Skip to content

Commit

Permalink
Add alerts and recommendations resources (Azure#14599)
Browse files Browse the repository at this point in the history 
* add new resources

* Add resources to markdown

* Modify routes

* Add systemData

* Add systemData to defenderSettings

* Add missing parameter

* Add more systemData

* Fix example

* Add new API version

* Remove redundant change

* update markdown

* Add operations to new API version

* Update list filters

* update description

* update examples

* Update examples

* Add missing properties

* Add missing properties

* Rename property

Co-authored-by: Orel Kayam <orkayam@microsoft.com>
  • Loading branch information
@orkayam
2 people authored and Andrew Sager committed Jun 24, 2021
1 parent 547e799 commit 156b600
Show file tree
Hide file tree
Showing 13 changed files with 1,583 additions and 0 deletions.
313 changes: 313 additions & 0 deletions ...ecurity/resource-manager/Microsoft.IoTSecurity/preview/2021-07-01-preview/alertTypes.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,313 @@
{
"swagger": "2.0",
"info": {
"title": "Azure Defender for IoT",
"description": "API spec for Microsoft.IoTSecurity (Azure Defender for IoT) resource provider",
"version": "2021-07-01-preview"
},
"host": "management.azure.com",
"schemes": [
"https"
],
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"security": [
{
"azure_auth": [
"user_impersonation"
]
}
],
"securityDefinitions": {
"azure_auth": {
"type": "oauth2",
"authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
"flow": "implicit",
"description": "Azure Active Directory OAuth2 Flow",
"scopes": {
"user_impersonation": "impersonate your user account"
}
}
},
"paths": {
"/subscriptions/{subscriptionId}/providers/Microsoft.IoTSecurity/alertTypes": {
"get": {
"x-ms-examples": {
"Get IoT Alert Types": {
"$ref": "./examples/AlertTypes/GetAlertTypeList.json"
}
},
"tags": [
"IoT Security Alert Types"
],
"description": "List IoT alert types",
"operationId": "AlertTypes_List",
"parameters": [
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
},
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/AlertTypeList"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse"
}
}
}
}
},
"/subscriptions/{subscriptionId}/providers/Microsoft.IoTSecurity/alertTypes/{alertTypeName}": {
"get": {
"x-ms-examples": {
"Get IoT Alert Type": {
"$ref": "./examples/AlertTypes/GetAlertType.json"
}
},
"tags": [
"IoT Security Alert Types"
],
"operationId": "AlertTypes_Get",
"description": "Get IoT alert type",
"parameters": [
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
},
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
},
{
"in": "path",
"name": "alertTypeName",
"required": true,
"type": "string",
"description": "Name of the alert type"
}
],
"responses": {
"200": {
"description": "IoT alert type",
"schema": {
"$ref": "#/definitions/AlertType"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse"
}
}
}
}
}
},
"definitions": {
"AlertTypeList": {
"type": "object",
"description": "List of alert types",
"properties": {
"value": {
"type": "array",
"description": "List data",
"items": {
"$ref": "#/definitions/AlertType"
}
}
}
},
"AlertType": {
"type": "object",
"description": "IoT alert type.",
"properties": {
"properties": {
"x-ms-client-flatten": true,
"description": "Alert type properties",
"$ref": "#/definitions/AlertTypeProperties"
},
"systemData": {
"readOnly": true,
"type": "object",
"description": "Azure Resource Manager metadata containing createdBy and modifiedBy information.",
"$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/systemData"
}
},
"allOf": [
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ProxyResource"
}
]
},
"AlertTypeProperties": {
"type": "object",
"description": "IoT alert type information.",
"properties": {
"alertDisplayName": {
"readOnly": true,
"type": "string",
"example": "Privileged container detected",
"description": "The display name of the alert"
},
"severity": {
"readOnly": true,
"type": "string",
"example": "Medium",
"description": "The severity of the alert",
"enum": [
"Informational",
"Low",
"Medium",
"High"
],
"x-ms-enum": {
"name": "alertSeverity",
"modelAsString": true,
"values": [
{
"value": "Informational"
},
{
"value": "Low"
},
{
"value": "Medium"
},
{
"value": "High"
}
]
}
},
"description": {
"readOnly": true,
"type": "string",
"description": "Description of the suspected vulnerability and meaning.",
"example": "Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine."
},
"providerName": {
"readOnly": true,
"type": "string",
"example": "IoTSecurity",
"description": "The name of the alert provider or internal partner"
},
"productName": {
"readOnly": true,
"type": "string",
"example": "Azure Security Center for IoT",
"description": "The name of the product which published this alert"
},
"productComponentName": {
"readOnly": true,
"type": "string",
"example": "IoT Hub",
"description": "The name of a component inside the product which generated the alert"
},
"vendorName": {
"readOnly": true,
"type": "string",
"example": "Microsoft",
"description": "The name of the vendor that raise the alert"
},
"intent": {
"readOnly": true,
"type": "string",
"example": "Exploitation,Execution",
"description": "Kill chain related intent behind the alert. Could contain multiple enum values (separated by commas)",
"enum": [
"Unknown",
"PreAttack",
"InitialAccess",
"Persistence",
"PrivilegeEscalation",
"DefenseEvasion",
"CredentialAccess",
"Discovery",
"LateralMovement",
"Execution",
"Collection",
"Exfiltration",
"CommandAndControl",
"Impact",
"Probing",
"Exploitation"
],
"x-ms-enum": {
"name": "alertIntent",
"modelAsString": true,
"values": [
{
"value": "Unknown"
},
{
"value": "PreAttack"
},
{
"value": "InitialAccess"
},
{
"value": "Persistence"
},
{
"value": "PrivilegeEscalation"
},
{
"value": "DefenseEvasion"
},
{
"value": "CredentialAccess"
},
{
"value": "Discovery"
},
{
"value": "LateralMovement"
},
{
"value": "Execution"
},
{
"value": "Collection"
},
{
"value": "Exfiltration"
},
{
"value": "CommandAndControl"
},
{
"value": "Impact"
},
{
"value": "Probing"
},
{
"value": "Exploitation"
}
]
}
},
"remediationSteps": {
"readOnly": true,
"description": "Manual action items to take to remediate the alert",
"type": "array",
"items": {
"type": "string",
"example": "If the container doesn't need to run in privileged mode, remove the privileges from the container."
}
}
}
}
}
}
Loading

0 comments on commit 156b600

Please sign in to comment.