From 13cf714bcd3664d258a3818f46c1a1848ed49163 Mon Sep 17 00:00:00 2001 
From: hassanchawiche <66896195+hassanchawiche@users.noreply.github.com> Date: Sun, 4 Jul 2021 22:03:47 -0700 Subject: [PATCH] Added Watchlists Stable Version 2021-04-01 (#14843) * Copied Watchlists version 2021-03-01-preview as is to new directory structure * Added Watchlist stable version 2021-04-01 --- .../stable/2021-04-01/Watchlists.json | 781 ++++++++++++++++++ .../examples/watchlists/CreateWatchlist.json | 86 ++ .../CreateWatchlistAndWatchlistItems.json | 89 ++ .../watchlists/CreateWatchlistItem.json | 92 +++ .../examples/watchlists/DeleteWatchlist.json | 14 + .../watchlists/DeleteWatchlistItem.json | 15 + .../watchlists/GetWatchlistByAlias.json | 49 ++ .../watchlists/GetWatchlistItemById.json | 47 ++ .../watchlists/GetWatchlistItems.json | 50 ++ .../examples/watchlists/GetWatchlists.json | 52 ++ .../resource-manager/readme.md | 5 + 11 files changed, 1280 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlist.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistAndWatchlistItems.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistItem.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlist.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlistItem.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistByAlias.json create mode 100644 
specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItemById.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItems.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlists.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json new file mode 100644 index 000000000000..656845335557 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json 
@@ -0,0 +1,781 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2021-04-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { + "get": { + "x-ms-examples": { + "Get all watchlists.": { + "$ref": "./examples/watchlists/GetWatchlists.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Get all watchlists, without watchlist items.", + "operationId": "Watchlists_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": 
"#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { + "get": { + "x-ms-examples": { + "Get a watchlist.": { + "$ref": "./examples/watchlists/GetWatchlistByAlias.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Get a watchlist, without its watchlist items.", + "operationId": "Watchlists_Get", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a watchlist.": { + "$ref": "./examples/watchlists/DeleteWatchlist.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Delete a watchlist.", + "operationId": "Watchlists_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": 
"../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create or update a watchlist.": { + "$ref": "./examples/watchlists/CreateWatchlist.json" + }, + "Create or update a watchlist and bulk creates watchlist items.": { + "$ref": "./examples/watchlists/CreateWatchlistAndWatchlistItems.json" + } + }, + "tags": [ + "Watchlists" + ], + "description": "Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties.", + "operationId": "Watchlists_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/Watchlist" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } 
+ } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { + "get": { + "x-ms-examples": { + "Get all watchlist Items.": { + "$ref": "./examples/watchlists/GetWatchlistItems.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Get all watchlist Items.", + "operationId": "WatchlistItems_List", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItemList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { + "get": { + "x-ms-examples": { + "Get a watchlist item.": { + "$ref": "./examples/watchlists/GetWatchlistItemById.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Get a watchlist item.", + "operationId": "WatchlistItems_Get", + "parameters": [ + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a watchlist item.": { + "$ref": "./examples/watchlists/DeleteWatchlistItem.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Delete a watchlist item.", + "operationId": "WatchlistItems_Delete", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Create or update a watchlist item.": { + 
"$ref": "./examples/watchlists/CreateWatchlistItem.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Create or update a watchlist item.", + "operationId": "WatchlistItems_CreateOrUpdate", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + }, + { + "$ref": "#/parameters/WatchlistItem" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "WatchlistList": { + "description": "List all the watchlists.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlists.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist.", + "items": { + "$ref": "#/definitions/Watchlist" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Watchlist": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/WatchlistProperties", + "description": "Watchlist properties", + "x-ms-client-flatten": true + } + }, + "type": 
"object" + }, + "WatchlistProperties": { + "description": "Describes watchlist properties", + "properties": { + "watchlistId": { + "description": "The id (a Guid) of the watchlist", + "type": "string" + }, + "displayName": { + "description": "The display name of the watchlist", + "type": "string" + }, + "provider": { + "description": "The provider of the watchlist", + "type": "string" + }, + "source": { + "description": "The source of the watchlist", + "enum": [ + "Local file", + "Remote storage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "source" + } + }, + "created": { + "description": "The time the watchlist was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" + }, + "description": { + "description": "A description of the watchlist", + "type": "string" + }, + "watchlistType": { + "description": "The type of the watchlist", + "type": "string" + }, + "watchlistAlias": { + "description": "The alias of the watchlist", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist is deleted or not", + "type": "boolean" + }, + "labels": { + "description": "List of labels relevant to this watchlist", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "defaultDuration": { + "description": "The default duration of a watchlist (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "tenantId": { + "description": "The tenantId where the watchlist belongs to", + "type": "string" + }, + "numberOfLinesToSkip": { + "description": "The number of lines in a 
csv content to skip before the header", + "type": "integer", + "format": "int32" + }, + "rawContent": { + "description": "The raw content that represents to watchlist items to create. Example : This line will be skipped\nheader1,header2\nvalue1,value2", + "type": "string" + }, + "itemsSearchKey": { + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.", + "type": "string" + }, + "contentType": { + "description": "The content type of the raw content. For now, only text/csv is valid", + "type": "string" + }, + "uploadStatus": { + "description": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted", + "type": "string" + } + }, + "required": [ + "displayName", + "source", + "provider", + "itemsSearchKey" + ], + "type": "object" + }, + "WatchlistItemList": { + "description": "List all the watchlist items.", + "type": "object", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlist items.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist items.", + "items": { + "$ref": "#/definitions/WatchlistItem" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "WatchlistItem": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist Item in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/WatchlistItemProperties", + "description": "Watchlist Item properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "WatchlistItemProperties": { + "description": "Describes watchlist item properties", + "properties": { + 
"watchlistItemType": { + "description": "The type of the watchlist item", + "type": "string" + }, + "watchlistItemId": { + "description": "The id (a Guid) of the watchlist item", + "type": "string" + }, + "tenantId": { + "description": "The tenantId to which the watchlist item belongs to", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist item is deleted or not", + "type": "boolean" + }, + "created": { + "description": "The time the watchlist item was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist item was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist item", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist item", + "type": "object" + }, + "itemsKeyValue": { + "description": "key-value pairs for a watchlist item", + "type": "object" + }, + "entityMapping": { + "description": "key-value pairs for a watchlist item entity mapping", + "type": "object" + } + }, + "required": [ + "itemsKeyValue" + ], + "type": "object" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } + }, + "type": "object" + }, + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "CloudError": { + "x-ms-external": true, + "properties": { + "error": { + "$ref": "../../../../../common-types/resource-management/v1/types.json#/definitions/ErrorResponse", + 
"description": "The error object of the CloudError response" + } + }, + "description": "An error response for a resource management request." + } + }, + "parameters": { + "WatchlistAlias": { + "description": "The watchlist alias", + "in": "path", + "name": "watchlistAlias", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Watchlist": { + "description": "The watchlist", + "in": "body", + "name": "watchlist", + "required": true, + "schema": { + "$ref": "#/definitions/Watchlist" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItem": { + "description": "The watchlist item", + "in": "body", + "name": "watchlistItem", + "required": true, + "schema": { + "$ref": "#/definitions/WatchlistItem" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItemId": { + "description": "The watchlist item id (GUID)", + "in": "path", + "name": "watchlistItemId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataSkipToken": { + "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + "in": "query", + "name": "$skipToken", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "SubscriptionId": { + "description": "Azure subscription ID", + "in": "path", + "name": "subscriptionId", + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", + "required": true, + "type": "string" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlist.json new file mode 100644 index 000000000000..bd00602cfce2 
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlist.json
@@ -0,0 +1,86 @@ +{ + "parameters": { + "api-version": "2021-04-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlist": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "High Value Assets Watchlist", + "source": "Local file", + "provider": "Microsoft", + "description": "Watchlist from CSV content", + "itemsSearchKey": "header1" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": 
"\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistAndWatchlistItems.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistAndWatchlistItems.json new file mode 100644 index 000000000000..1c7b3a22bb7f --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistAndWatchlistItems.json 
@@ -0,0 +1,89 @@ +{ + "parameters": { + "api-version": "2021-04-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlist": { + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "properties": { + "displayName": "High Value Assets Watchlist", + "source": "Local file", + "provider": "Microsoft", + "description": "Watchlist from CSV content", + "numberOfLinesToSkip": 1, + "rawContent": "This line will be skipped\nheader1,header2\nvalue1,value2", + "itemsSearchKey": "header1", + "contentType": "text/csv" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + }, + "201": { + "body": { + "id": 
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset", + "name": "highValueAsset", + "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/Watchlists", + "properties": { + "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017", + "displayName": "High Value Assets Watchlist", + "provider": "Microsoft", + "source": "Local file", + "created": "2020-09-28T00:26:54.7746089+00:00", + "updated": "2020-09-28T00:26:57+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "description": "Watchlist from CSV content", + "watchlistType": "watchlist", + "watchlistAlias": "highValueAsset", + "itemsSearchKey": "header1", + "isDeleted": false, + "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistItem.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistItem.json new file mode 100644 index 000000000000..08e7a272577c --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/CreateWatchlistItem.json 
@@ -0,0 +1,92 @@ +{ + "parameters": { + "api-version": "2021-04-01", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalInsights", + "watchlistAlias": "highValueAsset", + "watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842", + "watchlistItem": { + "etag": "0300bf09-0000-0000-0000-5c37296e0000", + "properties": { + "itemsKeyValue": { + "Gateway subnet": "10.0.255.224/27", + "Web Tier": "10.0.1.0/24", + "Business tier": "10.0.2.0/24", + "Data tier": "10.0.2.0/24", + "Private DMZ in": "10.0.0.0/27", + "Public DMZ out": "10.0.0.96/27" + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/82ba292c-dc97-4dfc-969d-d4dd9e666842", + "etag": "0300bf09-0000-0000-0000-5c37296e0000", + "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems", + "properties": { + "watchlistItemType": "watchlist-item", + "watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842", + "tenantId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea", + "isDeleted": false, + "created": "2020-11-15T04:58:56.0748363+00:00", + "updated": "2020-11-16T16:05:20+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "itemsKeyValue": { + "Gateway subnet": "10.0.255.224/27", + "Web Tier": "10.0.1.0/24", + "Business tier": "10.0.2.0/24", + "Data tier": "10.0.2.0/24", + "Private DMZ in": "10.0.0.0/27", + "Public DMZ out": "10.0.0.96/27" + } + } + } + }, + "201": { + "body": { + "id": 
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/82ba292c-dc97-4dfc-969d-d4dd9e666842", + "etag": "0300bf09-0000-0000-0000-5c37296e0000", + "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems", + "properties": { + "watchlistItemType": "watchlist-item", + "watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842", + "tenantId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea", + "isDeleted": false, + "created": "2020-11-15T04:58:56.0748363+00:00", + "updated": "2020-11-16T16:05:20+00:00", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "updatedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john@contoso.com", + "name": "john doe" + }, + "itemsKeyValue": { + "Gateway subnet": "10.0.255.224/27", + "Web Tier": "10.0.1.0/24", + "Business tier": "10.0.2.0/24", + "Data tier": "10.0.2.0/24", + "Private DMZ in": "10.0.0.0/27", + "Public DMZ out": "10.0.0.96/27" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlist.json new file mode 100644 index 000000000000..cb1c4805bd24 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlist.json 
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2021-04-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "watchlistAlias": "highValueAsset"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlistItem.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlistItem.json
new file mode 100644
index 000000000000..942c3c148a00
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/DeleteWatchlistItem.json
@@ -0,0 +1,15 @@
+{
+ "parameters": {
+ "api-version": "2021-04-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "watchlistAlias": "highValueAsset",
+ "watchlistItemId": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistByAlias.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistByAlias.json
new file mode 100644
index 000000000000..ae9dbcae9d2e
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistByAlias.json
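Review bot: The `watchlistItemId` parameter in DeleteWatchlistItem.json is `4008512e-1d30-48b2-9ee2-d3612ed9d3ea`, which is the value CreateWatchlistItem.json returns as `tenantId`, not an item id. GetWatchlistItemById.json has the same mix-up: it requests `3f8901fe-63d9-4875-9ad5-9fb3b8105797`, which is the `tenantId` in its own response, and gets back item `fd37d325-7090-47fe-851a-5b5a00c3f576`. Generated SDK samples and tests tend to be built from these example files, so tenant and item identifiers should not look interchangeable in them. Use the item GUID in both places: `"watchlistItemId": "82ba292c-dc97-4dfc-969d-d4dd9e666842"` here and `"watchlistItemId": "fd37d325-7090-47fe-851a-5b5a00c3f576"` in the Get example.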
@@ -0,0 +1,49 @@
+{
+ "parameters": {
+ "api-version": "2021-04-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "watchlistAlias": "highValueAsset"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
+ "name": "highValueAsset",
+ "type": "Microsoft.SecurityInsights/Watchlists",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017",
+ "displayName": "High Value Assets Watchlist",
+ "provider": "Microsoft",
+ "source": "Local file",
+ "created": "2020-09-28T00:26:54.7746089+00:00",
+ "updated": "2020-09-28T00:26:57+00:00",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "description": "Watchlist from CSV content",
+ "watchlistType": "watchlist",
+ "watchlistAlias": "highValueAsset",
+ "itemsSearchKey": "header1",
+ "isDeleted": false,
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "defaultDuration": "P1279DT12H30M5S",
+ "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItemById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItemById.json
new file mode 100644
index 000000000000..4f5422c7b560
--- /dev/null
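Review bot: The response `id` in GetWatchlistByAlias.json spells the workspace provider `Microsoft.OperationalIinsights` (doubled "i"), which does not match the `operationalInsightsResourceProvider` parameter `Microsoft.OperationalInsights` in the same file; GetWatchlists.json repeats the same string. The segment should read `/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/`. The same `id` also uses `/watchlists/` while `type` and the watchlist-item examples use `Watchlists`, so one casing should be chosen for all examples. Resource ids copied out of examples tend to end up in access-control scopes and automation, where a misspelled namespace does not match the real resource.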
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItemById.json
@@ -0,0 +1,47 @@
+{
+ "parameters": {
+ "api-version": "2021-04-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "watchlistAlias": "highValueAsset",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "watchlistItemId": "3f8901fe-63d9-4875-9ad5-9fb3b8105797"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/fd37d325-7090-47fe-851a-5b5a00c3f576",
+ "name": "fd37d325-7090-47fe-851a-5b5a00c3f576",
+ "etag": "\"f2089bfa-0000-0d00-0000-601c58b42021\"",
+ "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems",
+ "properties": {
+ "watchlistItemType": "watchlist-item",
+ "watchlistItemId": "fd37d325-7090-47fe-851a-5b5a00c3f576",
+ "tenantId": "3f8901fe-63d9-4875-9ad5-9fb3b8105797",
+ "isDeleted": false,
+ "created": "2021-02-04T12:27:32.3783333-08:00",
+ "updated": "2021-02-04T12:27:32.3783333-08:00",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "itemsKeyValue": {
+ "Header-1": "v1_1",
+ "Header-2": "v1_2",
+ "Header-3": "v1_3",
+ "Header-4": "v1_4",
+ "Header-5": "v1_5"
+ },
+ "entityMapping": {}
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItems.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItems.json
new file mode 100644
index 000000000000..e7e87f1de447
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlistItems.json
@@ -0,0 +1,50 @@
+{
+ "parameters": {
+ "api-version": "2021-04-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "watchlistAlias": "highValueAsset"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Watchlists/highValueAsset/WatchlistItems/fd37d325-7090-47fe-851a-5b5a00c3f576",
+ "name": "fd37d325-7090-47fe-851a-5b5a00c3f576",
+ "etag": "\"f2089bfa-0000-0d00-0000-601c58b42021\"",
+ "type": "Microsoft.SecurityInsights/Watchlists/WatchlistItems",
+ "properties": {
+ "watchlistItemType": "watchlist-item",
+ "watchlistItemId": "fd37d325-7090-47fe-851a-5b5a00c3f576",
+ "tenantId": "3f8901fe-63d9-4875-9ad5-9fb3b8105797",
+ "isDeleted": false,
+ "created": "2021-02-04T12:27:32.3783333-08:00",
+ "updated": "2021-02-04T12:27:32.3783333-08:00",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "itemsKeyValue": {
+ "Header-1": "v1_1",
+ "Header-2": "v1_2",
+ "Header-3": "v1_3",
+ "Header-4": "v1_4",
+ "Header-5": "v1_5"
+ },
+ "entityMapping": {}
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlists.json
new file mode 100644
index 000000000000..ae148175f31d
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/watchlists/GetWatchlists.json
@@ -0,0 +1,52 @@
+{
+ "parameters": {
+ "api-version": "2021-04-01",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
+ "name": "highValueAsset",
+ "type": "Microsoft.SecurityInsights/Watchlists",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "watchlistId": "76d5a51f-ba1f-4038-9d22-59fda38dc017",
+ "displayName": "High Value Assets Watchlist",
+ "provider": "Microsoft",
+ "source": "Local file",
+ "created": "2020-09-28T00:26:54.7746089+00:00",
+ "updated": "2020-09-28T00:26:57+00:00",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "description": "Watchlist from CSV content",
+ "watchlistType": "watchlist",
+ "watchlistAlias": "highValueAsset",
+ "itemsSearchKey": "header1",
+ "isDeleted": false,
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "defaultDuration": "P1279DT12H30M5S",
+ "tenantId": "f686d426-8d16-42db-81b7-ab578e110ccd"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md
index 057fd5b8b202..ba1b880288fe 100644
--- a/specification/securityinsights/resource-manager/readme.md
+++ b/specification/securityinsights/resource-manager/readme.md
@@ -38,11 +38,16 @@ These settings apply only when `--tag=package-2021-04-01-only` is specified on t input-file: - Microsoft.SecurityInsights/stable/2021-04-01/Incidents.json - Microsoft.SecurityInsights/stable/2021-04-01/operations.json +- Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json directive: - suppress: R4017 from: Microsoft.SecurityInsights/stable/2021-04-01/Incidents.json where: $.definitions.Incidents reason: The Incident does not support list by subscription. It's not a top-level resource. To get the Incident, we should have a subscription as well as a resource group and Log Analytics workspace. + - suppress: R4017 + from: Microsoft.SecurityInsights/stable/2021-04-01/Watchlists.json + where: $.definitions.Watchlist + reason: The Watchlist does not support list by subscription. It's not a top-level resource. To get the Watchlist, we should have a subscription as well as a resource group and Log Analytics workspace. ``` ---