, false } -// AsMCASDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { +// AsMCASDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { return nil, false } -// AsDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsDataConnector() (*DataConnector, bool) { +// AsAATPDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { return nil, false } -// AsBasicDataConnector is the BasicDataConnector implementation for OfficeDataConnector. -func (odc OfficeDataConnector) AsBasicDataConnector() (BasicDataConnector, bool) { - return &odc, true +// AsMDATPDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return &mdc, true } -// UnmarshalJSON is the custom unmarshaler for OfficeDataConnector struct. -func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { +// AsDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsDataConnector() (*DataConnector, bool) { + return nil, false +} + +// AsBasicDataConnector is the BasicDataConnector implementation for MDATPDataConnector. +func (mdc MDATPDataConnector) AsBasicDataConnector() (BasicDataConnector, bool) { + return &mdc, true +} + +// UnmarshalJSON is the custom unmarshaler for MDATPDataConnector struct. +func (mdc *MDATPDataConnector) UnmarshalJSON(body []byte) error { var m map[string]*json.RawMessage err := json.Unmarshal(body, &m) if err != nil { @@ -3898,12 +5841,12 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { switch k { case "properties": if v != nil { - var officeDataConnectorProperties OfficeDataConnectorProperties - err = json.Unmarshal(*v, &officeDataConnectorProperties) + var mDATPDataConnectorProperties MDATPDataConnectorProperties + err = json.Unmarshal(*v, &mDATPDataConnectorProperties) if err != nil { return err } - odc.OfficeDataConnectorProperties = &officeDataConnectorProperties + mdc.MDATPDataConnectorProperties = &mDATPDataConnectorProperties } case "id": if v != nil { @@ -3912,7 +5855,7 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - odc.ID = &ID + mdc.ID = &ID } case "type": if v != nil { @@ -3921,7 +5864,7 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - odc.Type = &typeVar + mdc.Type = &typeVar } case "name": if v != nil { @@ -3930,7 +5873,7 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - odc.Name = &name + mdc.Name = &name } case "etag": if v != nil { @@ -3939,7 +5882,7 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - odc.Etag = &etag + mdc.Etag = &etag } case "kind": if v != nil { @@ -3948,7 +5891,7 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { if err != nil { return err } - odc.Kind = kind + mdc.Kind = kind } } } @@ -3956,74 +5899,108 @@ func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { return nil } -// OfficeDataConnectorDataTypes the available data types for office data connector. -type OfficeDataConnectorDataTypes struct { - // SharePoint - SharePoint data type connection. - SharePoint *OfficeDataConnectorDataTypesSharePoint `json:"sharePoint,omitempty"` - // Exchange - Exchange data type connection. - Exchange *OfficeDataConnectorDataTypesExchange `json:"exchange,omitempty"` -} - -// OfficeDataConnectorDataTypesExchange exchange data type connection. -type OfficeDataConnectorDataTypesExchange struct { - // State - Describe whether this data type connection is enabled or not. Possible values include: 'Enabled', 'Disabled' - State DataTypeState `json:"state,omitempty"` -} - -// OfficeDataConnectorDataTypesSharePoint sharePoint data type connection. -type OfficeDataConnectorDataTypesSharePoint struct { - // State - Describe whether this data type connection is enabled or not. Possible values include: 'Enabled', 'Disabled' - State DataTypeState `json:"state,omitempty"` -} - -// OfficeDataConnectorProperties office data connector properties. -type OfficeDataConnectorProperties struct { - // DataTypes - The available data types for the connector. - DataTypes *OfficeDataConnectorDataTypes `json:"dataTypes,omitempty"` +// MDATPDataConnectorProperties MDATP (Microsoft Defender Advanced Threat Protection) data connector +// properties. +type MDATPDataConnectorProperties struct { // TenantID - The tenant id to connect to, and get the data from. TenantID *string `json:"tenantId,omitempty"` + // DataTypes - The available data types for the connector. + DataTypes *AlertsDataTypeOfDataConnector `json:"dataTypes,omitempty"` } -// Operation operation provided by provider -type Operation struct { - // Name - Name of the operation - Name *string `json:"name,omitempty"` - // Display - Properties of the operation - Display *OperationDisplay `json:"display,omitempty"` -} - -// OperationDisplay properties of the operation -type OperationDisplay struct { - // Provider - Provider name - Provider *string `json:"provider,omitempty"` - // Resource - Resource name - Resource *string `json:"resource,omitempty"` - // Operation - Operation name - Operation *string `json:"operation,omitempty"` - // Description - Description of the operation - Description *string `json:"description,omitempty"` -} - -// OperationsList lists the operations available in the SecurityInsights RP. -type OperationsList struct { +// OfficeConsent consent for Office365 tenant that already made. +type OfficeConsent struct { autorest.Response `json:"-"` - // NextLink - URL to fetch the next set of operations. - NextLink *string `json:"nextLink,omitempty"` - // Value - Array of operations - Value *[]Operation `json:"value,omitempty"` + // OfficeConsentProperties - Office consent properties + *OfficeConsentProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` } -// OperationsListIterator provides access to a complete listing of Operation values. -type OperationsListIterator struct { - i int - page OperationsListPage +// MarshalJSON is the custom marshaler for OfficeConsent. +func (oc OfficeConsent) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if oc.OfficeConsentProperties != nil { + objectMap["properties"] = oc.OfficeConsentProperties + } + return json.Marshal(objectMap) } -// NextWithContext advances to the next value. If there was an error making -// the request the iterator does not advance and the error is returned. -func (iter *OperationsListIterator) NextWithContext(ctx context.Context) (err error) { +// UnmarshalJSON is the custom unmarshaler for OfficeConsent struct. +func (oc *OfficeConsent) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var officeConsentProperties OfficeConsentProperties + err = json.Unmarshal(*v, &officeConsentProperties) + if err != nil { + return err + } + oc.OfficeConsentProperties = &officeConsentProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + oc.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + oc.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + oc.Name = &name + } + } + } + + return nil +} + +// OfficeConsentList list of all the office365 consents. +type OfficeConsentList struct { + autorest.Response `json:"-"` + // NextLink - READ-ONLY; URL to fetch the next set of office consents. + NextLink *string `json:"nextLink,omitempty"` + // Value - Array of the consents. + Value *[]OfficeConsent `json:"value,omitempty"` +} + +// OfficeConsentListIterator provides access to a complete listing of OfficeConsent values. +type OfficeConsentListIterator struct { + i int + page OfficeConsentListPage +} + +// NextWithContext advances to the next value. If there was an error making +// the request the iterator does not advance and the error is returned. +func (iter *OfficeConsentListIterator) NextWithContext(ctx context.Context) (err error) { if tracing.IsEnabled() { - ctx = tracing.StartSpan(ctx, fqdn+"/OperationsListIterator.NextWithContext") + ctx = tracing.StartSpan(ctx, fqdn+"/OfficeConsentListIterator.NextWithContext") defer func() { sc := -1 if iter.Response().Response.Response != nil { @@ -4048,62 +6025,62 @@ func (iter *OperationsListIterator) NextWithContext(ctx context.Context) (err er // Next advances to the next value. If there was an error making // the request the iterator does not advance and the error is returned. // Deprecated: Use NextWithContext() instead. -func (iter *OperationsListIterator) Next() error { +func (iter *OfficeConsentListIterator) Next() error { return iter.NextWithContext(context.Background()) } // NotDone returns true if the enumeration should be started or is not yet complete. -func (iter OperationsListIterator) NotDone() bool { +func (iter OfficeConsentListIterator) NotDone() bool { return iter.page.NotDone() && iter.i < len(iter.page.Values()) } // Response returns the raw server response from the last page request. -func (iter OperationsListIterator) Response() OperationsList { +func (iter OfficeConsentListIterator) Response() OfficeConsentList { return iter.page.Response() } // Value returns the current value or a zero-initialized value if the // iterator has advanced beyond the end of the collection. -func (iter OperationsListIterator) Value() Operation { +func (iter OfficeConsentListIterator) Value() OfficeConsent { if !iter.page.NotDone() { - return Operation{} + return OfficeConsent{} } return iter.page.Values()[iter.i] } -// Creates a new instance of the OperationsListIterator type. -func NewOperationsListIterator(page OperationsListPage) OperationsListIterator { - return OperationsListIterator{page: page} +// Creates a new instance of the OfficeConsentListIterator type. +func NewOfficeConsentListIterator(page OfficeConsentListPage) OfficeConsentListIterator { + return OfficeConsentListIterator{page: page} } // IsEmpty returns true if the ListResult contains no values. -func (ol OperationsList) IsEmpty() bool { - return ol.Value == nil || len(*ol.Value) == 0 +func (ocl OfficeConsentList) IsEmpty() bool { + return ocl.Value == nil || len(*ocl.Value) == 0 } -// operationsListPreparer prepares a request to retrieve the next set of results. +// officeConsentListPreparer prepares a request to retrieve the next set of results. // It returns nil if no more results exist. -func (ol OperationsList) operationsListPreparer(ctx context.Context) (*http.Request, error) { - if ol.NextLink == nil || len(to.String(ol.NextLink)) < 1 { +func (ocl OfficeConsentList) officeConsentListPreparer(ctx context.Context) (*http.Request, error) { + if ocl.NextLink == nil || len(to.String(ocl.NextLink)) < 1 { return nil, nil } return autorest.Prepare((&http.Request{}).WithContext(ctx), autorest.AsJSON(), autorest.AsGet(), - autorest.WithBaseURL(to.String(ol.NextLink))) + autorest.WithBaseURL(to.String(ocl.NextLink))) } -// OperationsListPage contains a page of Operation values. -type OperationsListPage struct { - fn func(context.Context, OperationsList) (OperationsList, error) - ol OperationsList +// OfficeConsentListPage contains a page of OfficeConsent values. +type OfficeConsentListPage struct { + fn func(context.Context, OfficeConsentList) (OfficeConsentList, error) + ocl OfficeConsentList } // NextWithContext advances to the next page of values. If there was an error making // the request the page does not advance and the error is returned. -func (page *OperationsListPage) NextWithContext(ctx context.Context) (err error) { +func (page *OfficeConsentListPage) NextWithContext(ctx context.Context) (err error) { if tracing.IsEnabled() { - ctx = tracing.StartSpan(ctx, fqdn+"/OperationsListPage.NextWithContext") + ctx = tracing.StartSpan(ctx, fqdn+"/OfficeConsentListPage.NextWithContext") defer func() { sc := -1 if page.Response().Response.Response != nil { @@ -4112,103 +6089,1495 @@ func (page *OperationsListPage) NextWithContext(ctx context.Context) (err error) tracing.EndSpan(ctx, sc, err) }() } - next, err := page.fn(ctx, page.ol) + next, err := page.fn(ctx, page.ocl) if err != nil { return err } - page.ol = next + page.ocl = next return nil } -// Next advances to the next page of values. If there was an error making -// the request the page does not advance and the error is returned. -// Deprecated: Use NextWithContext() instead. -func (page *OperationsListPage) Next() error { - return page.NextWithContext(context.Background()) +// Next advances to the next page of values. If there was an error making +// the request the page does not advance and the error is returned. +// Deprecated: Use NextWithContext() instead. +func (page *OfficeConsentListPage) Next() error { + return page.NextWithContext(context.Background()) +} + +// NotDone returns true if the page enumeration should be started or is not yet complete. +func (page OfficeConsentListPage) NotDone() bool { + return !page.ocl.IsEmpty() +} + +// Response returns the raw server response from the last page request. +func (page OfficeConsentListPage) Response() OfficeConsentList { + return page.ocl +} + +// Values returns the slice of values for the current page or nil if there are no values. +func (page OfficeConsentListPage) Values() []OfficeConsent { + if page.ocl.IsEmpty() { + return nil + } + return *page.ocl.Value +} + +// Creates a new instance of the OfficeConsentListPage type. +func NewOfficeConsentListPage(getNextPage func(context.Context, OfficeConsentList) (OfficeConsentList, error)) OfficeConsentListPage { + return OfficeConsentListPage{fn: getNextPage} +} + +// OfficeConsentProperties consent property bag. +type OfficeConsentProperties struct { + // TenantID - The tenantId of the Office365 with the consent. + TenantID *string `json:"tenantId,omitempty"` + // TenantName - READ-ONLY; The tenant name of the Office365 with the consent. + TenantName *string `json:"tenantName,omitempty"` +} + +// OfficeDataConnector represents office data connector. +type OfficeDataConnector struct { + // OfficeDataConnectorProperties - Office data connector properties. + *OfficeDataConnectorProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Etag - Etag of the data connector. + Etag *string `json:"etag,omitempty"` + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' + Kind KindBasicDataConnector `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for OfficeDataConnector. +func (odc OfficeDataConnector) MarshalJSON() ([]byte, error) { + odc.Kind = KindOffice365 + objectMap := make(map[string]interface{}) + if odc.OfficeDataConnectorProperties != nil { + objectMap["properties"] = odc.OfficeDataConnectorProperties + } + if odc.Etag != nil { + objectMap["etag"] = odc.Etag + } + if odc.Kind != "" { + objectMap["kind"] = odc.Kind + } + return json.Marshal(objectMap) +} + +// AsOfficeDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsOfficeDataConnector() (*OfficeDataConnector, bool) { + return &odc, true +} + +// AsTIDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsTIDataConnector() (*TIDataConnector, bool) { + return nil, false +} + +// AsAwsCloudTrailDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsAwsCloudTrailDataConnector() (*AwsCloudTrailDataConnector, bool) { + return nil, false +} + +// AsAADDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsAADDataConnector() (*AADDataConnector, bool) { + return nil, false +} + +// AsASCDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsASCDataConnector() (*ASCDataConnector, bool) { + return nil, false +} + +// AsMCASDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { + return nil, false +} + +// AsAATPDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + +// AsDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsDataConnector() (*DataConnector, bool) { + return nil, false +} + +// AsBasicDataConnector is the BasicDataConnector implementation for OfficeDataConnector. +func (odc OfficeDataConnector) AsBasicDataConnector() (BasicDataConnector, bool) { + return &odc, true +} + +// UnmarshalJSON is the custom unmarshaler for OfficeDataConnector struct. +func (odc *OfficeDataConnector) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var officeDataConnectorProperties OfficeDataConnectorProperties + err = json.Unmarshal(*v, &officeDataConnectorProperties) + if err != nil { + return err + } + odc.OfficeDataConnectorProperties = &officeDataConnectorProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + odc.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + odc.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + odc.Name = &name + } + case "etag": + if v != nil { + var etag string + err = json.Unmarshal(*v, &etag) + if err != nil { + return err + } + odc.Etag = &etag + } + case "kind": + if v != nil { + var kind KindBasicDataConnector + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + odc.Kind = kind + } + } + } + + return nil +} + +// OfficeDataConnectorDataTypes the available data types for office data connector. +type OfficeDataConnectorDataTypes struct { + // SharePoint - SharePoint data type connection. + SharePoint *OfficeDataConnectorDataTypesSharePoint `json:"sharePoint,omitempty"` + // Exchange - Exchange data type connection. + Exchange *OfficeDataConnectorDataTypesExchange `json:"exchange,omitempty"` +} + +// OfficeDataConnectorDataTypesExchange exchange data type connection. +type OfficeDataConnectorDataTypesExchange struct { + // State - Describe whether this data type connection is enabled or not. Possible values include: 'Enabled', 'Disabled' + State DataTypeState `json:"state,omitempty"` +} + +// OfficeDataConnectorDataTypesSharePoint sharePoint data type connection. +type OfficeDataConnectorDataTypesSharePoint struct { + // State - Describe whether this data type connection is enabled or not. Possible values include: 'Enabled', 'Disabled' + State DataTypeState `json:"state,omitempty"` +} + +// OfficeDataConnectorProperties office data connector properties. +type OfficeDataConnectorProperties struct { + // DataTypes - The available data types for the connector. + DataTypes *OfficeDataConnectorDataTypes `json:"dataTypes,omitempty"` + // TenantID - The tenant id to connect to, and get the data from. + TenantID *string `json:"tenantId,omitempty"` +} + +// Operation operation provided by provider +type Operation struct { + // Name - Name of the operation + Name *string `json:"name,omitempty"` + // Display - Properties of the operation + Display *OperationDisplay `json:"display,omitempty"` +} + +// OperationDisplay properties of the operation +type OperationDisplay struct { + // Provider - Provider name + Provider *string `json:"provider,omitempty"` + // Resource - Resource name + Resource *string `json:"resource,omitempty"` + // Operation - Operation name + Operation *string `json:"operation,omitempty"` + // Description - Description of the operation + Description *string `json:"description,omitempty"` +} + +// OperationsList lists the operations available in the SecurityInsights RP. +type OperationsList struct { + autorest.Response `json:"-"` + // NextLink - URL to fetch the next set of operations. + NextLink *string `json:"nextLink,omitempty"` + // Value - Array of operations + Value *[]Operation `json:"value,omitempty"` +} + +// OperationsListIterator provides access to a complete listing of Operation values. +type OperationsListIterator struct { + i int + page OperationsListPage +} + +// NextWithContext advances to the next value. If there was an error making +// the request the iterator does not advance and the error is returned. +func (iter *OperationsListIterator) NextWithContext(ctx context.Context) (err error) { + if tracing.IsEnabled() { + ctx = tracing.StartSpan(ctx, fqdn+"/OperationsListIterator.NextWithContext") + defer func() { + sc := -1 + if iter.Response().Response.Response != nil { + sc = iter.Response().Response.Response.StatusCode + } + tracing.EndSpan(ctx, sc, err) + }() + } + iter.i++ + if iter.i < len(iter.page.Values()) { + return nil + } + err = iter.page.NextWithContext(ctx) + if err != nil { + iter.i-- + return err + } + iter.i = 0 + return nil +} + +// Next advances to the next value. If there was an error making +// the request the iterator does not advance and the error is returned. +// Deprecated: Use NextWithContext() instead. +func (iter *OperationsListIterator) Next() error { + return iter.NextWithContext(context.Background()) +} + +// NotDone returns true if the enumeration should be started or is not yet complete. +func (iter OperationsListIterator) NotDone() bool { + return iter.page.NotDone() && iter.i < len(iter.page.Values()) +} + +// Response returns the raw server response from the last page request. +func (iter OperationsListIterator) Response() OperationsList { + return iter.page.Response() +} + +// Value returns the current value or a zero-initialized value if the +// iterator has advanced beyond the end of the collection. +func (iter OperationsListIterator) Value() Operation { + if !iter.page.NotDone() { + return Operation{} + } + return iter.page.Values()[iter.i] +} + +// Creates a new instance of the OperationsListIterator type. +func NewOperationsListIterator(page OperationsListPage) OperationsListIterator { + return OperationsListIterator{page: page} +} + +// IsEmpty returns true if the ListResult contains no values. +func (ol OperationsList) IsEmpty() bool { + return ol.Value == nil || len(*ol.Value) == 0 +} + +// operationsListPreparer prepares a request to retrieve the next set of results. +// It returns nil if no more results exist. +func (ol OperationsList) operationsListPreparer(ctx context.Context) (*http.Request, error) { + if ol.NextLink == nil || len(to.String(ol.NextLink)) < 1 { + return nil, nil + } + return autorest.Prepare((&http.Request{}).WithContext(ctx), + autorest.AsJSON(), + autorest.AsGet(), + autorest.WithBaseURL(to.String(ol.NextLink))) +} + +// OperationsListPage contains a page of Operation values. +type OperationsListPage struct { + fn func(context.Context, OperationsList) (OperationsList, error) + ol OperationsList +} + +// NextWithContext advances to the next page of values. If there was an error making +// the request the page does not advance and the error is returned. +func (page *OperationsListPage) NextWithContext(ctx context.Context) (err error) { + if tracing.IsEnabled() { + ctx = tracing.StartSpan(ctx, fqdn+"/OperationsListPage.NextWithContext") + defer func() { + sc := -1 + if page.Response().Response.Response != nil { + sc = page.Response().Response.Response.StatusCode + } + tracing.EndSpan(ctx, sc, err) + }() + } + next, err := page.fn(ctx, page.ol) + if err != nil { + return err + } + page.ol = next + return nil +} + +// Next advances to the next page of values. If there was an error making +// the request the page does not advance and the error is returned. +// Deprecated: Use NextWithContext() instead. +func (page *OperationsListPage) Next() error { + return page.NextWithContext(context.Background()) +} + +// NotDone returns true if the page enumeration should be started or is not yet complete. +func (page OperationsListPage) NotDone() bool { + return !page.ol.IsEmpty() +} + +// Response returns the raw server response from the last page request. +func (page OperationsListPage) Response() OperationsList { + return page.ol +} + +// Values returns the slice of values for the current page or nil if there are no values. +func (page OperationsListPage) Values() []Operation { + if page.ol.IsEmpty() { + return nil + } + return *page.ol.Value +} + +// Creates a new instance of the OperationsListPage type. +func NewOperationsListPage(getNextPage func(context.Context, OperationsList) (OperationsList, error)) OperationsListPage { + return OperationsListPage{fn: getNextPage} +} + +// ProcessEntity represents a process entity. +type ProcessEntity struct { + // ProcessEntityProperties - Process entity properties + *ProcessEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for ProcessEntity. +func (peVar ProcessEntity) MarshalJSON() ([]byte, error) { + peVar.Kind = KindProcess + objectMap := make(map[string]interface{}) + if peVar.ProcessEntityProperties != nil { + objectMap["properties"] = peVar.ProcessEntityProperties + } + if peVar.Kind != "" { + objectMap["kind"] = peVar.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsProcessEntity() (*ProcessEntity, bool) { + return &peVar, true +} + +// AsDNSEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for ProcessEntity. +func (peVar ProcessEntity) AsBasicEntity() (BasicEntity, bool) { + return &peVar, true +} + +// UnmarshalJSON is the custom unmarshaler for ProcessEntity struct. +func (peVar *ProcessEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var processEntityProperties ProcessEntityProperties + err = json.Unmarshal(*v, &processEntityProperties) + if err != nil { + return err + } + peVar.ProcessEntityProperties = &processEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + peVar.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + peVar.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + peVar.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + peVar.Kind = kind + } + } + } + + return nil +} + +// ProcessEntityProperties process entity property bag. +type ProcessEntityProperties struct { + // ProcessID - READ-ONLY; The process ID + ProcessID *string `json:"processId,omitempty"` + // CommandLine - READ-ONLY; The command line used to create the process + CommandLine *string `json:"commandLine,omitempty"` + // ElevationToken - The elevation token associated with the process. Possible values include: 'Default', 'Full', 'Limited' + ElevationToken ElevationToken `json:"elevationToken,omitempty"` + // CreationTimeUtc - READ-ONLY; The time when the process started to run + CreationTimeUtc *date.Time `json:"creationTimeUtc,omitempty"` + // ImageFileEntityID - READ-ONLY; Image file entity id + ImageFileEntityID *string `json:"imageFileEntityId,omitempty"` + // AccountEntityID - READ-ONLY; The account entity id running the processes. + AccountEntityID *string `json:"accountEntityId,omitempty"` + // ParentProcessEntityID - READ-ONLY; The parent process entity id. + ParentProcessEntityID *string `json:"parentProcessEntityId,omitempty"` + // HostEntityID - READ-ONLY; The host entity id on which the process was running + HostEntityID *string `json:"hostEntityId,omitempty"` + // HostLogonSessionEntityID - READ-ONLY; The session entity id in which the process was running + HostLogonSessionEntityID *string `json:"hostLogonSessionEntityId,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for ProcessEntityProperties. +func (pep ProcessEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if pep.ElevationToken != "" { + objectMap["elevationToken"] = pep.ElevationToken + } + return json.Marshal(objectMap) +} + +// RegistryKeyEntity represents a registry key entity. +type RegistryKeyEntity struct { + // RegistryKeyEntityProperties - RegistryKey entity properties + *RegistryKeyEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for RegistryKeyEntity. +func (rke RegistryKeyEntity) MarshalJSON() ([]byte, error) { + rke.Kind = KindRegistryKey + objectMap := make(map[string]interface{}) + if rke.RegistryKeyEntityProperties != nil { + objectMap["properties"] = rke.RegistryKeyEntityProperties + } + if rke.Kind != "" { + objectMap["kind"] = rke.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return &rke, true +} + +// AsRegistryValueEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for RegistryKeyEntity. +func (rke RegistryKeyEntity) AsBasicEntity() (BasicEntity, bool) { + return &rke, true +} + +// UnmarshalJSON is the custom unmarshaler for RegistryKeyEntity struct. +func (rke *RegistryKeyEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var registryKeyEntityProperties RegistryKeyEntityProperties + err = json.Unmarshal(*v, ®istryKeyEntityProperties) + if err != nil { + return err + } + rke.RegistryKeyEntityProperties = ®istryKeyEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + rke.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + rke.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + rke.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + rke.Kind = kind + } + } + } + + return nil +} + +// RegistryKeyEntityProperties registryKey entity property bag. +type RegistryKeyEntityProperties struct { + // Hive - READ-ONLY; the hive that holds the registry key. Possible values include: 'HKEYLOCALMACHINE', 'HKEYCLASSESROOT', 'HKEYCURRENTCONFIG', 'HKEYUSERS', 'HKEYCURRENTUSERLOCALSETTINGS', 'HKEYPERFORMANCEDATA', 'HKEYPERFORMANCENLSTEXT', 'HKEYPERFORMANCETEXT', 'HKEYA', 'HKEYCURRENTUSER' + Hive RegistryHive `json:"hive,omitempty"` + // Key - READ-ONLY; The registry key path. + Key *string `json:"key,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for RegistryKeyEntityProperties. +func (rkep RegistryKeyEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// RegistryValueEntity represents a registry value entity. +type RegistryValueEntity struct { + // RegistryValueEntityProperties - RegistryKey entity properties + *RegistryValueEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for RegistryValueEntity. +func (rve RegistryValueEntity) MarshalJSON() ([]byte, error) { + rve.Kind = KindRegistryValue + objectMap := make(map[string]interface{}) + if rve.RegistryValueEntityProperties != nil { + objectMap["properties"] = rve.RegistryValueEntityProperties + } + if rve.Kind != "" { + objectMap["kind"] = rve.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return &rve, true +} + +// AsURLEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for RegistryValueEntity. +func (rve RegistryValueEntity) AsBasicEntity() (BasicEntity, bool) { + return &rve, true +} + +// UnmarshalJSON is the custom unmarshaler for RegistryValueEntity struct. +func (rve *RegistryValueEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var registryValueEntityProperties RegistryValueEntityProperties + err = json.Unmarshal(*v, ®istryValueEntityProperties) + if err != nil { + return err + } + rve.RegistryValueEntityProperties = ®istryValueEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + rve.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + rve.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + rve.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + rve.Kind = kind + } + } + } + + return nil +} + +// RegistryValueEntityProperties registryValue entity property bag. +type RegistryValueEntityProperties struct { + // ValueName - READ-ONLY; The registry value name. + ValueName *string `json:"valueName,omitempty"` + // ValueData - READ-ONLY; String formatted representation of the value data. + ValueData *string `json:"valueData,omitempty"` + // ValueType - READ-ONLY; Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry. Possible values include: 'RegistryValueKindNone', 'RegistryValueKindUnknown', 'RegistryValueKindString', 'RegistryValueKindExpandString', 'RegistryValueKindBinary', 'RegistryValueKindDWord', 'RegistryValueKindMultiString', 'RegistryValueKindQWord' + ValueType RegistryValueKind `json:"valueType,omitempty"` + // KeyEntityID - READ-ONLY; The registry key entity id. + KeyEntityID *string `json:"keyEntityId,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for RegistryValueEntityProperties. +func (rvep RegistryValueEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + +// Resource an azure resource object +type Resource struct { + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` +} + +// ScheduledAlertRule represents scheduled alert rule. +type ScheduledAlertRule struct { + // ScheduledAlertRuleProperties - Scheduled alert rule properties + *ScheduledAlertRuleProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Etag - Etag of the alert rule. + Etag *string `json:"etag,omitempty"` + // Kind - Possible values include: 'KindAlertRule', 'KindScheduled' + Kind Kind `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for ScheduledAlertRule. +func (sar ScheduledAlertRule) MarshalJSON() ([]byte, error) { + sar.Kind = KindScheduled + objectMap := make(map[string]interface{}) + if sar.ScheduledAlertRuleProperties != nil { + objectMap["properties"] = sar.ScheduledAlertRuleProperties + } + if sar.Etag != nil { + objectMap["etag"] = sar.Etag + } + if sar.Kind != "" { + objectMap["kind"] = sar.Kind + } + return json.Marshal(objectMap) +} + +// AsScheduledAlertRule is the BasicAlertRule implementation for ScheduledAlertRule. +func (sar ScheduledAlertRule) AsScheduledAlertRule() (*ScheduledAlertRule, bool) { + return &sar, true +} + +// AsAlertRule is the BasicAlertRule implementation for ScheduledAlertRule. +func (sar ScheduledAlertRule) AsAlertRule() (*AlertRule, bool) { + return nil, false +} + +// AsBasicAlertRule is the BasicAlertRule implementation for ScheduledAlertRule. +func (sar ScheduledAlertRule) AsBasicAlertRule() (BasicAlertRule, bool) { + return &sar, true +} + +// UnmarshalJSON is the custom unmarshaler for ScheduledAlertRule struct. +func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var scheduledAlertRuleProperties ScheduledAlertRuleProperties + err = json.Unmarshal(*v, &scheduledAlertRuleProperties) + if err != nil { + return err + } + sar.ScheduledAlertRuleProperties = &scheduledAlertRuleProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + sar.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + sar.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + sar.Name = &name + } + case "etag": + if v != nil { + var etag string + err = json.Unmarshal(*v, &etag) + if err != nil { + return err + } + sar.Etag = &etag + } + case "kind": + if v != nil { + var kind Kind + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + sar.Kind = kind + } + } + } + + return nil +} + +// ScheduledAlertRuleProperties alert rule property bag. +type ScheduledAlertRuleProperties struct { + // DisplayName - The display name for alerts created by this alert rule. + DisplayName *string `json:"displayName,omitempty"` + // Description - The description of the alert rule. + Description *string `json:"description,omitempty"` + // Severity - The severity for alerts created by this alert rule. Possible values include: 'High', 'Medium', 'Low', 'Informational' + Severity AlertSeverity `json:"severity,omitempty"` + // Enabled - Determines whether this alert rule is enabled or disabled. + Enabled *bool `json:"enabled,omitempty"` + // Query - The query that creates alerts for this rule. + Query *string `json:"query,omitempty"` + // QueryFrequency - The frequency (in ISO 8601 duration format) for this alert rule to run. + QueryFrequency *string `json:"queryFrequency,omitempty"` + // QueryPeriod - The period (in ISO 8601 duration format) that this alert rule looks at. + QueryPeriod *string `json:"queryPeriod,omitempty"` + // TriggerOperator - The operation against the threshold that triggers alert rule. Possible values include: 'GreaterThan', 'LessThan', 'Equal', 'NotEqual' + TriggerOperator TriggerOperator `json:"triggerOperator,omitempty"` + // TriggerThreshold - The threshold triggers this alert rule. + TriggerThreshold *int32 `json:"triggerThreshold,omitempty"` + // SuppressionEnabled - Determines whether the suppression for this alert rule is enabled or disabled. + SuppressionEnabled *bool `json:"suppressionEnabled,omitempty"` + // SuppressionDuration - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. + SuppressionDuration *string `json:"suppressionDuration,omitempty"` + // LastModifiedUtc - READ-ONLY; The last time that this alert has been modified. + LastModifiedUtc *string `json:"lastModifiedUtc,omitempty"` +} + +// SecurityAlert represents a security alert entity. +type SecurityAlert struct { + // SecurityAlertProperties - SecurityAlert entity properties + *SecurityAlertProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for SecurityAlert. +func (sa SecurityAlert) MarshalJSON() ([]byte, error) { + sa.Kind = KindSecurityAlert + objectMap := make(map[string]interface{}) + if sa.SecurityAlertProperties != nil { + objectMap["properties"] = sa.SecurityAlertProperties + } + if sa.Kind != "" { + objectMap["kind"] = sa.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsSecurityAlert() (*SecurityAlert, bool) { + return &sa, true +} + +// AsFileHashEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsURLEntity() (*URLEntity, bool) { + return nil, false +} + +// AsEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for SecurityAlert. +func (sa SecurityAlert) AsBasicEntity() (BasicEntity, bool) { + return &sa, true +} + +// UnmarshalJSON is the custom unmarshaler for SecurityAlert struct. +func (sa *SecurityAlert) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var securityAlertProperties SecurityAlertProperties + err = json.Unmarshal(*v, &securityAlertProperties) + if err != nil { + return err + } + sa.SecurityAlertProperties = &securityAlertProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + sa.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + sa.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + sa.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + sa.Kind = kind + } + } + } + + return nil +} + +// SecurityAlertProperties securityAlert entity property bag. +type SecurityAlertProperties struct { + // SystemAlertID - READ-ONLY; Holds the product identifier of the alert for the product. + SystemAlertID *string `json:"systemAlertId,omitempty"` + // ConfidenceReasons - READ-ONLY; The confidence reasons + ConfidenceReasons *[]SecurityAlertPropertiesConfidenceReasonsItem `json:"confidenceReasons,omitempty"` + // ConfidenceScoreStatus - READ-ONLY; The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final. Possible values include: 'NotApplicable', 'InProcess', 'NotFinal', 'Final' + ConfidenceScoreStatus ConfidenceScoreStatus `json:"confidenceScoreStatus,omitempty"` + // Intent - READ-ONLY; Holds the alert intent stage(s) mapping for this alert. Possible values include: 'KillChainIntentUnknown', 'KillChainIntentProbing', 'KillChainIntentExploitation', 'KillChainIntentPersistence', 'KillChainIntentPrivilegeEscalation', 'KillChainIntentDefenseEvasion', 'KillChainIntentCredentialAccess', 'KillChainIntentDiscovery', 'KillChainIntentLateralMovement', 'KillChainIntentExecution', 'KillChainIntentCollection', 'KillChainIntentExfiltration', 'KillChainIntentCommandAndControl', 'KillChainIntentImpact' + Intent KillChainIntent `json:"intent,omitempty"` + // ConfidenceScore - READ-ONLY; The confidence score of the alert. + ConfidenceScore *float64 `json:"confidenceScore,omitempty"` + // AlertDisplayName - READ-ONLY; The display name of the alert. + AlertDisplayName *string `json:"alertDisplayName,omitempty"` + // Description - READ-ONLY; Alert description. + Description *string `json:"description,omitempty"` + // RemediationSteps - READ-ONLY; Manual action items to take to remediate the alert. + RemediationSteps *[]string `json:"remediationSteps,omitempty"` + // ConfidenceLevel - READ-ONLY; The confidence level of this alert. Possible values include: 'ConfidenceLevelUnknown', 'ConfidenceLevelLow', 'ConfidenceLevelHigh' + ConfidenceLevel ConfidenceLevel `json:"confidenceLevel,omitempty"` + // Severity - The severity of the alert. Possible values include: 'High', 'Medium', 'Low', 'Informational' + Severity AlertSeverity `json:"severity,omitempty"` + // VendorName - READ-ONLY; The name of the vendor that raise the alert. + VendorName *string `json:"vendorName,omitempty"` + // ProductName - READ-ONLY; The name of the product which published this alert. + ProductName *string `json:"productName,omitempty"` + // ProductComponentName - READ-ONLY; The name of a component inside the product which generated the alert. + ProductComponentName *string `json:"productComponentName,omitempty"` + // AlertType - READ-ONLY; The type name of the alert. + AlertType *string `json:"alertType,omitempty"` + // ProductVersion - READ-ONLY; The version of the product generating the alert. + ProductVersion *string `json:"productVersion,omitempty"` + // ProcessingEndTime - READ-ONLY; The time the alert was made available for consumption. + ProcessingEndTime *date.Time `json:"processingEndTime,omitempty"` + // Status - READ-ONLY; The lifecycle status of the alert. Possible values include: 'AlertStatusUnknown', 'AlertStatusNew', 'AlertStatusResolved', 'AlertStatusDismissed', 'AlertStatusInProgress' + Status AlertStatus `json:"status,omitempty"` + // EndTimeUtc - READ-ONLY; The impact end time of the alert (the time of the last event contributing to the alert). + EndTimeUtc *date.Time `json:"endTimeUtc,omitempty"` + // StartTimeUtc - READ-ONLY; The impact start time of the alert (the time of the first event contributing to the alert). + StartTimeUtc *date.Time `json:"startTimeUtc,omitempty"` + // TimeGenerated - READ-ONLY; The time the alert was generated. + TimeGenerated *date.Time `json:"timeGenerated,omitempty"` + // CompromisedEntity - READ-ONLY; Display name of the main entity being reported on. + CompromisedEntity *string `json:"compromisedEntity,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for SecurityAlertProperties. +func (sap SecurityAlertProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + if sap.Severity != "" { + objectMap["severity"] = sap.Severity + } + return json.Marshal(objectMap) +} + +// SecurityAlertPropertiesConfidenceReasonsItem confidence reason item +type SecurityAlertPropertiesConfidenceReasonsItem struct { + // ReasonType - READ-ONLY; The type (category) of the reason + ReasonType *string `json:"reasonType,omitempty"` + // Reason - READ-ONLY; The reason's description + Reason *string `json:"reason,omitempty"` +} + +// SecurityGroupEntity represents a security group entity. +type SecurityGroupEntity struct { + // SecurityGroupEntityProperties - SecurityGroup entity properties + *SecurityGroupEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for SecurityGroupEntity. +func (sge SecurityGroupEntity) MarshalJSON() ([]byte, error) { + sge.Kind = KindSecurityGroup + objectMap := make(map[string]interface{}) + if sge.SecurityGroupEntityProperties != nil { + objectMap["properties"] = sge.SecurityGroupEntityProperties + } + if sge.Kind != "" { + objectMap["kind"] = sge.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false } -// NotDone returns true if the page enumeration should be started or is not yet complete. -func (page OperationsListPage) NotDone() bool { - return !page.ol.IsEmpty() +// AsSecurityGroupEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return &sge, true } -// Response returns the raw server response from the last page request. -func (page OperationsListPage) Response() OperationsList { - return page.ol +// AsAzureResourceEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false } -// Values returns the slice of values for the current page or nil if there are no values. -func (page OperationsListPage) Values() []Operation { - if page.ol.IsEmpty() { - return nil - } - return *page.ol.Value +// AsCloudApplicationEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false } -// Creates a new instance of the OperationsListPage type. -func NewOperationsListPage(getNextPage func(context.Context, OperationsList) (OperationsList, error)) OperationsListPage { - return OperationsListPage{fn: getNextPage} +// AsProcessEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false } -// Resource an azure resource object -type Resource struct { - // ID - READ-ONLY; Azure resource Id - ID *string `json:"id,omitempty"` - // Type - READ-ONLY; Azure resource type - Type *string `json:"type,omitempty"` - // Name - READ-ONLY; Azure resource name - Name *string `json:"name,omitempty"` +// AsDNSEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false } -// ScheduledAlertRule represents scheduled alert rule. -type ScheduledAlertRule struct { - // ScheduledAlertRuleProperties - Scheduled alert rule properties - *ScheduledAlertRuleProperties `json:"properties,omitempty"` - // ID - READ-ONLY; Azure resource Id - ID *string `json:"id,omitempty"` - // Type - READ-ONLY; Azure resource type - Type *string `json:"type,omitempty"` - // Name - READ-ONLY; Azure resource name - Name *string `json:"name,omitempty"` - // Etag - Etag of the alert rule. - Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindAlertRule', 'KindScheduled' - Kind Kind `json:"kind,omitempty"` +// AsIPEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false } -// MarshalJSON is the custom marshaler for ScheduledAlertRule. -func (sar ScheduledAlertRule) MarshalJSON() ([]byte, error) { - sar.Kind = KindScheduled - objectMap := make(map[string]interface{}) - if sar.ScheduledAlertRuleProperties != nil { - objectMap["properties"] = sar.ScheduledAlertRuleProperties - } - if sar.Etag != nil { - objectMap["etag"] = sar.Etag - } - if sar.Kind != "" { - objectMap["kind"] = sar.Kind - } - return json.Marshal(objectMap) +// AsRegistryKeyEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false } -// AsScheduledAlertRule is the BasicAlertRule implementation for ScheduledAlertRule. -func (sar ScheduledAlertRule) AsScheduledAlertRule() (*ScheduledAlertRule, bool) { - return &sar, true +// AsRegistryValueEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false } -// AsAlertRule is the BasicAlertRule implementation for ScheduledAlertRule. -func (sar ScheduledAlertRule) AsAlertRule() (*AlertRule, bool) { +// AsURLEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsURLEntity() (*URLEntity, bool) { return nil, false } -// AsBasicAlertRule is the BasicAlertRule implementation for ScheduledAlertRule. -func (sar ScheduledAlertRule) AsBasicAlertRule() (BasicAlertRule, bool) { - return &sar, true +// AsEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsEntity() (*Entity, bool) { + return nil, false } -// UnmarshalJSON is the custom unmarshaler for ScheduledAlertRule struct. -func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { +// AsBasicEntity is the BasicEntity implementation for SecurityGroupEntity. +func (sge SecurityGroupEntity) AsBasicEntity() (BasicEntity, bool) { + return &sge, true +} + +// UnmarshalJSON is the custom unmarshaler for SecurityGroupEntity struct. +func (sge *SecurityGroupEntity) UnmarshalJSON(body []byte) error { var m map[string]*json.RawMessage err := json.Unmarshal(body, &m) if err != nil { @@ -4218,12 +7587,12 @@ func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { switch k { case "properties": if v != nil { - var scheduledAlertRuleProperties ScheduledAlertRuleProperties - err = json.Unmarshal(*v, &scheduledAlertRuleProperties) + var securityGroupEntityProperties SecurityGroupEntityProperties + err = json.Unmarshal(*v, &securityGroupEntityProperties) if err != nil { return err } - sar.ScheduledAlertRuleProperties = &scheduledAlertRuleProperties + sge.SecurityGroupEntityProperties = &securityGroupEntityProperties } case "id": if v != nil { @@ -4232,7 +7601,7 @@ func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { if err != nil { return err } - sar.ID = &ID + sge.ID = &ID } case "type": if v != nil { @@ -4241,7 +7610,7 @@ func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { if err != nil { return err } - sar.Type = &typeVar + sge.Type = &typeVar } case "name": if v != nil { @@ -4250,25 +7619,16 @@ func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { if err != nil { return err } - sar.Name = &name - } - case "etag": - if v != nil { - var etag string - err = json.Unmarshal(*v, &etag) - if err != nil { - return err - } - sar.Etag = &etag + sge.Name = &name } case "kind": if v != nil { - var kind Kind + var kind KindBasicEntity err = json.Unmarshal(*v, &kind) if err != nil { return err } - sar.Kind = kind + sge.Kind = kind } } } @@ -4276,32 +7636,24 @@ func (sar *ScheduledAlertRule) UnmarshalJSON(body []byte) error { return nil } -// ScheduledAlertRuleProperties alert rule property bag. -type ScheduledAlertRuleProperties struct { - // DisplayName - The display name for alerts created by this alert rule. - DisplayName *string `json:"displayName,omitempty"` - // Description - The description of the alert rule. - Description *string `json:"description,omitempty"` - // Severity - The severity for alerts created by this alert rule. Possible values include: 'High', 'Medium', 'Low', 'Informational' - Severity AlertSeverity `json:"severity,omitempty"` - // Enabled - Determines whether this alert rule is enabled or disabled. - Enabled *bool `json:"enabled,omitempty"` - // Query - The query that creates alerts for this rule. - Query *string `json:"query,omitempty"` - // QueryFrequency - The frequency (in ISO 8601 duration format) for this alert rule to run. - QueryFrequency *string `json:"queryFrequency,omitempty"` - // QueryPeriod - The period (in ISO 8601 duration format) that this alert rule looks at. - QueryPeriod *string `json:"queryPeriod,omitempty"` - // TriggerOperator - The operation against the threshold that triggers alert rule. Possible values include: 'GreaterThan', 'LessThan', 'Equal', 'NotEqual' - TriggerOperator TriggerOperator `json:"triggerOperator,omitempty"` - // TriggerThreshold - The threshold triggers this alert rule. - TriggerThreshold *int32 `json:"triggerThreshold,omitempty"` - // SuppressionEnabled - Determines whether the suppression for this alert rule is enabled or disabled. - SuppressionEnabled *bool `json:"suppressionEnabled,omitempty"` - // SuppressionDuration - The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. - SuppressionDuration *string `json:"suppressionDuration,omitempty"` - // LastModifiedUtc - READ-ONLY; The last time that this alert has been modified. - LastModifiedUtc *string `json:"lastModifiedUtc,omitempty"` +// SecurityGroupEntityProperties securityGroup entity property bag. +type SecurityGroupEntityProperties struct { + // DistinguishedName - READ-ONLY; The group distinguished name + DistinguishedName *string `json:"distinguishedName,omitempty"` + // Sid - READ-ONLY; The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group + Sid *string `json:"sid,omitempty"` + // ObjectGUID - READ-ONLY; A single-value attribute that is the unique identifier for the object, assigned by active directory. + ObjectGUID *uuid.UUID `json:"objectGuid,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for SecurityGroupEntityProperties. +func (sgep SecurityGroupEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) } // BasicSettings the Setting. @@ -4423,6 +7775,22 @@ func (sm *SettingsModel) UnmarshalJSON(body []byte) error { return nil } +// ThreatIntelligence threatIntelligence property bag. +type ThreatIntelligence struct { + // ProviderName - READ-ONLY; Name of the provider from whom this Threat Intelligence information was received + ProviderName *string `json:"providerName,omitempty"` + // ThreatType - READ-ONLY; Threat type (e.g. "Botnet") + ThreatType *string `json:"threatType,omitempty"` + // ThreatName - READ-ONLY; Threat name (e.g. "Jedobot malware") + ThreatName *string `json:"threatName,omitempty"` + // Confidence - READ-ONLY; Confidence (must be between 0 and 1) + Confidence *float64 `json:"confidence,omitempty"` + // ReportLink - READ-ONLY; Report link + ReportLink *string `json:"reportLink,omitempty"` + // ThreatDescription - READ-ONLY; Threat description (free text) + ThreatDescription *string `json:"threatDescription,omitempty"` +} + // TIDataConnector represents threat intelligence data connector. type TIDataConnector struct { // TIDataConnectorProperties - TI (Threat Intelligence) data connector properties. @@ -4435,7 +7803,7 @@ type TIDataConnector struct { Name *string `json:"name,omitempty"` // Etag - Etag of the data connector. Etag *string `json:"etag,omitempty"` - // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity' + // Kind - Possible values include: 'KindDataConnector', 'KindOffice365', 'KindThreatIntelligence', 'KindAmazonWebServicesCloudTrail', 'KindAzureActiveDirectory', 'KindAzureSecurityCenter', 'KindMicrosoftCloudAppSecurity', 'KindAzureAdvancedThreatProtection', 'KindMicrosoftDefenderAdvancedThreatProtection' Kind KindBasicDataConnector `json:"kind,omitempty"` } @@ -4485,6 +7853,16 @@ func (tdc TIDataConnector) AsMCASDataConnector() (*MCASDataConnector, bool) { return nil, false } +// AsAATPDataConnector is the BasicDataConnector implementation for TIDataConnector. +func (tdc TIDataConnector) AsAATPDataConnector() (*AATPDataConnector, bool) { + return nil, false +} + +// AsMDATPDataConnector is the BasicDataConnector implementation for TIDataConnector. +func (tdc TIDataConnector) AsMDATPDataConnector() (*MDATPDataConnector, bool) { + return nil, false +} + // AsDataConnector is the BasicDataConnector implementation for TIDataConnector. func (tdc TIDataConnector) AsDataConnector() (*DataConnector, bool) { return nil, false @@ -4842,6 +8220,194 @@ type UebaSettingsProperties struct { AtpLicenseStatus LicenseStatus `json:"atpLicenseStatus,omitempty"` } +// URLEntity represents a url entity. +type URLEntity struct { + // URLEntityProperties - Url entity properties + *URLEntityProperties `json:"properties,omitempty"` + // ID - READ-ONLY; Azure resource Id + ID *string `json:"id,omitempty"` + // Type - READ-ONLY; Azure resource type + Type *string `json:"type,omitempty"` + // Name - READ-ONLY; Azure resource name + Name *string `json:"name,omitempty"` + // Kind - Possible values include: 'KindEntity', 'KindAccount', 'KindHost', 'KindFile', 'KindSecurityAlert', 'KindFileHash', 'KindMalware', 'KindSecurityGroup', 'KindAzureResource', 'KindCloudApplication', 'KindProcess', 'KindDNSResolution', 'KindIP', 'KindRegistryKey', 'KindRegistryValue', 'KindURL' + Kind KindBasicEntity `json:"kind,omitempty"` +} + +// MarshalJSON is the custom marshaler for URLEntity. +func (ue URLEntity) MarshalJSON() ([]byte, error) { + ue.Kind = KindURL + objectMap := make(map[string]interface{}) + if ue.URLEntityProperties != nil { + objectMap["properties"] = ue.URLEntityProperties + } + if ue.Kind != "" { + objectMap["kind"] = ue.Kind + } + return json.Marshal(objectMap) +} + +// AsAccountEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsAccountEntity() (*AccountEntity, bool) { + return nil, false +} + +// AsHostEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsHostEntity() (*HostEntity, bool) { + return nil, false +} + +// AsFileEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsFileEntity() (*FileEntity, bool) { + return nil, false +} + +// AsSecurityAlert is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsSecurityAlert() (*SecurityAlert, bool) { + return nil, false +} + +// AsFileHashEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsFileHashEntity() (*FileHashEntity, bool) { + return nil, false +} + +// AsMalwareEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsMalwareEntity() (*MalwareEntity, bool) { + return nil, false +} + +// AsSecurityGroupEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsSecurityGroupEntity() (*SecurityGroupEntity, bool) { + return nil, false +} + +// AsAzureResourceEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsAzureResourceEntity() (*AzureResourceEntity, bool) { + return nil, false +} + +// AsCloudApplicationEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsCloudApplicationEntity() (*CloudApplicationEntity, bool) { + return nil, false +} + +// AsProcessEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsProcessEntity() (*ProcessEntity, bool) { + return nil, false +} + +// AsDNSEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsDNSEntity() (*DNSEntity, bool) { + return nil, false +} + +// AsIPEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsIPEntity() (*IPEntity, bool) { + return nil, false +} + +// AsRegistryKeyEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsRegistryKeyEntity() (*RegistryKeyEntity, bool) { + return nil, false +} + +// AsRegistryValueEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsRegistryValueEntity() (*RegistryValueEntity, bool) { + return nil, false +} + +// AsURLEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsURLEntity() (*URLEntity, bool) { + return &ue, true +} + +// AsEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsEntity() (*Entity, bool) { + return nil, false +} + +// AsBasicEntity is the BasicEntity implementation for URLEntity. +func (ue URLEntity) AsBasicEntity() (BasicEntity, bool) { + return &ue, true +} + +// UnmarshalJSON is the custom unmarshaler for URLEntity struct. +func (ue *URLEntity) UnmarshalJSON(body []byte) error { + var m map[string]*json.RawMessage + err := json.Unmarshal(body, &m) + if err != nil { + return err + } + for k, v := range m { + switch k { + case "properties": + if v != nil { + var URLEntityProperties URLEntityProperties + err = json.Unmarshal(*v, &URLEntityProperties) + if err != nil { + return err + } + ue.URLEntityProperties = &URLEntityProperties + } + case "id": + if v != nil { + var ID string + err = json.Unmarshal(*v, &ID) + if err != nil { + return err + } + ue.ID = &ID + } + case "type": + if v != nil { + var typeVar string + err = json.Unmarshal(*v, &typeVar) + if err != nil { + return err + } + ue.Type = &typeVar + } + case "name": + if v != nil { + var name string + err = json.Unmarshal(*v, &name) + if err != nil { + return err + } + ue.Name = &name + } + case "kind": + if v != nil { + var kind KindBasicEntity + err = json.Unmarshal(*v, &kind) + if err != nil { + return err + } + ue.Kind = kind + } + } + } + + return nil +} + +// URLEntityProperties url entity property bag. +type URLEntityProperties struct { + // URL - READ-ONLY; A full URL the entity points to + URL *string `json:"url,omitempty"` + // FriendlyName - READ-ONLY; The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. + FriendlyName *string `json:"friendlyName,omitempty"` + // AdditionalData - READ-ONLY; A bag of custom fields that should be part of the entity and will be presented to the user. + AdditionalData map[string]interface{} `json:"additionalData"` +} + +// MarshalJSON is the custom marshaler for URLEntityProperties. +func (uep URLEntityProperties) MarshalJSON() ([]byte, error) { + objectMap := make(map[string]interface{}) + return json.Marshal(objectMap) +} + // UserInfo user information that made some action type UserInfo struct { // ObjectID - The object id of the user. diff --git a/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/securityinsightapi/interfaces.go b/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/securityinsightapi/interfaces.go index 80cadcd82ce4..df4305769a17 100644 --- a/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/securityinsightapi/interfaces.go +++ b/services/preview/securityinsight/mgmt/2017-08-01-preview/securityinsight/securityinsightapi/interfaces.go @@ -82,6 +82,7 @@ var _ DataConnectorsClientAPI = (*securityinsight.DataConnectorsClient)(nil) // EntitiesClientAPI contains the set of methods on the EntitiesClient type. type EntitiesClientAPI interface { + Expand(ctx context.Context, resourceGroupName string, operationalInsightsResourceProvider string, workspaceName string, entityID string, parameters securityinsight.EntityExpandParameters) (result securityinsight.EntityExpandResponse, err error) Get(ctx context.Context, resourceGroupName string, operationalInsightsResourceProvider string, workspaceName string, entityID string) (result securityinsight.EntityModel, err error) List(ctx context.Context, resourceGroupName string, operationalInsightsResourceProvider string, workspaceName string) (result securityinsight.EntityListPage, err error) }