From b471a74a5d2a553cff72334864701608402e4058 Mon Sep 17 00:00:00 2001 From: moranraz <59017169+moranraz@users.noreply.github.com> Date: Wed, 7 Jul 2021 06:17:17 +0300 Subject: [PATCH] Extract more resources to their own files (#15091) * extract more resources to their own files * fix comments * add aggregations to readme * fixes * fixes * aggregations * . * userInfo * aggregations --- .../2019-01-01-preview/Aggregations.json | 97 + .../2019-01-01-preview/AutomationRules.json | 221 +- .../preview/2019-01-01-preview/Bookmarks.json | 698 + .../preview/2019-01-01-preview/Cases.json | 1186 ++ .../2019-01-01-preview/Enrichment.json | 375 + .../preview/2019-01-01-preview/Entities.json | 1381 ++ .../2019-01-01-preview/OfficeConsents.json | 242 + .../2019-01-01-preview/SecurityInsights.json | 15481 ++++++---------- .../ThreatIntelligence.json | 1129 ++ .../resource-manager/readme.md | 9 +- 10 files changed, 10457 insertions(+), 10362 deletions(-) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Aggregations.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Bookmarks.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Cases.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Enrichment.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Entities.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/OfficeConsents.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/ThreatIntelligence.json 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Aggregations.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Aggregations.json
new file mode 100644
index 000000000000..8a9169fe9391
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Aggregations.json
@@ -0,0 +1,97 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Insights",
+ "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
+ "version": "2019-01-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "security": [
+ {
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }
+ ],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/aggregations/{aggregationsName}": {
+ "get": {
+ "x-ms-examples": {
+ "Get aggregative data for all cases under the defined workspace, between the time range if specified.": {
+ "$ref": "./examples/aggregations/GetCasesAggregations.json"
+ }
+ },
+ "tags": [
+ "Aggregations"
+ ],
+ "description": "Get aggregative result for the given resources under the defined workspace",
+ "operationId": "CasesAggregations_Get",
+ "parameters": [
+ {
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/AggregationsName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/Aggregations"
+ }
+ },
+ "default": {
+ "description": "Error response 
describing why the operation failed.",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "AggregationsName": {
+ "description": "The aggregation name. Supports - Cases",
+ "in": "path",
+ "name": "aggregationsName",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ }
+ },
+ "definitions": {}
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
index aaff726062c7..d791361dca51 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
@@ -371,13 +371,13 @@
 "type": "string"
 },
 "createdBy": {
- "$ref": "#/definitions/ClientInfo",
+ "$ref": "SecurityInsights.json#/definitions/ClientInfo",
 "description": "Describes the client that created the automation rule",
 "readOnly": true,
 "type": "object"
 },
 "lastModifiedBy": {
- "$ref": "#/definitions/ClientInfo",
+ "$ref": "SecurityInsights.json#/definitions/ClientInfo",
 "description": "Describes the client that last updated the automation rule",
 "readOnly": true,
 "type": "object"
@@ -453,7 +453,7 @@
 "description": "The configuration of the modify properties automation rule action",
 "properties": {
 "classification": {
- "$ref": "#/definitions/IncidentClassification",
+ "$ref": "SecurityInsights.json#/definitions/IncidentClassification",
 "description": "The reason the incident was closed"
 },
 "classificationComment": {
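Review bot: The `AggregationsName` parameter at the end of the Aggregations.json hunk is a free-form `"type": "string"` while its own description says only `Cases` is supported, so the contract admits any path value and generated clients get no validation. Constrain it with `"enum": ["Cases"]` and an `x-ms-enum` block with `"modelAsString": true` (keeping `"name": "AggregationsName"`), so future kinds can be added without breaking SDKs. The `operationId` `CasesAggregations_Get` also bakes the single supported kind into the operation group name; if more kinds are planned, `Aggregations_Get` would age better.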
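Review bot: The `$ref` rewrites in the `@@ -371` hunk, and likewise in the `@@ -453` and `@@ -461` hunks, now resolve `ClientInfo` and the `Incident*` definitions from `SecurityInsights.json`, while the `@@ -913` hunk deletes those definitions from this file; the matching additions to SecurityInsights.json are not in view, so I cannot confirm they were carried over byte-for-byte. The details SDK generators key on are the `x-ms-enum` `name` values, `"modelAsString": true`, and `"readOnly": true` on `IncidentLabel.labelType`; a quick diff of the deleted block against its new home before merge would settle it.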
@@ -461,27 +461,27 @@
 "type": "string"
 },
 "classificationReason": {
- "$ref": "#/definitions/IncidentClassificationReason",
+ "$ref": "SecurityInsights.json#/definitions/IncidentClassificationReason",
 "description": "The classification reason to close the incident with"
 },
 "labels": {
 "description": "List of labels to add to the incident",
 "items": {
- "$ref": "#/definitions/IncidentLabel"
+ "$ref": "SecurityInsights.json#/definitions/IncidentLabel"
 },
 "type": "array"
 },
 "owner": {
- "$ref": "#/definitions/IncidentOwnerInfo",
+ "$ref": "SecurityInsights.json#/definitions/IncidentOwnerInfo",
 "description": "Describes a user that the incident is assigned to",
 "type": "object"
 },
 "severity": {
- "$ref": "#/definitions/IncidentSeverity",
+ "$ref": "SecurityInsights.json#/definitions/IncidentSeverity",
 "description": "The severity of the incident"
 },
 "status": {
- "$ref": "#/definitions/IncidentStatus",
+ "$ref": "SecurityInsights.json#/definitions/IncidentStatus",
 "description": "The status of the incident"
 }
 },
@@ -913,211 +913,6 @@ "triggersWhen" ], "type": "object" - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" - }, - "name": { - "description": "The name of the client.", - "type": "string" - }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } - }, - "type": "object" - }, - "IncidentClassification": { - "description": "The reason the incident was closed", - "enum": [ - "Undetermined", - "TruePositive", - "BenignPositive", - "FalsePositive" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassification", - "values": [ - { - "description": "Incident classification was undetermined", - "value": "Undetermined" - }, - { - "description": "Incident was true positive", - "value": "TruePositive" - }, - { - "description": "Incident was benign positive", - "value": "BenignPositive" - }, - { - "description": "Incident was false positive", - "value": "FalsePositive" - } - ] - } - }, - "IncidentClassificationReason": { - "description": "The classification reason the incident was closed with", - "enum": [ - "SuspiciousActivity", - "SuspiciousButExpected", - "IncorrectAlertLogic", - "InaccurateData" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassificationReason", - "values": [ - { - "description": "Classification reason was suspicious activity", - "value": "SuspiciousActivity" - }, - { - "description": "Classification reason was suspicious but expected", - "value": "SuspiciousButExpected" - }, - { - "description": "Classification reason was incorrect alert logic", - "value": "IncorrectAlertLogic" - }, - { - "description": "Classification reason was inaccurate data", - "value": 
"InaccurateData" - } - ] - } - }, - "IncidentLabel": { - "description": "Represents an incident label", - "properties": { - "labelName": { - "description": "The name of the label", - "type": "string" - }, - "labelType": { - "description": "The type of the label", - "enum": [ - "User", - "System" - ], - "type": "string", - "readOnly": true, - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentLabelType", - "values": [ - { - "description": "Label manually created by a user", - "value": "User" - }, - { - "description": "Label automatically created by the system", - "value": "System" - } - ] - } - } - }, - "required": [ - "labelName" - ], - "type": "object" - }, - "IncidentOwnerInfo": { - "description": "Information on the user an incident is assigned to", - "properties": { - "email": { - "description": "The email of the user the incident is assigned to.", - "type": "string" - }, - "assignedTo": { - "description": "The name of the user the incident is assigned to.", - "type": "string" - }, - "objectId": { - "description": "The object id of the user the incident is assigned to.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the user the incident is assigned to.", - "type": "string" - } - }, - "type": "object" - }, - "IncidentSeverity": { - "description": "The severity of the incident", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "IncidentStatus": { - "description": "The status of the incident", - "enum": [ - "New", - "Active", - "Closed" - ], - "type": "string", - "x-ms-enum": { - 
"modelAsString": true, - "name": "IncidentStatus", - "values": [ - { - "description": "An active incident which isn't being handled currently", - "value": "New" - }, - { - "description": "An active incident which is being handled", - "value": "Active" - }, - { - "description": "A non-active incident", - "value": "Closed" - } - ] - } } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Bookmarks.json new file mode 100644 index 000000000000..beed814dd448 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Bookmarks.json 
@@ -0,0 +1,698 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2019-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { + "get": { + "x-ms-examples": { + "Get all bookmarks.": { + "$ref": "./examples/bookmarks/GetBookmarks.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets all bookmarks.", + "operationId": "Bookmarks_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { + "get": { + "x-ms-examples": { + "Get a bookmark.": { + "$ref": "./examples/bookmarks/GetBookmarkById.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets a bookmark.", + "operationId": "Bookmarks_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a bookmark.": { + "$ref": "./examples/bookmarks/CreateBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Creates or updates the bookmark.", + "operationId": "Bookmarks_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/Bookmark" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + 
"201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a bookmark.": { + "$ref": "./examples/bookmarks/DeleteBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Delete the bookmark.", + "operationId": "Bookmarks_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { + "get": { + "x-ms-examples": { + "Get all bookmark relations.": { + "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Gets all bookmark relations.", + "operationId": "BookmarkRelations_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": 
"SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataFilter" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataOrderBy" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataTop" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "SecurityInsights.json#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "SecurityInsights.json#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { + "post": { + "x-ms-examples": { + "Expand an bookmark": { + "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" + } + }, + "description": "Expand an bookmark", + "operationId": "Bookmark_Expand", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/BookmarkExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkExpandResponse" + } + }, + "default": { + "description": "Error response describing 
why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "tags": [ + "Bookmark" + ] + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Gets a bookmark relation.", + "operationId": "BookmarkRelations_GetRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "SecurityInsights.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/CreateBookmarkRelation.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Creates the bookmark relation.", + "operationId": "BookmarkRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": 
"SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + }, + { + "$ref": "SecurityInsights.json#/parameters/Relation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "SecurityInsights.json#/definitions/Relation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "SecurityInsights.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete the bookmark relation.": { + "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Delete the bookmark relation.", + "operationId": "BookmarkRelations_DeleteRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "Bookmark": { + "description": "The bookmark", + "in": "body", + "name": 
"bookmark", + "required": true, + "schema": { + "$ref": "#/definitions/Bookmark" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkExpandRequestBody": { + "description": "The parameters required to execute an expand operation on the given bookmark.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/BookmarkExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkId": { + "description": "Bookmark ID", + "in": "path", + "name": "bookmarkId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "Bookmark": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a bookmark in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/BookmarkProperties", + "description": "Bookmark properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "BookmarkExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": "SecurityInsights.json#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." 
+ }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "SecurityInsights.json#/definitions/Entity" + }, + "type": "array" + }, + "edges": { + "description": "Array of expansion result connected entities", + "items": { + "$ref": "SecurityInsights.json#/definitions/ConnectedEntity" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "BookmarkExpandParameters": { + "description": "The parameters required to execute an expand operation on the given bookmark.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" + }, + "startTime": { + "description": "The start date filter, so the only expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + } + }, + "BookmarkList": { + "description": "List all the bookmarks.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of bookmarks.", + "items": { + "$ref": "#/definitions/Bookmark" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "BookmarkProperties": { + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "SecurityInsights.json#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + 
"items": { + "$ref": "SecurityInsights.json#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "SecurityInsights.json#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "eventTime": { + "description": "The bookmark event time", + "format": "date-time", + "type": "string" + }, + "queryStartTime": { + "description": "The start time for the query", + "format": "date-time", + "type": "string" + }, + "queryEndTime": { + "description": "The end time for the query", + "format": "date-time", + "type": "string" + }, + "incidentInfo": { + "$ref": "SecurityInsights.json#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Cases.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Cases.json new file mode 100644 index 000000000000..9fc37ddb3210 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Cases.json 
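Review bot: In `BookmarkProperties` none of the attribution fields (`created`, `createdBy`, `updated`, `updatedBy`) carry `"readOnly": true`, unlike `createdBy`/`lastModifiedBy` in the AutomationRules hunk of this same commit, so the contract lets a PUT body supply its own author identity and timestamps; if the service overwrites them, mark them `"readOnly": true` so generated clients never send them, and if it does not, that is an attribution gap to close server-side. `BookmarkList.nextLink` is described as `"URL to fetch the next set of cases."`, a copy-paste from Cases that should read `"URL to fetch the next set of bookmarks."`. `Bookmark_Expand` is the only operation in the file outside the `Bookmarks_`/`BookmarkRelations_` groups and is tagged `Bookmark` rather than `Bookmarks`, which yields a separate one-method client in generated SDKs; `Bookmarks_Expand` with tag `Bookmarks` keeps it with its siblings. `BookmarkExpandResponse`, `BookmarkExpandParameters` and `BookmarkList` also omit the `"type": "object"` that `Bookmark` and `BookmarkProperties` declare.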
@@ -0,0 +1,1186 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2019-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases": { + "get": { + "x-ms-examples": { + "Get all cases.": { + "$ref": "./examples/cases/GetCases.json" + } + }, + "tags": [ + "Cases" + ], + "description": "Gets all cases.", + "deprecated": true, + "operationId": "Cases_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataFilter" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataOrderBy" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataTop" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseList" + } + }, + "default": { + "description": "Error 
response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}": { + "get": { + "x-ms-examples": { + "Get a case.": { + "$ref": "./examples/cases/GetCaseById.json" + } + }, + "tags": [ + "Cases" + ], + "description": "Gets a case.", + "deprecated": true, + "operationId": "Cases_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Case" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a case.": { + "$ref": "./examples/cases/CreateCase.json" + } + }, + "tags": [ + "Cases" + ], + "description": "Creates or updates the case.", + "deprecated": true, + "operationId": "Cases_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": 
"#/parameters/CaseId" + }, + { + "$ref": "#/parameters/Case" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Case" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Case" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a case.": { + "$ref": "./examples/cases/DeleteCase.json" + } + }, + "tags": [ + "Cases" + ], + "description": "Delete the case.", + "deprecated": true, + "operationId": "Cases_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/comments": { + "get": { + "x-ms-examples": { + "Get all case comments.": { + "$ref": "./examples/cases/comments/GetAllCaseComments.json" + } + }, + "tags": [ + "CaseComments" + ], + "description": "Gets all case comments.", + "deprecated": true, + "operationId": "Comments_ListByCase", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": 
"SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataFilter" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataOrderBy" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataTop" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "#/definitions/CaseComment", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/comments/{caseCommentId}": { + "get": { + "x-ms-examples": { + "Get a case comment.": { + "$ref": "./examples/cases/comments/GetCaseCommentById.json" + } + }, + "tags": [ + "CaseComments" + ], + "description": "Gets a case comment.", + "deprecated": true, + "operationId": "Cases_GetComment", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/CaseCommentId" + } + ], + "responses": { + "200": { + 
"description": "OK", + "schema": { + "$ref": "#/definitions/CaseComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a case comment.": { + "$ref": "./examples/cases/comments/CreateCaseComment.json" + } + }, + "tags": [ + "CaseComments" + ], + "description": "Creates the case comment.", + "deprecated": true, + "operationId": "CaseComments_CreateComment", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/CaseCommentId" + }, + { + "$ref": "#/parameters/CaseComment" + } + ], + "responses": { + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/CaseComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations": { + "get": { + "x-ms-examples": { + "Get all case relations.": { + "$ref": "./examples/cases/relations/GetAllCaseRelations.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Gets all case relations.", + "deprecated": true, + "operationId": "CaseRelations_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": 
"SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataFilter" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataOrderBy" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataTop" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "#/definitions/CaseRelation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a case relation.": { + "$ref": "./examples/cases/relations/GetCaseRelationByName.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Gets a case relation.", + "deprecated": true, + "operationId": "CaseRelations_GetRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + 
} + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a case relation.": { + "$ref": "./examples/cases/relations/CreateCaseRelation.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Creates or updates the case relation.", + "deprecated": true, + "operationId": "CaseRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + }, + { + "$ref": "#/parameters/RelationInputModel" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/CaseRelation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete the case relation.": { + "$ref": "./examples/cases/relations/DeleteCaseRelation.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Delete the case relation.", + "deprecated": true, + "operationId": "CaseRelations_DeleteRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" 
+ }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "Case": { + "description": "The case", + "in": "body", + "name": "case", + "required": true, + "schema": { + "$ref": "#/definitions/Case" + }, + "x-ms-parameter-location": "method" + }, + "CaseComment": { + "description": "The case comment", + "in": "body", + "name": "caseComment", + "required": true, + "schema": { + "$ref": "#/definitions/CaseComment" + }, + "x-ms-parameter-location": "method" + }, + "CaseCommentId": { + "description": "Case comment ID", + "in": "path", + "name": "caseCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "CaseId": { + "description": "Case ID", + "in": "path", + "name": "caseId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RelationInputModel": { + "name": "relationInputModel", + "in": "body", + "description": "The relation input model", + "required": true, + "schema": { + "$ref": "#/definitions/RelationsModelInput" + }, + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "Case": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a case in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/CaseProperties", + "description": "Case properties", + "x-ms-client-flatten": true + } + }, + 
"type": "object" + }, + "CaseComment": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/Resource" + } + ], + "description": "Represents a case comment", + "properties": { + "properties": { + "$ref": "#/definitions/CaseCommentProperties", + "description": "Case comment properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "CaseCommentList": { + "description": "List of case comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/CaseComment" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "CaseCommentProperties": { + "description": "Case comment property bag.", + "properties": { + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "message": { + "description": "The comment message", + "type": "string" + }, + "userInfo": { + "$ref": "SecurityInsights.json#/definitions/UserInfo", + "description": "Describes the user that created the comment", + "readOnly": true, + "type": "object" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "CaseList": { + "description": "List all the cases.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of cases.", + "items": { + "$ref": "#/definitions/Case" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "CaseProperties": { + "description": "Describes case properties", + "properties": { + "caseNumber": { + "description": "a sequential number", + "readOnly": true, + "type": "integer" + }, + "closeReason": { + "description": "The reason the case was closed", + "enum": [ + "Resolved", + "Dismissed", + "TruePositive", + "FalsePositive", + "Other" + ], + 
"type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CloseReason", + "values": [ + { + "description": "Case was resolved", + "value": "Resolved" + }, + { + "description": "Case was dismissed", + "value": "Dismissed" + }, + { + "description": "Case was true positive", + "value": "TruePositive" + }, + { + "description": "Case was false positive", + "value": "FalsePositive" + }, + { + "description": "Case was closed for another reason", + "value": "Other" + } + ] + } + }, + "closedReasonText": { + "description": "the case close reason details", + "type": "string" + }, + "createdTimeUtc": { + "description": "The time the case was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the case", + "type": "string" + }, + "endTimeUtc": { + "description": "The end time of the case", + "format": "date-time", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this case", + "items": { + "$ref": "SecurityInsights.json#/definitions/Label" + }, + "type": "array" + }, + "lastComment": { + "description": "the last comment in the case", + "readOnly": true, + "type": "string" + }, + "lastUpdatedTimeUtc": { + "description": "The last time the case was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "metrics": { + "description": "Dictionary of metrics, for example the number of alerts in the case", + "type": "object", + "additionalProperties": { + "type": "integer", + "format": "int32" + }, + "readOnly": true + }, + "owner": { + "$ref": "SecurityInsights.json#/definitions/UserInfo", + "description": "Describes a user that the case is assigned to", + "type": "object" + }, + "relatedAlertIds": { + "description": "List of related alert identifiers", + "items": { + "description": "related alert id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "relatedAlertProductNames": { + "description": "List of 
related alert product names", + "items": { + "description": "related alert product name", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with case", + "items": { + "$ref": "SecurityInsights.json#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + }, + "severity": { + "description": "The severity of the case", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "startTimeUtc": { + "description": "The start time of the case", + "format": "date-time", + "type": "string" + }, + "status": { + "description": "The status of the case", + "enum": [ + "Draft", + "New", + "InProgress", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseStatus", + "values": [ + { + "description": "Case that wasn't promoted yet to active", + "value": "Draft" + }, + { + "description": "An active case which isn't handled currently", + "value": "New" + }, + { + "description": "An active case which is handled", + "value": "InProgress" + }, + { + "description": "A non active case", + "value": "Closed" + } + ] + } + }, + "title": { + "description": "The title of the case", + "type": "string" + }, + "totalComments": { + "description": "the number of total comments in the case", + "readOnly": true, + "type": "integer" + } + }, + "required": [ + "title", + "severity", + "status" + ], + "type": "object" + }, + "CaseRelationList": { + "description": "List of case relations.", + "properties": { + 
"nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" + }, + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/CaseRelation" + } + } + }, + "required": [ + "value" + ] + }, + "CaseRelation": { + "type": "object", + "description": "Represents a case relation", + "allOf": [ + { + "$ref": "#/definitions/RelationBase" + } + ], + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "Case relation properties", + "$ref": "#/definitions/CaseRelationProperties" + } + } + }, + "CaseRelationProperties": { + "type": "object", + "description": "Case relation properties", + "properties": { + "relationName": { + "type": "string", + "description": "Name of relation" + }, + "bookmarkId": { + "type": "string", + "description": "The case related bookmark id" + }, + "caseIdentifier": { + "type": "string", + "description": "The case identifier" + }, + "bookmarkName": { + "type": "string", + "description": "The case related bookmark name" + } + }, + "required": [ + "relationName", + "caseIdentifier", + "bookmarkId" + ] + }, + "RelationsModelInput": { + "type": "object", + "description": "Relation input model", + "allOf": [ + { + "$ref": "#/definitions/RelationBase" + } + ], + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "Relation input properties", + "$ref": "#/definitions/RelationsModelInputProperties" + } + } + }, + "RelationsModelInputProperties": { + "type": "object", + "description": "Relation input properties", + "properties": { + "relationName": { + "type": "string", + "description": "Name of relation" + }, + "sourceRelationNode": { + "type": "object", + "description": "Relation source node", + "$ref": "#/definitions/RelationNode" + }, + "targetRelationNode": { + "type": "object", + "description": "Relation target node", + "$ref": "#/definitions/RelationNode" + } + } + }, + "RelationBase": { + 
"type": "object", + "description": "Represents a relation", + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/Resource" + }, + { + "type": "object", + "properties": { + "kind": { + "type": "string", + "description": "The type of relation node", + "readOnly": true, + "enum": [ + "CasesToBookmarks" + ], + "x-ms-enum": { + "name": "RelationTypes", + "modelAsString": true, + "values": [ + { + "value": "CasesToBookmarks", + "description": "Relations between cases and bookmarks" + } + ] + } + }, + "etag": { + "type": "string", + "description": "ETag for relation" + } + } + } + ] + }, + "RelationNode": { + "type": "object", + "description": "Relation node", + "properties": { + "relationNodeId": { + "type": "string", + "description": "Relation Node Id" + }, + "relationNodeKind": { + "type": "string", + "description": "The type of relation node", + "readOnly": true, + "enum": [ + "Case", + "Bookmark" + ], + "x-ms-enum": { + "name": "RelationNodeKind", + "modelAsString": true, + "values": [ + { + "value": "Case", + "description": "Case node part of the relation" + }, + { + "value": "Bookmark", + "description": "Bookmark node part of the relation" + } + ] + } + }, + "etag": { + "type": "string", + "description": "Etag for relation node" + }, + "relationAdditionalProperties": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "Additional set of properties" + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Enrichment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Enrichment.json new file mode 100644 index 000000000000..356658a0ed41 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Enrichment.json 
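Review bot: Cases_List declares the ODataFilter, ODataOrderBy, ODataTop and ODataSkipToken parameters but carries no `x-ms-odata` annotation, whereas Comments_ListByCase and CaseRelations_List in the same file pair the same parameters with `"x-ms-odata": "#/definitions/CaseComment"` and `"x-ms-odata": "#/definitions/CaseRelation"` next to their `x-ms-pageable`; for consistency Cases_List should get `"x-ms-odata": "#/definitions/Case"`, or a sentence in its description should say which fields are filterable. The list wrappers CaseList, CaseCommentList and CaseRelationList omit the `"type": "object"` that every other definition in this file declares. RelationNode.relationAdditionalProperties is an open string-to-string map described only as "Additional set of properties"; a sentence naming the expected keys, or stating that the service stores them opaquely, would help consumers without touching the wire contract, which as an extraction commit this change should leave unchanged.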
@@ -0,0 +1,375 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Insights",
+ "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
+ "version": "2019-01-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "security": [
+ {
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }
+ ],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": {
+ "get": {
+ "x-ms-examples": {
+ "Get geodata for a single IP address": {
+ "$ref": "./examples/enrichment/GetGeodataByIp.json"
+ }
+ },
+ "tags": [
+ "Enrichment"
+ ],
+ "description": "Get geodata for a single IP address",
+ "operationId": "IPGeodata_Get",
+ "parameters": [
+ {
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/EnrichmentIpAddress"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/EnrichmentIpGeodata"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed to enrich this ip.",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": {
+ "get": {
+ "x-ms-examples": {
+ "Get whois information for a single domain name": {
+ "$ref": 
"./examples/enrichment/GetWhoisByDomainName.json"
+ }
+ },
+ "tags": [
+ "Enrichment"
+ ],
+ "description": "Get whois information for a single domain name",
+ "operationId": "DomainWhois_Get",
+ "parameters": [
+ {
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/EnrichmentDomain"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/EnrichmentDomainWhois"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed to enrich this domain.",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "EnrichmentIpAddress": {
+ "description": "IP address (v4 or v6) to be enriched",
+ "in": "query",
+ "name": "ipAddress",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
+ "EnrichmentDomain": {
+ "description": "Domain name to be enriched",
+ "in": "query",
+ "name": "domain",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ }
+ },
+ "definitions": {
+ "EnrichmentDomainWhois": {
+ "description": "Whois information for a given domain and associated metadata",
+ "properties": {
+ "domain": {
+ "description": "The domain for this whois record",
+ "type": "string"
+ },
+ "server": {
+ "description": "The hostname of this registrar's whois server",
+ "type": "string"
+ },
+ "created": {
+ "description": "The timestamp at which this record was created",
+ "format": "date-time",
+ "type": "string"
+ },
+ "updated": {
+ "description": "The timestamp at which this record was last updated",
+ "format": "date-time",
+ "type": "string"
+ },
+ "expires": {
+ "description": "The timestamp at which this record will expire",
+ "format": "date-time",
+ "type": "string"
+ },
+ "parsedWhois": {
+ "description": 
"The whois record for a given domain",
+ "$ref": "#/definitions/EnrichmentDomainWhoisDetails"
+ }
+ }
+ },
+ "EnrichmentDomainWhoisDetails": {
+ "description": "The whois record for a given domain",
+ "properties": {
+ "registrar": {
+ "description": "The registrar associated with this domain",
+ "$ref": "#/definitions/EnrichmentDomainWhoisRegistrarDetails"
+ },
+ "contacts": {
+ "description": "The set of contacts associated with this domain",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContacts"
+ },
+ "nameServers": {
+ "description": "A list of name servers associated with this domain",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "statuses": {
+ "description": "The set of status flags for this whois record",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "EnrichmentDomainWhoisRegistrarDetails": {
+ "description": "The registrar associated with this domain",
+ "properties": {
+ "name": {
+ "description": "The name of this registrar",
+ "type": "string"
+ },
+ "abuseContactEmail": {
+ "description": "This registrar's abuse contact email",
+ "type": "string"
+ },
+ "abuseContactPhone": {
+ "description": "This registrar's abuse contact phone number",
+ "type": "string"
+ },
+ "ianaId": {
+ "description": "This registrar's Internet Assigned Numbers Authority id",
+ "type": "string"
+ },
+ "url": {
+ "description": "This registrar's URL",
+ "type": "string"
+ },
+ "whoisServer": {
+ "description": "The hostname of this registrar's whois server",
+ "type": "string"
+ }
+ }
+ },
+ "EnrichmentDomainWhoisContacts": {
+ "description": "The set of contacts associated with this domain",
+ "properties": {
+ "admin": {
+ "description": "The admin contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
+ },
+ "billing": {
+ "description": "The billing contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
+ },
+ "registrant": {
+ "description": "The registrant contact for 
this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
+ },
+ "tech": {
+ "description": "The technical contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
+ }
+ }
+ },
+ "EnrichmentDomainWhoisContact": {
+ "description": "An individual contact associated with this domain",
+ "properties": {
+ "name": {
+ "description": "The name of this contact",
+ "type": "string"
+ },
+ "org": {
+ "description": "The organization for this contact",
+ "type": "string"
+ },
+ "street": {
+ "description": "A list describing the street address for this contact",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "city": {
+ "description": "The city for this contact",
+ "type": "string"
+ },
+ "state": {
+ "description": "The state for this contact",
+ "type": "string"
+ },
+ "postal": {
+ "description": "The postal code for this contact",
+ "type": "string"
+ },
+ "country": {
+ "description": "The country for this contact",
+ "type": "string"
+ },
+ "phone": {
+ "description": "The phone number for this contact",
+ "type": "string"
+ },
+ "fax": {
+ "description": "The fax number for this contact",
+ "type": "string"
+ },
+ "email": {
+ "description": "The email address for this contact",
+ "type": "string"
+ }
+ }
+ },
+ "EnrichmentIpGeodata": {
+ "description": "Geodata information for a given IP address",
+ "properties": {
+ "asn": {
+ "description": "The autonomous system number associated with this IP address",
+ "type": "string"
+ },
+ "carrier": {
+ "description": "The name of the carrier for this IP address",
+ "type": "string"
+ },
+ "city": {
+ "description": "The city this IP address is located in",
+ "type": "string"
+ },
+ "cityCf": {
+ "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100",
+ "type": "integer",
+ "format": "int32"
+ },
+ "continent": {
+ "description": "The continent this IP address is located on",
+ "type": "string"
+ },
+ 
"country": {
+ "description": "The county this IP address is located in",
+ "type": "string"
+ },
+ "countryCf": {
+ "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100",
+ "type": "integer",
+ "format": "int32"
+ },
+ "ipAddr": {
+ "description": "The dotted-decimal or colon-separated string representation of the IP address",
+ "type": "string"
+ },
+ "ipRoutingType": {
+ "description": "A description of the connection type of this IP address",
+ "type": "string"
+ },
+ "latitude": {
+ "description": "The latitude of this IP address",
+ "type": "string"
+ },
+ "longitude": {
+ "description": "The longitude of this IP address",
+ "type": "string"
+ },
+ "organization": {
+ "description": "The name of the organization for this IP address",
+ "type": "string"
+ },
+ "organizationType": {
+ "description": "The type of the organization for this IP address",
+ "type": "string"
+ },
+ "region": {
+ "description": "The geographic region this IP address is located in",
+ "type": "string"
+ },
+ "state": {
+ "description": "The state this IP address is located in",
+ "type": "string"
+ },
+ "stateCf": {
+ "description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100",
+ "type": "integer",
+ "format": "int32"
+ },
+ "stateCode": {
+ "description": "The abbreviated name for the state this IP address is located in",
+ "type": "string"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Entities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Entities.json new file mode 100644
index 000000000000..32a16a5d78e9
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/Entities.json
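Review bot: The description of the `country` property in EnrichmentIpGeodata reads "The county this IP address is located in"; it should be `"description": "The country this IP address is located in"`. The `cityCf`, `countryCf` and `stateCf` fields are documented as a 0-100 confidence rating but declare no bounds, so adding `"minimum": 0, "maximum": 100` to each would let validators and generated clients enforce the documented range. The EnrichmentIpAddress and EnrichmentDomain query parameters are bare strings with no `pattern` or `maxLength`, so the spec gives callers no hint of what the service rejects; if the service validates these inputs, stating the accepted form in the description (or as a `pattern`) would be useful. None of the Enrichment definitions declare `"type": "object"`, unlike most definitions in Cases.json in this same commit.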
@@ -0,0 +1,1381 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2019-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { + "get": { + "x-ms-examples": { + "Get all entities.": { + "$ref": "./examples/entities/GetEntities.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Gets all entities.", + "operationId": "Entities_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { + "get": { + "x-ms-examples": { + "Get an account entity.": { + "$ref": "./examples/entities/GetAccountEntityById.json" + }, + "Get a host entity.": { + "$ref": "./examples/entities/GetHostEntityById.json" + }, + "Get a file entity.": { + "$ref": "./examples/entities/GetFileEntityById.json" + }, + "Get a security alert entity.": { + "$ref": "./examples/entities/GetSecurityAlertEntityById.json" + }, + "Get a file hash entity.": { + "$ref": "./examples/entities/GetFileHashEntityById.json" + }, + "Get a malware entity.": { + "$ref": "./examples/entities/GetMalwareEntityById.json" + }, + "Get a security group entity.": { + "$ref": "./examples/entities/GetSecurityGroupEntityById.json" + }, + "Get an azure resource entity.": { + "$ref": "./examples/entities/GetAzureResourceEntityById.json" + }, + "Get a cloud application entity.": { + "$ref": "./examples/entities/GetCloudApplicationEntityById.json" + }, + "Get a process entity.": { + "$ref": "./examples/entities/GetProcessEntityById.json" + }, + "Get a dns entity.": { + "$ref": "./examples/entities/GetDnsEntityById.json" + }, + "Get an ip entity.": { + "$ref": "./examples/entities/GetIpEntityById.json" + }, + "Get a registry key entity.": { + "$ref": "./examples/entities/GetRegistryKeyEntityById.json" + }, + "Get a registry value entity.": { + "$ref": "./examples/entities/GetRegistryValueEntityById.json" + }, + "Get a url entity.": { + "$ref": "./examples/entities/GetUrlEntityById.json" + }, + "Get an IoT device entity.": { + "$ref": "./examples/entities/GetIoTDeviceEntityById.json" + }, + "Get a mailCluster entity.": { + "$ref": "./examples/entities/GetMailClusterEntityById.json" + }, + "Get a mailbox entity.": { + "$ref": "./examples/entities/GetMailboxEntityById.json" + }, + "Get a mailMessage entity.": { + "$ref": 
"./examples/entities/GetMailMessageEntityById.json" + }, + "Get a submissionMail entity.": { + "$ref": "./examples/entities/GetSubmissionMailEntityById.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Gets an entity.", + "operationId": "Entities_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "SecurityInsights.json#/definitions/Entity" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { + "post": { + "x-ms-examples": { + "Expand an entity": { + "$ref": "./examples/entities/expand/PostExpandEntity.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Expands an entity.", + "operationId": "Entities_Expand", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + 
"schema": { + "$ref": "#/definitions/EntityExpandResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { + "post": { + "x-ms-examples": { + "Entity timeline": { + "$ref": "./examples/entities/timeline/PostTimelineEntity.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Timeline for an entity.", + "operationId": "EntitiesGetTimeline_list", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityTimelineRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityTimelineResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { + "get": { + "x-ms-examples": { + "Get Entity Query": { + "$ref": "./examples/entities/GetQueries.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Get Insights and Activities for an entity.", + "operationId": "Entities_Queries", + "parameters": [ + { + 
"$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityQueryKindParam" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/GetQueriesResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { + "post": { + "x-ms-examples": { + "Entity Insight": { + "$ref": "./examples/entities/insights/PostGetInsights.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Execute Insights for an entity.", + "operationId": "Entities_GetInsights", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityGetInsightsResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": 
"SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { + "get": { + "x-ms-examples": { + "Get all relations of an entity.": { + "$ref": "./examples/entities/relations/GetAllEntityRelations.json" + } + }, + "tags": [ + "EntityRelations" + ], + "description": "Gets all relations of an entity.", + "operationId": "EntitiesRelations_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataFilter" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataOrderBy" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataTop" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "SecurityInsights.json#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-odata": "SecurityInsights.json#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get an entity relation.": { + 
"$ref": "./examples/entities/relations/GetEntityRelationByName.json" + } + }, + "tags": [ + "EntityRelations" + ], + "description": "Gets an entity relation.", + "operationId": "EntityRelations_GetRelation", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "SecurityInsights.json#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "SecurityInsights.json#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "EntityExpandRequestBody": { + "description": "The parameters required to execute an expand operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityTimelineRequestBody": { + "description": "The parameters required to execute an timeline operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityTimelineParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityQueryKindParam": { + "description": "The Kind parameter for queries", + "in": "query", + "name": "kind", + "required": true, + "type": "string", + "enum": [ + "Insight" + ], + 
"x-ms-enum": { + "modelAsString": true, + "name": "EntityItemQueryKind", + "values": [ + { + "description": "insight", + "value": "Insight" + } + ] + }, + "x-ms-parameter-location": "method" + }, + "GetInsightsEntityQueriesRequestBody": { + "description": "The parameters required to execute insights on the given entity.", + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/EntityGetInsightsParameters" + }, + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "ActivityTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents Activity timeline item.", + "properties": { + "queryId": { + "type": "string", + "description": "The activity query id." + }, + "bucketStartTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket start time." + }, + "bucketEndTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket end time." + }, + "firstActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the first activity in the grouping bucket." + }, + "lastActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the last activity in the grouping bucket." + }, + "content": { + "type": "string", + "description": "The activity timeline content." + }, + "title": { + "type": "string", + "description": "The activity timeline title." + } + }, + "required": [ + "queryId", + "bucketStartTimeUTC", + "bucketEndTimeUTC", + "firstActivityTimeUTC", + "lastActivityTimeUTC", + "content", + "title" + ], + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "BookmarkTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents bookmark timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The bookmark azure resource id." 
+ }, + "displayName": { + "type": "string", + "description": "The bookmark display name." + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The bookmark end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The bookmark start time." + }, + "eventTime": { + "format": "date-time", + "type": "string", + "description": "The bookmark event time." + }, + "createdBy": { + "$ref": "SecurityInsights.json#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "SecurityInsights.json#/definitions/Label" + }, + "type": "array" + } + }, + "required": [ + "azureResourceId" + ], + "type": "object", + "x-ms-discriminator-value": "Bookmark" + }, + "EntityGetInsightsParameters": { + "description": "The parameters required to execute insights operation on the given entity.", + "type": "object", + "properties": { + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "addDefaultExtendedTimeRange": { + "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", + "type": "boolean" + }, + "insightQueryIds": { + "description": "List of Insights Query Id. 
If empty, default value is all insights of this entity", + "type": "array", + "items": { + "description": "Insight Query Id (GUID)", + "format": "uuid", + "type": "string" + } + } + }, + "required": [ + "startTime", + "endTime" + ] + }, + "EntityGetInsightsResponse": { + "description": "The Get Insights result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/GetInsightsResultsMetadata", + "description": "The metadata from the get insights operation results." + }, + "value": { + "description": "The insights result values.", + "items": { + "$ref": "#/definitions/EntityInsightItem" + }, + "type": "array" + } + } + }, + "EntityEdges": { + "description": "The edge that connects the entity to the other entity.", + "properties": { + "targetEntityId": { + "description": "The target entity Id.", + "type": "string" + }, + "additionalData": { + "additionalProperties": { + "type": "object" + }, + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "type": "object" + } + }, + "type": "object" + }, + "EntityExpandParameters": { + "description": "The parameters required to execute an expand operation on the given entity.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" + }, + "startTime": { + "description": "The start date filter, so the only expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + } + }, + "EntityExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": "SecurityInsights.json#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." 
+ }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "SecurityInsights.json#/definitions/Entity" + }, + "type": "array" + }, + "edges": { + "description": "Array of edges that connects the entity to the list of entities.", + "items": { + "$ref": "#/definitions/EntityEdges" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "EntityInsightItem": { + "description": "Entity insight Item.", + "type": "object", + "properties": { + "queryId": { + "type": "string", + "description": "The query id of the insight" + }, + "queryTimeInterval": { + "type": "object", + "description": "The Time interval that the query actually executed on.", + "properties": { + "startTime": { + "format": "date-time", + "type": "string", + "description": "Insight query start time" + }, + "endTime": { + "format": "date-time", + "type": "string", + "description": "Insight query end time" + } + } + }, + "tableQueryResults": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + }, + "chartQueryResults": { + "type": "array", + "description": "Query results for table insights query.", + "items": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." 
+ } + } + } + }, + "EntityList": { + "description": "List of all the entities.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entities.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entities.", + "items": { + "$ref": "SecurityInsights.json#/definitions/Entity" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "EntityTimelineItem": { + "description": "Entity timeline Item.", + "discriminator": "kind", + "type": "object", + "properties": { + "kind": { + "$ref": "#/definitions/EntityTimelineKind", + "description": "The entity query kind type." + } + }, + "required": [ + "kind" + ] + }, + "EntityTimelineResponse": { + "description": "The entity timeline result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/TimelineResultsMetadata", + "description": "The metadata from the timeline operation results." + }, + "value": { + "description": "The timeline result values.", + "items": { + "$ref": "#/definitions/EntityTimelineItem" + }, + "type": "array" + } + } + }, + "EntityTimelineKind": { + "description": "The entity query kind", + "enum": [ + "Activity", + "Bookmark", + "SecurityAlert" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityTimelineKind", + "values": [ + { + "description": "activity", + "value": "Activity" + }, + { + "description": "bookmarks", + "value": "Bookmark" + }, + { + "description": "security alerts", + "value": "SecurityAlert" + } + ] + } + }, + "EntityTimelineParameters": { + "description": "The parameters required to execute s timeline operation on the given entity.", + "properties": { + "kinds": { + "description": "Array of timeline Item kinds.", + "items": { + "$ref": "#/definitions/EntityTimelineKind" + }, + "type": "array" + }, + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + 
"endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "numberOfBucket": { + "description": "The number of bucket for timeline queries aggregation.", + "type": "integer", + "format": "int32" + } + }, + "required": [ + "startTime", + "endTime" + ] + }, + "EntityQueryItem": { + "description": "An abstract Query item for entity", + "type": "object", + "discriminator": "kind", + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/EntityQueryKind" + } + ], + "properties": { + "id": { + "description": "Query Template ARM ID", + "type": "string", + "readOnly": true + }, + "name": { + "description": "Query Template ARM Name", + "type": "string" + }, + "type": { + "description": "ARM Type", + "type": "string" + } + }, + "required": [ + "kind" + ] + }, + "EntityQueryItemProperties": { + "description": "An properties abstract Query item for entity", + "type": "object", + "properties": { + "dataTypes": { + "description": "Data types for template", + "type": "array", + "items": { + "properties": { + "dataType": { + "description": "Data type name", + "type": "string" + } + } + } + }, + "inputEntityType": { + "description": "The type of the entity", + "$ref": "SecurityInsights.json#/definitions/EntityInnerType" + }, + "requiredInputFieldsSets": { + "description": "Data types for template", + "type": "array", + "items": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object" + } + } + }, + "InsightsTableResult": { + "type": "object", + "description": "Query results for table insights query.", + "properties": { + "columns": { + "type": "array", + "description": "Columns Metadata of the table", + "items": { + "properties": { + "type": { + "type": "string", + "description": "the type of the colum" + }, + "name": { + "type": "string", + "description": 
"the name of the colum" + } + } + } + }, + "rows": { + "type": "array", + "description": "Rows data of the table", + "items": { + "type": "array", + "description": "Single row of data", + "items": { + "type": "string", + "description": "Cell in the table" + } + } + } + } + }, + "InsightQueryItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItem" + } + ], + "description": "Represents Insight Query.", + "properties": { + "properties": { + "description": "Properties bag for InsightQueryItem", + "$ref": "#/definitions/InsightQueryItemProperties" + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "InsightQueryItemProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItemProperties" + } + ], + "description": "Represents Insight Query.", + "properties": { + "displayName": { + "type": "string", + "description": "The insight display name." + }, + "description": { + "type": "string", + "description": "The insight description." + }, + "baseQuery": { + "type": "string", + "description": "The base query of the insight." + }, + "tableQuery": { + "type": "object", + "description": "The insight table query.", + "properties": { + "columnsDefinitions": { + "type": "array", + "description": "List of insight column definitions.", + "items": { + "properties": { + "header": { + "type": "string", + "description": "Insight column header." + }, + "outputType": { + "type": "string", + "description": "Insights Column type.", + "enum": [ + "Number", + "String", + "Date", + "Entity" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "outputType" + } + }, + "supportDeepLink": { + "type": "boolean", + "description": "Is query supports deep-link." + } + } + } + }, + "queriesDefinitions": { + "type": "array", + "description": "List of insight queries definitions.", + "items": { + "properties": { + "filter": { + "type": "string", + "description": "Insight column header." 
+ }, + "summarize": { + "type": "string", + "description": "Insight column header." + }, + "project": { + "type": "string", + "description": "Insight column header." + }, + "linkColumnsDefinitions": { + "type": "array", + "description": "Insight column header.", + "items": { + "properties": { + "projectedName": { + "type": "string", + "description": "Insight Link Definition Projected Name." + }, + "Query": { + "type": "string", + "description": "Insight Link Definition Query." + } + } + } + } + } + } + } + } + }, + "chartQuery": { + "type": "object", + "description": "The insight chart query." + }, + "additionalQuery": { + "type": "object", + "description": "The activity query definitions.", + "properties": { + "query": { + "type": "string", + "description": "The insight query." + }, + "text": { + "type": "string", + "description": "The insight text." + } + } + }, + "defaultTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "The padding for the start time of the query." + }, + "afterRange": { + "type": "string", + "description": "The padding for the end time of the query." + } + } + }, + "referenceTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "Additional query time for looking back." 
+ } + } + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "GetInsightsResultsMetadata": { + "description": "Get Insights result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the insights request", + "type": "integer", + "format": "int32" + }, + "errors": { + "description": "information about the failed queries", + "items": { + "$ref": "#/definitions/GetInsightsError" + }, + "type": "array" + } + }, + "required": [ + "totalCount" + ], + "type": "object" + }, + "GetInsightsError": { + "description": "GetInsights Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "type": "string", + "enum": [ + "Insight" + ] + }, + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "GetQueriesResponse": { + "description": "Retrieve queries for entity result operation response.", + "properties": { + "value": { + "description": "The query result values.", + "items": { + "$ref": "#/definitions/EntityQueryItem" + }, + "type": "array" + } + } + }, + "SecurityAlertTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents security alert timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The alert azure resource id." + }, + "productName": { + "type": "string", + "description": "The alert product name." + }, + "description": { + "type": "string", + "description": "The alert description." + }, + "displayName": { + "type": "string", + "description": "The alert name." + }, + "severity": { + "$ref": "SecurityInsights.json#/definitions/AlertSeverity", + "description": "The alert severity." + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert end time." 
+ }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert start time." + }, + "timeGenerated": { + "format": "date-time", + "type": "string", + "description": "The alert generated time." + }, + "alertType": { + "type": "string", + "description": "The name of the alert type." + } + }, + "required": [ + "azureResourceId", + "displayName", + "severity", + "endTimeUtc", + "startTimeUtc", + "timeGenerated", + "alertType" + ], + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" + }, + "TimelineError": { + "description": "Timeline Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + }, + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "TimelineResultsMetadata": { + "description": "Expansion result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the timeline request", + "type": "integer", + "format": "int32" + }, + "aggregations": { + "description": "timeline aggregation per kind", + "items": { + "$ref": "#/definitions/TimelineAggregation" + }, + "type": "array" + }, + "errors": { + "description": "information about the failure queries", + "items": { + "$ref": "#/definitions/TimelineError" + }, + "type": "array" + } + }, + "required": [ + "totalCount", + "aggregations" + ], + "type": "object" + }, + "TimelineAggregation": { + "description": "timeline aggregation information per kind", + "properties": { + "count": { + "description": "the total items found for a kind", + "type": "integer", + "format": "int32" + }, + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + } + }, + "required": [ + "kind", + "count" + ], + "type": "object" + } + } +} 
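Review bot: `EntityTimelineParameters.numberOfBucket` is declared as a bare int32 with no lower bound, so the contract admits 0 and negative bucket counts for an aggregation the service then has to reject or clamp out of band; add `"minimum": 1` (and a `maximum` if the service enforces one) so generated clients validate the value before the call. Two wire names break the file's camelCase convention in a way case-sensitive deserializers will notice: `linkColumnsDefinitions[].Query` against every other camelCase key, and the `...TimeUTC` suffix on `ActivityTimelineItem` against the `...TimeUtc` used by `BookmarkTimelineItem` and `SecurityAlertTimelineItem` — confirm what the service actually emits before renaming either, since a spec-only change would break existing callers. Several descriptions are copy-paste leftovers that document the wrong thing: `filter`, `summarize`, `project` and `linkColumnsDefinitions` all read "Insight column header.", `defaultTimeRange` and `referenceTimeRange` read "The insight chart query.", `chartQueryResults` says "table insights query", and `TimelineResultsMetadata` is described as "Expansion result metadata."; the typos "colum", "execute s timeline" and "execute an timeline" sit in the same area. `GetInsightsError.kind` is an inline `"enum": ["Insight"]` with no `x-ms-enum`, unlike `EntityQueryKindParam`, so SDK generators will emit a closed enum here and an extensible string there for the same value set — give it the same `x-ms-enum` block with `"modelAsString": true`.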
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/OfficeConsents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/OfficeConsents.json
new file mode 100644
index 000000000000..6b215cd58827
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/OfficeConsents.json
@@ -0,0 +1,242 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Insights",
+ "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
+ "version": "2019-01-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "security": [
+ {
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }
+ ],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": {
+ "get": {
+ "x-ms-examples": {
+ "Get all office consents.": {
+ "$ref": "./examples/officeConsents/GetOfficeConsents.json"
+ }
+ },
+ "tags": [
+ "Office Consents"
+ ],
+ "description": "Gets all office365 consents.",
+ "operationId": "OfficeConsents_List",
+ "parameters": [
+ {
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/OfficeConsentList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": {
+ "get": {
+ "x-ms-examples": {
+ "Get an office consent.": {
+ "$ref": "./examples/officeConsents/GetOfficeConsentsById.json"
+ }
+ },
+ "tags": [
+ "Office Consents"
+ ],
+ "description": "Gets an office365 consent.",
+ "operationId": "OfficeConsents_Get",
+ "parameters": [
+ {
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ConsentId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/OfficeConsent"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete an office consent.": {
+ "$ref": "./examples/officeConsents/DeleteOfficeConsents.json"
+ }
+ },
+ "tags": [
+ "Office Consents"
+ ],
+ "description": "Delete the office365 consent.",
+ "operationId": "OfficeConsents_Delete",
+ "parameters": [
+ {
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ConsentId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "ConsentId": {
+ "description": "consent ID",
+ "in": "path",
+ "name": "consentId",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ }
+ },
+ "definitions": {
+ "OfficeConsent": {
+ "allOf": [
+ {
+ "$ref": "SecurityInsights.json#/definitions/Resource"
+ }
+ ],
+ "description": "Consent for Office365 tenant that already made.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/OfficeConsentProperties",
+ "description": "Office consent properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "OfficeConsentList": {
+ "description": "List of all the office365 consents.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of office consents.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of the consents.",
+ "items": {
+ "$ref": "#/definitions/OfficeConsent"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "OfficeConsentProperties": {
+ "description": "Consent property bag.",
+ "properties": {
+ "tenantId": {
+ "description": "The tenantId of the Office365 with the consent.",
+ "type": "string"
+ },
+ "consentId": {
+ "description": "Help to easily cascade among the data layers.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 2870b982fb0f..8a4e58460b43 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
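Review bot: `OfficeConsentList` is the only definition in this new file without `"type": "object"`; `OfficeConsent` and `OfficeConsentProperties` both declare it, and the ARM spec linter generally expects every object schema to be typed. Add `"type": "object"` after the `required` array so the list schema matches its siblings. The `consentId` property description, `Help to easily cascade among the data layers.`, says nothing about what the value is; `The unique identifier of the Office365 consent.` would tell a client what to expect. The `OfficeConsent` description `Consent for Office365 tenant that already made.` reads awkwardly — `Consent already granted for an Office365 tenant.` says the same thing clearly.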
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -573,19 +573,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { "get": { "x-ms-examples": { - "Get all cases.": { - "$ref": "./examples/cases/GetCases.json" + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" } }, "tags": [ - "Cases" + "Data Connectors" ], - "description": "Gets all cases.", - "deprecated": true, - "operationId": "Cases_List", + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -601,25 +600,13 @@ }, { "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/CaseList" + "$ref": "#/definitions/DataConnectorList" } }, "default": { 
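Review bot: The removed `Cases_List` operation carried `"deprecated": true`, as do `Cases_Get`, `Cases_CreateOrUpdate`, `Cases_Delete`, `Comments_ListByCase`, `Cases_GetComment`, `CaseComments_CreateComment` and the `CaseRelations_*` operations removed in the following hunks. These operations are presumably being moved into the new Cases.json, which is outside this view, so please confirm the `deprecated` flag travels with each of them; if it is dropped in the move, generated SDKs silently stop marking the operations obsolete. The `dataConnectors` lines shown as added here appear to be existing content re-aligned by the diff rather than new operations, so they are not reviewed as new code.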
@@ -634,19 +621,54 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { "get": { "x-ms-examples": { - "Get a case.": { - "$ref": "./examples/cases/GetCaseById.json" + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a TI Taxii data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" + }, + "Get a MCAS data connector.": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector.": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector.": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector.": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector.": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + }, + "Get a Office ATP data connector": { + "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" + }, + "Get a Dynamics365 data connector": { + "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" + }, + "Get a MicrosoftThreatProtection data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" + }, + "Get a 
MicrosoftThreatIntelligence data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" } }, "tags": [ - "Cases" + "Data Connectors" ], - "description": "Gets a case.", - "deprecated": true, - "operationId": "Cases_Get", + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -664,14 +686,14 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" + "$ref": "#/parameters/DataConnectorId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/Case" + "$ref": "#/definitions/DataConnector" } }, "default": { @@ -684,16 +706,24 @@ }, "put": { "x-ms-examples": { - "Creates or updates a case.": { - "$ref": "./examples/cases/CreateCase.json" + "Creates or updates an Office365 data connector.": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + }, + "Creates or updates a Threat Intelligence Taxii data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" + }, + "Creates or updates an Threat Intelligence Platform data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + }, + "Creates or updates a Dynamics365 data connector.": { + "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" } }, "tags": [ - "Cases" + "Data Connectors" ], - "description": "Creates or updates the case.", - "deprecated": true, - "operationId": "Cases_CreateOrUpdate", + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
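Review bot: The `x-ms-examples` keys under `DataConnectors_Get` and `DataConnectors_CreateOrUpdate` are inconsistently punctuated and worded: `Get a MDATP data connector`, `Get a Office ATP data connector`, `Get a Dynamics365 data connector`, `Get a MicrosoftThreatProtection data connector` and `Get a MicrosoftThreatIntelligence data connector` lack the trailing period the others have, and `Get a ASC data connector.`, `Get a Office ATP data connector` and `Creates or updates an Threat Intelligence Platform data connector.` use the wrong article. These keys surface as example titles in generated documentation, so normalising them to the `Get an Office ATP data connector.` form is worth doing. If these lines are merely re-aligned by the diff, the wording predates this commit, but the file is being reorganised anyway.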
@@ -711,23 +741,23 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" + "$ref": "#/parameters/DataConnectorId" }, { - "$ref": "#/parameters/Case" + "$ref": "#/parameters/DataConnector" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/Case" + "$ref": "#/definitions/DataConnector" } }, "201": { "description": "Created", "schema": { - "$ref": "#/definitions/Case" + "$ref": "#/definitions/DataConnector" } }, "default": { @@ -740,16 +770,15 @@ }, "delete": { "x-ms-examples": { - "Delete a case.": { - "$ref": "./examples/cases/DeleteCase.json" + "Delete an Office365 data connector.": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" } }, "tags": [ - "Cases" + "Data Connectors" ], - "description": "Delete the case.", - "deprecated": true, - "operationId": "Cases_Delete", + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -767,7 +796,7 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" + "$ref": "#/parameters/DataConnectorId" } ], "responses": { 
@@ -786,19 +815,51 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/comments": { - "get": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { + "post": { "x-ms-examples": { - "Get all case comments.": { - "$ref": "./examples/cases/comments/GetAllCaseComments.json" + "Check requirements for TI.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" + }, + "Check requirements for TI Taxii.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" + }, + "Check requirements for AAD.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" + }, + "Check requirements for AAD - no license.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" + }, + "Check requirements for AAD - no authorization.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" + }, + "Check requirements for ASC.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" + }, + "Check requirements for Mcas.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" + }, + "Check requirements for Mdatp.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" + }, + "Check requirements for OfficeATP.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" + }, + "Check requirements for Dynamics365.": { + "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" + }, + "Check requirements for MicrosoftThreatProtection.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" + }, + 
"Check requirements for MicrosoftThreatIntelligence.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" } }, "tags": [ - "CaseComments" + "Check Data Connector Requirements" ], - "description": "Gets all case comments.", - "deprecated": true, - "operationId": "Comments_ListByCase", + "description": "Get requirements state for a data connector type.", + "operationId": "DataConnectorsCheckRequirements_Post", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -809,33 +870,21 @@ { "$ref": "#/parameters/ResourceGroupName" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, { "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, { - "$ref": "#/parameters/ODataSkipToken" + "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/CaseCommentList" + "$ref": "#/definitions/DataConnectorRequirementsState" } }, "default": { 
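Review bot: `DataConnectorsCheckRequirements_Post` lists `WorkspaceName` before `OperationalInsightsResourceProvider`, the reverse of the order in its own path template and of every other operation in this file, which reference the provider segment first. SDK generators emit method parameters in the listed order, so this operation's signature differs from its neighbours for no reason; swapping the two `$ref` entries fixes it. If this block is existing content re-aligned by the diff, the inconsistency predates the commit, but it is cheap to correct while the file is being reorganised.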
@@ -844,26 +893,21 @@ "$ref": "#/definitions/CloudError" } } - }, - "x-ms-odata": "#/definitions/CaseComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/comments/{caseCommentId}": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": { "get": { "x-ms-examples": { - "Get a case comment.": { - "$ref": "./examples/cases/comments/GetCaseCommentById.json" + "Get EyesOn settings.": { + "$ref": "./examples/settings/GetAllSettings.json" } }, "tags": [ - "CaseComments" + "Settings" ], - "description": "Gets a case comment.", - "deprecated": true, - "operationId": "Cases_GetComment", + "description": "List of all the settings", + "operationId": "ProductSettings_GetAll", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -879,19 +923,13 @@ }, { "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/CaseCommentId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/CaseComment" + "$ref": "#/definitions/SettingList" } }, "default": { 
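Review bot: The example key for `ProductSettings_GetAll` is `Get EyesOn settings.`, the same title used for the single-setting `ProductSettings_Get` in the next hunk, while the referenced file is `GetAllSettings.json`; renaming the key to `Get all settings.` avoids two identically titled examples in the generated docs. The description `List of all the settings` is the only one here without a terminal period and reads as a noun phrase rather than an action — `Gets all settings.` matches the file's convention.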
@@ -901,19 +939,20 @@ } } } - }, - "put": { + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": { + "get": { "x-ms-examples": { - "Creates or updates a case comment.": { - "$ref": "./examples/cases/comments/CreateCaseComment.json" + "Get EyesOn settings.": { + "$ref": "./examples/settings/GetEyesOnSetting.json" } }, "tags": [ - "CaseComments" + "Settings" ], - "description": "Creates the case comment.", - "deprecated": true, - "operationId": "CaseComments_CreateComment", + "description": "Gets a setting.", + "operationId": "ProductSettings_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -931,20 +970,14 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/CaseCommentId" - }, - { - "$ref": "#/parameters/CaseComment" + "$ref": "#/parameters/SettingsName" } ], "responses": { - "201": { - "description": "Created", + "200": { + "description": "OK", "schema": { - "$ref": "#/definitions/CaseComment" + "$ref": "#/definitions/Settings" } }, "default": { @@ -954,20 +987,18 @@ } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { - "get": { + }, + "delete": { "x-ms-examples": { - "Get all bookmarks.": { - "$ref": "./examples/bookmarks/GetBookmarks.json" + "Delete EyesOn settings.": { + "$ref": "./examples/settings/DeleteEyesOnSetting.json" } }, "tags": [ - "Bookmarks" + "Settings" ], - "description": "Gets all bookmarks.", - "operationId": "Bookmarks_List", + "description": "Delete setting of the product.", + "operationId": "ProductSettings_Delete", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -983,14 +1014,17 @@ }, { "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" } ], "responses": { "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/BookmarkList" - } + "description": "OK" + }, + "204": { + "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", @@ -998,24 +1032,19 @@ "$ref": "#/definitions/CloudError" } } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { - "get": { + }, + "put": { "x-ms-examples": { - "Get a bookmark.": { - "$ref": "./examples/bookmarks/GetBookmarkById.json" + "Update EyesOn settings.": { + "$ref": "./examples/settings/UpdateEyesOnSetting.json" } }, "tags": [ - "Bookmarks" + "Settings" ], - "description": "Gets a bookmark.", - "operationId": "Bookmarks_Get", + "description": "Updates setting.", + "operationId": "ProductSettings_Update", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1033,14 +1062,17 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/SettingsName" + }, + { + "$ref": "#/parameters/Settings" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/Bookmark" + "$ref": "#/definitions/Settings" } }, "default": { 
@@ -1050,18 +1082,20 @@ } } } - }, - "put": { + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { + "get": { "x-ms-examples": { - "Creates or updates a bookmark.": { - "$ref": "./examples/bookmarks/CreateBookmark.json" + "Get all entity queries.": { + "$ref": "./examples/entityQueries/GetEntityQueries.json" } }, "tags": [ - "Bookmarks" + "EntityQueries" ], - "description": "Creates or updates the bookmark.", - "operationId": "Bookmarks_CreateOrUpdate", + "description": "Gets all entity queries.", + "operationId": "EntityQueries_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1077,25 +1111,13 @@ }, { "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/Bookmark" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Bookmark" + "$ref": "#/definitions/EntityQueryList" } }, "default": { @@ -1104,19 +1126,24 @@ "$ref": "#/definitions/CloudError" } } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "delete": { + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { + "get": { "x-ms-examples": { - "Delete a bookmark.": { - "$ref": "./examples/bookmarks/DeleteBookmark.json" + "Get an entity query.": { + "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json" } }, "tags": [ - "Bookmarks" + "EntityQueries" ], - "description": "Delete the bookmark.", - "operationId": "Bookmarks_Delete", + "description": "Gets an entity query.", + "operationId": "EntityQueries_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1134,15 +1161,15 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/EntityQueryId" } ], "responses": { "200": { - "description": "OK" - }, - "204": { - "description": "No Content" + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQuery" + } }, "default": { "description": "Error response describing why the operation failed.", @@ -1153,19 +1180,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { "get": { "x-ms-examples": { - "Get all case relations.": { - "$ref": "./examples/cases/relations/GetAllCaseRelations.json" + "Get all incidents.": { + "$ref": "./examples/incidents/GetIncidents.json" } }, "tags": [ - "CaseRelations" + "Incidents" ], - "description": "Gets all case relations.", - "deprecated": true, - "operationId": "CaseRelations_List", + "description": "Gets all incidents.", + "operationId": "Incidents_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1182,9 +1208,6 @@ { "$ref": "#/parameters/WorkspaceName" }, - { - "$ref": "#/parameters/CaseId" - }, { "$ref": "#/parameters/ODataFilter" }, @@ -1202,7 +1225,7 @@ "200": { "description": "OK", "schema": { - "$ref": "#/definitions/CaseRelationList" + "$ref": "#/definitions/IncidentList" } }, "default": { 
@@ -1212,25 +1235,23 @@ } } }, - "x-ms-odata": "#/definitions/CaseRelation", "x-ms-pageable": { "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations/{relationName}": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { "get": { "x-ms-examples": { - "Get a case relation.": { - "$ref": "./examples/cases/relations/GetCaseRelationByName.json" + "Get an incident.": { + "$ref": "./examples/incidents/GetIncidentById.json" } }, "tags": [ - "CaseRelations" + "Incidents" ], - "description": "Gets a case relation.", - "deprecated": true, - "operationId": "CaseRelations_GetRelation", + "description": "Gets an incident.", + "operationId": "Incidents_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1248,17 +1269,14 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" + "$ref": "#/parameters/IncidentId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/CaseRelation" + "$ref": "#/definitions/Incident" } }, "default": { @@ -1271,16 +1289,15 @@ }, "put": { "x-ms-examples": { - "Creates or updates a case relation.": { - "$ref": "./examples/cases/relations/CreateCaseRelation.json" + "Creates or updates an incident.": { + "$ref": "./examples/incidents/CreateIncident.json" } }, "tags": [ - "CaseRelations" + "Incidents" ], - "description": "Creates or updates the case relation.", - "deprecated": true, - "operationId": "CaseRelations_CreateOrUpdateRelation", + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1298,26 +1315,23 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/RelationInputModel" + "$ref": "#/parameters/Incident" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/CaseRelation" + "$ref": "#/definitions/Incident" } }, "201": { "description": "Created", "schema": { - "$ref": "#/definitions/CaseRelation" + "$ref": "#/definitions/Incident" } }, "default": { @@ -1330,16 +1344,15 @@ }, "delete": { "x-ms-examples": { - "Delete the case relation.": { - "$ref": "./examples/cases/relations/DeleteCaseRelation.json" + "Delete an incident.": { + "$ref": "./examples/incidents/DeleteIncident.json" } }, "tags": [ - "CaseRelations" + "Incidents" ], - "description": "Delete the case relation.", - "deprecated": true, - "operationId": "CaseRelations_DeleteRelation", + "description": "Delete the incident.", + "operationId": "Incidents_Delete", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1357,10 +1370,7 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" + "$ref": "#/parameters/IncidentId" } ], "responses": { 
@@ -1379,18 +1389,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { - "get": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { + "post": { "x-ms-examples": { - "Get all bookmark relations.": { - "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" + "Get all incident alerts.": { + "$ref": "./examples/incidents/GetAllIncidentAlerts.json" } }, "tags": [ - "BookmarkRelations" + "IncidentAlerts" ], - "description": "Gets all bookmark relations.", - "operationId": "BookmarkRelations_List", + "description": "Gets all incident alerts.", + "operationId": "Incidents_ListOfAlerts", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1408,26 +1418,62 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentAlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { + "post": { + "x-ms-examples": { + "Get all incident bookmarks.": { + "$ref": "./examples/incidents/GetAllIncidentBookmarks.json" + } + }, + "tags": [ + "IncidentBookmarks" + ], + "description": "Gets all incident bookmarks.", + "operationId": "Incidents_ListOfBookmarks", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/ODataFilter" + "$ref": "#/parameters/SubscriptionId" }, { - "$ref": "#/parameters/ODataOrderBy" + "$ref": "#/parameters/ResourceGroupName" }, { - "$ref": "#/parameters/ODataTop" + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, { - "$ref": "#/parameters/ODataSkipToken" + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/RelationList" + "$ref": "#/definitions/IncidentBookmarkList" } }, "default": { 
@@ -1436,22 +1482,21 @@ "$ref": "#/definitions/CloudError" } } - }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { - "post": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { + "get": { "x-ms-examples": { - "Expand an bookmark": { - "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" + "Get all incident comments.": { + "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" } }, - "description": "Expand an bookmark", - "operationId": "Bookmark_Expand", + "tags": [ + "IncidentComments" + ], + "description": "Gets all incident comments.", + "operationId": "IncidentComments_ListByIncident", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1469,17 +1514,26 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" }, { - "$ref": "#/parameters/BookmarkExpandRequestBody" + "$ref": "#/parameters/ODataSkipToken" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/BookmarkExpandResponse" + "$ref": "#/definitions/IncidentCommentList" } }, "default": { 
@@ -1489,23 +1543,24 @@ } } }, - "tags": [ - "Bookmark" - ] + "x-ms-odata": "#/definitions/IncidentComment", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { "get": { "x-ms-examples": { - "Get a bookmark relation.": { - "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" + "Get an incident comment.": { + "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" } }, "tags": [ - "BookmarkRelations" + "IncidentComments" ], - "description": "Gets a bookmark relation.", - "operationId": "BookmarkRelations_GetRelation", + "description": "Gets an incident comment.", + "operationId": "IncidentComments_GetComment", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1523,17 +1578,17 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/RelationName" + "$ref": "#/parameters/IncidentCommentId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/Relation" + "$ref": "#/definitions/IncidentComment" } }, "default": { 
@@ -1546,15 +1601,15 @@ }, "put": { "x-ms-examples": { - "Creates or updates a bookmark relation.": { - "$ref": "./examples/bookmarks/relations/CreateBookmarkRelation.json" + "Creates or updates an incident comment.": { + "$ref": "./examples/incidents/comments/CreateIncidentComment.json" } }, "tags": [ - "BookmarkRelations" + "IncidentComments" ], - "description": "Creates the bookmark relation.", - "operationId": "BookmarkRelations_CreateOrUpdateRelation", + "description": "Creates or updates the incident comment.", + "operationId": "IncidentComments_CreateComment", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1572,26 +1627,26 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/RelationName" + "$ref": "#/parameters/IncidentCommentId" }, { - "$ref": "#/parameters/Relation" + "$ref": "#/parameters/IncidentComment" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/Relation" + "$ref": "#/definitions/IncidentComment" } }, "201": { "description": "Created", "schema": { - "$ref": "#/definitions/Relation" + "$ref": "#/definitions/IncidentComment" } }, "default": { @@ -1604,15 +1659,15 @@ }, "delete": { "x-ms-examples": { - "Delete the bookmark relation.": { - "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" + "Delete the incident comment.": { + "$ref": "./examples/incidents/comments/DeleteIncidentComment.json" } }, "tags": [ - "BookmarkRelations" + "IncidentComments" ], - "description": "Delete the bookmark relation.", - "operationId": "BookmarkRelations_DeleteRelation", + "description": "Delete the incident comment.", + "operationId": "IncidentComments_DeleteComment", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1630,10 +1685,10 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/BookmarkId" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/RelationName" + "$ref": "#/parameters/IncidentCommentId" } ], "responses": { @@ -1652,18 +1707,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": { - "get": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { + "post": { "x-ms-examples": { - "Get geodata for a single IP address": { - "$ref": "./examples/enrichment/GetGeodataByIp.json" + "Gets all incident related entities": { + "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json" } }, "tags": [ - "Enrichment" + "IncidentEntities" ], - "description": "Get geodata for a single IP address", - "operationId": "IPGeodata_Get", + "description": "Gets all incident related entities.", + "operationId": "Incidents_ListOfEntities", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1675,18 +1730,24 @@ "$ref": "#/parameters/ResourceGroupName" }, { - "$ref": "#/parameters/EnrichmentIpAddress" + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/EnrichmentIpGeodata" + "$ref": "#/definitions/IncidentEntitiesResponse" } }, "default": { - "description": "Error response describing why the operation failed to enrich this ip.", + "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/CloudError" } 
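Review bot: The new `/incidents/{incidentId}/entities` operation is tagged `"IncidentEntities"` but its operationId is `"Incidents_ListOfEntities"`, so documentation will group it under IncidentEntities while generated SDKs put the method on the Incidents client; every other operation in these hunks keeps the operationId prefix equal to its tag (for example `IncidentComments_…` under `"IncidentComments"`). Either `"operationId": "IncidentEntities_List"` or `"tags": ["Incidents"]` would make the two agree, subject to the same SDK-compatibility caveat as any operationId rename. The operation is also a `post` that returns `IncidentEntitiesResponse` with no request body parameter in the visible list, so a one-line note in the description explaining why a read is modelled as POST would save consumers a question. The enclosing path object continues past this hunk.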
@@ -1694,18 +1755,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { "get": { "x-ms-examples": { - "Get whois information for a single domain name": { - "$ref": "./examples/enrichment/GetWhoisByDomainName.json" + "Get all incident relations.": { + "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" } }, "tags": [ - "Enrichment" + "IncidentRelations" ], - "description": "Get whois information for a single domain name", - "operationId": "DomainWhois_Get", + "description": "Gets all incident relations.", + "operationId": "IncidentRelations_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1717,37 +1778,59 @@ "$ref": "#/parameters/ResourceGroupName" }, { - "$ref": "#/parameters/EnrichmentDomain" + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/EnrichmentDomainWhois" + "$ref": "#/definitions/RelationList" } }, "default": { - "description": "Error response describing why the operation failed to enrich this domain.", + "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/CloudError" } } + }, + "x-ms-odata": "#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { "get": { "x-ms-examples": { - "Get all data connectors.": { - "$ref": "./examples/dataConnectors/GetDataConnectors.json" + "Get an incident relation.": { + "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" } }, "tags": [ - "Data Connectors" + "IncidentRelations" ], - "description": "Gets all data connectors.", - "operationId": "DataConnectors_List", + "description": "Gets an incident relation.", + "operationId": "IncidentRelations_GetRelation", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1763,13 +1846,19 @@ }, { "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/RelationName" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/DataConnectorList" + "$ref": "#/definitions/Relation" } }, "default": { 
@@ -1778,60 +1867,19 @@ "$ref": "#/definitions/CloudError" } } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { - "get": { + }, + "put": { "x-ms-examples": { - "Get an Office365 data connector.": { - "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" - }, - "Get a TI data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" - }, - "Get a TI Taxii data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" - }, - "Get a MCAS data connector.": { - "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" - }, - "Get a ASC data connector.": { - "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" - }, - "Get an AAD data connector.": { - "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" - }, - "Get an AwsCloudTrail data connector.": { - "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" - }, - "Get an AATP data connector.": { - "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" - }, - "Get a MDATP data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" - }, - "Get a Office ATP data connector": { - "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" - }, - "Get a Dynamics365 data connector": { - "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" - }, - "Get a MicrosoftThreatProtection data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" - }, - "Get a MicrosoftThreatIntelligence data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" + "Creates or updates an incident 
relation.": { + "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" } }, "tags": [ - "Data Connectors" + "IncidentRelations" ], - "description": "Gets a data connector.", - "operationId": "DataConnectors_Get", + "description": "Creates or updates the incident relation.", + "operationId": "IncidentRelations_CreateOrUpdateRelation", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -1849,78 +1897,26 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/DataConnectorId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an Office365 data connector.": { - "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" - }, - "Creates or updates a Threat Intelligence Taxii data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" - }, - "Creates or updates an Threat Intelligence Platform data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" - }, - "Creates or updates a Dynamics365 data connector.": { - "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Creates or updates the data connector.", - "operationId": "DataConnectors_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "$ref": "#/parameters/IncidentId" }, { - "$ref": "#/parameters/DataConnectorId" + "$ref": "#/parameters/RelationName" }, { - "$ref": "#/parameters/DataConnector" + "$ref": "#/parameters/Relation" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Relation" } }, "201": { "description": "Created", "schema": { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Relation" } }, "default": { 
@@ -1933,15 +1929,15 @@ }, "delete": { "x-ms-examples": { - "Delete an Office365 data connector.": { - "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + "Delete the incident relation.": { + "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json" } }, "tags": [ - "Data Connectors" + "IncidentRelations" ], - "description": "Delete the data connector.", - "operationId": "DataConnectors_Delete", + "description": "Delete the incident relation.", + "operationId": "IncidentRelations_DeleteRelation", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -1959,7 +1955,10 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/DataConnectorId" + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/RelationName" } ], "responses": { 
@@ -1978,51 +1977,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { - "post": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { + "get": { "x-ms-examples": { - "Check requirements for TI.": { - "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" - }, - "Check requirements for TI Taxii.": { - "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" - }, - "Check requirements for AAD.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" - }, - "Check requirements for AAD - no license.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" - }, - "Check requirements for AAD - no authorization.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" - }, - "Check requirements for ASC.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" - }, - "Check requirements for Mcas.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" - }, - "Check requirements for Mdatp.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" - }, - "Check requirements for OfficeATP.": { - "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" - }, - "Check requirements for Dynamics365.": { - "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" - }, - "Check requirements for MicrosoftThreatProtection.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" - }, - "Check requirements for MicrosoftThreatIntelligence.": { - "$ref": 
"./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" + "Get all watchlists.": { + "$ref": "./examples/watchlists/GetWatchlists.json" } }, "tags": [ - "Check Data Connector Requirements" + "Watchlists" ], - "description": "Get requirements state for a data connector type.", - "operationId": "DataConnectorsCheckRequirements_Post", + "description": "Gets all watchlists, without watchlist items.", + "operationId": "Watchlists_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -2033,21 +1999,18 @@ { "$ref": "#/parameters/ResourceGroupName" }, - { - "$ref": "#/parameters/WorkspaceName" - }, { "$ref": "#/parameters/OperationalInsightsResourceProvider" }, { - "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" + "$ref": "#/parameters/WorkspaceName" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/DataConnectorRequirementsState" + "$ref": "#/definitions/WatchlistList" } }, "default": { @@ -2056,21 +2019,24 @@ "$ref": "#/definitions/CloudError" } } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { "get": { "x-ms-examples": { - "Get all entities.": { - "$ref": "./examples/entities/GetEntities.json" + "Get a watchlist.": { + "$ref": "./examples/watchlists/GetWatchlistByAlias.json" } }, "tags": [ - "Entities" + "Watchlists" ], - "description": "Gets all entities.", - "operationId": "Entities_List", + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "Watchlists_Get", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -2086,13 +2052,16 @@ }, { "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/EntityList" + "$ref": "#/definitions/Watchlist" } }, "default": { 
@@ -2101,81 +2070,19 @@ "$ref": "#/definitions/CloudError" } } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { - "get": { + }, + "delete": { "x-ms-examples": { - "Get an account entity.": { - "$ref": "./examples/entities/GetAccountEntityById.json" - }, - "Get a host entity.": { - "$ref": "./examples/entities/GetHostEntityById.json" - }, - "Get a file entity.": { - "$ref": "./examples/entities/GetFileEntityById.json" - }, - "Get a security alert entity.": { - "$ref": "./examples/entities/GetSecurityAlertEntityById.json" - }, - "Get a file hash entity.": { - "$ref": "./examples/entities/GetFileHashEntityById.json" - }, - "Get a malware entity.": { - "$ref": "./examples/entities/GetMalwareEntityById.json" - }, - "Get a security group entity.": { - "$ref": "./examples/entities/GetSecurityGroupEntityById.json" - }, - "Get an azure resource entity.": { - "$ref": "./examples/entities/GetAzureResourceEntityById.json" - }, - "Get a cloud application entity.": { - "$ref": "./examples/entities/GetCloudApplicationEntityById.json" - }, - "Get a process entity.": { - "$ref": "./examples/entities/GetProcessEntityById.json" - }, - "Get a dns entity.": { - "$ref": "./examples/entities/GetDnsEntityById.json" - }, - "Get an ip entity.": { - "$ref": "./examples/entities/GetIpEntityById.json" - }, - "Get a registry key entity.": { - "$ref": "./examples/entities/GetRegistryKeyEntityById.json" - }, - "Get a registry value entity.": { - "$ref": "./examples/entities/GetRegistryValueEntityById.json" - }, - "Get a url entity.": { - "$ref": "./examples/entities/GetUrlEntityById.json" - }, - "Get an IoT device entity.": { - "$ref": "./examples/entities/GetIoTDeviceEntityById.json" - }, - "Get a mailCluster entity.": { - "$ref": 
"./examples/entities/GetMailClusterEntityById.json" - }, - "Get a mailbox entity.": { - "$ref": "./examples/entities/GetMailboxEntityById.json" - }, - "Get a mailMessage entity.": { - "$ref": "./examples/entities/GetMailMessageEntityById.json" - }, - "Get a submissionMail entity.": { - "$ref": "./examples/entities/GetSubmissionMailEntityById.json" + "Delete a watchlist.": { + "$ref": "./examples/watchlists/DeleteWatchlist.json" } }, "tags": [ - "Entities" + "Watchlists" ], - "description": "Gets an entity.", - "operationId": "Entities_Get", + "description": "Delete a watchlist.", + "operationId": "Watchlists_Delete", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -2193,15 +2100,15 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/EntityId" + "$ref": "#/parameters/WatchlistAlias" } ], "responses": { "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Entity" - } + "description": "OK" + }, + "204": { + "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", 
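Review bot: `Watchlists_Delete` on `/watchlists/{watchlistAlias}` is documented only as `"Delete a watchlist."`, and the spec does not state what happens to the watchlist's items, which are a separate sub-resource (`/watchlists/{watchlistAlias}/watchlistItems`). If deleting the watchlist removes all of its items, the description should say so, e.g. `"description": "Delete a watchlist and all of its watchlist items.",`; if the items must be deleted first, the description should state that instead. I cannot tell which from the hunk, so please confirm against the service behaviour before choosing the wording.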
@@ -2210,20 +2117,18 @@ } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { - "post": { + }, + "put": { "x-ms-examples": { - "Expand an entity": { - "$ref": "./examples/entities/expand/PostExpandEntity.json" + "Creates a watchlist.": { + "$ref": "./examples/watchlists/CreateWatchlist.json" } }, "tags": [ - "Entities" + "Watchlists" ], - "description": "Expands an entity.", - "operationId": "Entities_Expand", + "description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint twice : the first call will create an empty Watchlist, and the second one will create its Items.", + "operationId": "Watchlists_Create", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -2241,17 +2146,23 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/EntityId" + "$ref": "#/parameters/WatchlistAlias" }, { - "$ref": "#/parameters/EntityExpandRequestBody" + "$ref": "#/parameters/Watchlist" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/EntityExpandResponse" + "$ref": "#/definitions/Watchlist" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Watchlist" } }, "default": { 
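Review bot: The `Watchlists_Create` description mentions bulk creation "e.g. through text/csv content type", but the only body parameter listed in this hunk is `#/parameters/Watchlist` and no `consumes` is visible for the operation, so a client generated from the spec has no way to learn that a CSV body is accepted; if the service does accept `text/csv`, declare it in `consumes` for this operation, and if it does not, drop the remark. The prose also reads awkwardly for an API description ("we should call this endpoint twice :"); suggested wording: `"description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). To create a watchlist and its items, call this endpoint twice: the first call creates an empty watchlist, the second call creates its items.",`. Separately, the operationId is `Watchlists_Create` although the PUT declares both `200 OK` and `201 Created` responses, which implies update semantics; the sibling `WatchlistItems_CreateOrUpdate` uses the conventional name.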
@@ -2263,18 +2174,18 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { - "post": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { + "get": { "x-ms-examples": { - "Entity timeline": { - "$ref": "./examples/entities/timeline/PostTimelineEntity.json" + "Get all watchlist Items.": { + "$ref": "./examples/watchlists/GetWatchlistItems.json" } }, "tags": [ - "Entities" + "WatchlistItems" ], - "description": "Timeline for an entity.", - "operationId": "EntitiesGetTimeline_list", + "description": "Gets all watchlist Items.", + "operationId": "WatchlistItems_List", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -2292,17 +2203,14 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/EntityTimelineRequestBody" + "$ref": "#/parameters/WatchlistAlias" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/EntityTimelineResponse" + "$ref": "#/definitions/WatchlistItemList" } }, "default": { 
@@ -2311,22 +2219,25 @@ "$ref": "#/definitions/CloudError" } } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { "get": { "x-ms-examples": { - "Get Entity Query": { - "$ref": "./examples/entities/GetQueries.json" + "Get a watchlist item.": { + "$ref": "./examples/watchlists/GetWatchlistItemById.json" } }, "tags": [ - "Entities" + "WatchlistItems" ], - "description": "Get Insights and Activities for an entity.", - "operationId": "Entities_Queries", - "parameters": [ + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "WatchlistItems_Get", + "parameters": [ { "$ref": "#/parameters/ApiVersion" }, @@ -2343,17 +2254,17 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/EntityId" + "$ref": "#/parameters/WatchlistAlias" }, { - "$ref": "#/parameters/EntityQueryKindParam" + "$ref": "#/parameters/WatchlistItemId" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/GetQueriesResponse" + "$ref": "#/definitions/WatchlistItem" } }, "default": { 
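Review bot: The description of `WatchlistItems_Get` on `/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}` is copied from the watchlist operation: it reads `"Gets a watchlist, without its watchlist items."` although the operation returns `#/definitions/WatchlistItem`. Change it to `"description": "Gets a watchlist item.",` so the generated reference documentation and SDK doc comments describe the right resource.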
@@ -2363,20 +2274,18 @@ } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { - "post": { + }, + "delete": { "x-ms-examples": { - "Entity Insight": { - "$ref": "./examples/entities/insights/PostGetInsights.json" + "Delete a watchlist Item.": { + "$ref": "./examples/watchlists/DeleteWatchlistItem.json" } }, "tags": [ - "Entities" + "WatchlistItems" ], - "description": "Execute Insights for an entity.", - "operationId": "Entities_GetInsights", + "description": "Delete a watchlist item.", + "operationId": "WatchlistItems_Delete", "parameters": [ { "$ref": "#/parameters/ApiVersion" @@ -2394,18 +2303,18 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/EntityId" + "$ref": "#/parameters/WatchlistAlias" }, { - "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + "$ref": "#/parameters/WatchlistItemId" } ], "responses": { "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityGetInsightsResponse" - } + "description": "OK" + }, + "204": { + "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", 
@@ -2414,20 +2323,18 @@ } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { - "get": { + }, + "put": { "x-ms-examples": { - "Get all relations of an entity.": { - "$ref": "./examples/entities/relations/GetAllEntityRelations.json" + "Creates or updates a watchlist item.": { + "$ref": "./examples/watchlists/CreateWatchlistItem.json" } }, "tags": [ - "EntityRelations" + "WatchlistItems" ], - "description": "Gets all relations of an entity.", - "operationId": "EntitiesRelations_List", + "description": "Creates or updates a watchlist item.", + "operationId": "WatchlistItems_CreateOrUpdate", "parameters": [ { "$ref": "#/parameters/ApiVersion" 
@@ -2445,81 +2352,26 @@ "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" + "$ref": "#/parameters/WatchlistAlias" }, { - "$ref": "#/parameters/ODataTop" + "$ref": "#/parameters/WatchlistItemId" }, { - "$ref": "#/parameters/ODataSkipToken" + "$ref": "#/parameters/WatchlistItem" } ], "responses": { "200": { "description": "OK", "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "$ref": "#/definitions/WatchlistItem" } - } - }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get an entity relation.": { - "$ref": "./examples/entities/relations/GetEntityRelationByName.json" - } - }, - "tags": [ - "EntityRelations" - ], - "description": "Gets an entity relation.", - "operationId": "EntityRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", + "201": { + "description": "Created", "schema": { - "$ref": "#/definitions/Relation" + "$ref": "#/definitions/WatchlistItem" } }, "default": { 
@@ -2530,7581 +2382,2228 @@ } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": { - "get": { - "x-ms-examples": { - "Get all office consents.": { - "$ref": "./examples/officeConsents/GetOfficeConsents.json" - } - }, - "tags": [ - "Office Consents" - ], - "description": "Gets all office365 consents.", - "operationId": "OfficeConsents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/OfficeConsentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + } + }, + "definitions": { + "Aggregations": { + "allOf": [ + { + "$ref": "#/definitions/Resource" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/definitions/AggregationsKind" } - } + ], + "description": "The aggregation.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": { - "get": { - "x-ms-examples": { - "Get an office consent.": { - "$ref": "./examples/officeConsents/GetOfficeConsentsById.json" - } - }, - "tags": [ - "Office Consents" - ], - "description": "Gets an office365 consent.", - "operationId": "OfficeConsents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": 
"#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ConsentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/OfficeConsent" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "AggregationsKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the setting", + "enum": [ + "CasesAggregation" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AggregationsKind" } } }, - "delete": { - "x-ms-examples": { - "Delete an office consent.": { - "$ref": "./examples/officeConsents/DeleteOfficeConsents.json" - } - }, - "tags": [ - "Office Consents" - ], - "description": "Delete the office365 consent.", - "operationId": "OfficeConsents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ConsentId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } + "required": [ + "kind" + ], + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": { - "get": { - "x-ms-examples": { - "Get EyesOn settings.": { - "$ref": "./examples/settings/GetAllSettings.json" - } - }, - "tags": [ - 
"Settings" - ], - "description": "List of all the settings", - "operationId": "ProductSettings_GetAll", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/SettingList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "MLBehaviorAnalyticsAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" } - } + ], + "description": "Represents MLBehaviorAnalytics alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties", + "description": "MLBehaviorAnalytics alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MLBehaviorAnalytics" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": { - "get": { - "x-ms-examples": { - "Get EyesOn settings.": { - "$ref": "./examples/settings/GetEyesOnSetting.json" - } + "MLBehaviorAnalyticsAlertRuleProperties": { + "description": "MLBehaviorAnalytics alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" }, - "tags": [ - "Settings" - ], - "description": "Gets a setting.", - "operationId": "ProductSettings_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": 
"#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" }, - { - "$ref": "#/parameters/SettingsName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Settings" + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "MLBehaviorAnalyticsAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MLBehaviorAnalytics alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "description": "MLBehaviorAnalytics alert rule template properties.", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." 
+ }, + "tactics": { + "description": "The tactics of the alert rule template.", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" } - } + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true } }, - "delete": { - "x-ms-examples": { - "Delete EyesOn settings.": { - "$ref": "./examples/settings/DeleteEyesOnSetting.json" - } - }, - "tags": [ - "Settings" - ], - "description": "Delete setting of the product.", - "operationId": "ProductSettings_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/SettingsName" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "object", + "x-ms-discriminator-value": "MLBehaviorAnalytics" + }, + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AAD (Azure Active Directory) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AAD (Azure Active Directory) data connector properties.", + "x-ms-client-flatten": true } }, - "put": { - "x-ms-examples": { - "Update EyesOn settings.": { - "$ref": "./examples/settings/UpdateEyesOnSetting.json" - } + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" }, - "tags": [ - "Settings" - ], - "description": "Updates setting.", - "operationId": 
"ProductSettings_Update", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/SettingsName" - }, - { - "$ref": "#/parameters/Settings" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Settings" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" } - } + ], + "description": "AAD (Azure Active Directory) data connector properties.", + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/aggregations/{aggregationsName}": { - "get": { - "x-ms-examples": { - "Get aggregative data for all cases under the defined workspace, between the time range if specified.": { - "$ref": "./examples/aggregations/GetCasesAggregations.json" - } - }, - "tags": [ - "Aggregations" - ], - "description": "Get aggregative result for the given resources under the defined workspace", - "operationId": "CasesAggregations_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AggregationsName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Aggregations" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": 
"#/definitions/CloudError" - } - } + "AADCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" } - } + ], + "description": "Represents AAD (Azure Active Directory) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/AADCheckRequirementsProperties", + "description": "AAD (Azure Active Directory) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { - "get": { - "x-ms-examples": { - "Get all entity queries.": { - "$ref": "./examples/entityQueries/GetEntityQueries.json" - } - }, - "tags": [ - "EntityQueries" - ], - "description": "Gets all entity queries.", - "operationId": "EntityQueries_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityQueryList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + "AADCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" } - } + ], + "description": "AAD (Azure Active Directory) requirements check properties.", + "type": "object" }, - 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { - "get": { - "x-ms-examples": { - "Get an entity query.": { - "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json" - } - }, - "tags": [ - "EntityQueries" - ], - "description": "Gets an entity query.", - "operationId": "EntityQueries_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityQueryId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityQuery" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "AATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" } - } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { - "get": { - "x-ms-examples": { - "Get all incidents.": { - "$ref": "./examples/incidents/GetIncidents.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets all incidents.", - "operationId": "Incidents_List", - "parameters": [ - { - "$ref": 
"#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "AATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" } - } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { - "get": { - "x-ms-examples": { - "Get an incident.": { - "$ref": "./examples/incidents/GetIncidentById.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets an incident.", - "operationId": "Incidents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - 
"schema": { - "$ref": "#/definitions/CloudError" - } - } + "AATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPCheckRequirementsProperties", + "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true } }, - "put": { - "x-ms-examples": { - "Creates or updates an incident.": { - "$ref": "./examples/incidents/CreateIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Creates or updates the incident.", - "operationId": "Incidents_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/Incident" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Incident" + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "MSTIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Microsoft Threat Intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTIDataConnectorProperties", + "description": "Microsoft Threat Intelligence data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + 
}, + "MSTIDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.", + "properties": { + "bingSafetyPhishingURL": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Incident" + ], + "properties": { + "lookbackPeriod": { + "description": "lookback period", + "type": "string" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] + }, + "microsoftEmergingThreatFeed": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - } + ], + "properties": { + "lookbackPeriod": { + "description": "lookback period", + "type": "string" + } + }, + "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] } }, - "delete": { - "x-ms-examples": { - "Delete an incident.": { - "$ref": "./examples/incidents/DeleteIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Delete the incident.", - "operationId": "Incidents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "object", + "required": [ + 
"bingSafetyPhishingURL", + "microsoftEmergingThreatFeed" + ] + }, + "MSTIDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" } - } + ], + "description": "Microsoft Threat Intelligence data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MSTIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { - "post": { - "x-ms-examples": { - "Get all incident alerts.": { - "$ref": "./examples/incidents/GetAllIncidentAlerts.json" - } - }, - "tags": [ - "IncidentAlerts" - ], - "description": "Gets all incident alerts.", - "operationId": "Incidents_ListOfAlerts", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentAlertList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "MSTICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" } - } + ], + "description": "Represents Microsoft Threat Intelligence requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTICheckRequirementsProperties", + "description": "Microsoft Threat Intelligence requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + 
"x-ms-discriminator-value": "MicrosoftThreatIntelligence" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { - "post": { - "x-ms-examples": { - "Get all incident bookmarks.": { - "$ref": "./examples/incidents/GetAllIncidentBookmarks.json" - } - }, - "tags": [ - "IncidentBookmarks" - ], - "description": "Gets all incident bookmarks.", - "operationId": "Incidents_ListOfBookmarks", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentBookmarkList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "MSTICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" } - } + ], + "description": "Microsoft Threat Intelligence requirements check properties.", + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { - "get": { - "x-ms-examples": { - "Get all incident comments.": { - "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets all incident comments.", - "operationId": "IncidentComments_ListByIncident", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": 
"#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentCommentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/IncidentComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" + "MTPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" } - } + ], + "description": "Represents MTP (Microsoft Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MTPDataConnectorProperties", + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { - "get": { - "x-ms-examples": { - "Get an incident comment.": { - "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets an incident comment.", - "operationId": "IncidentComments_GetComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": 
"#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "MTPDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Protection Platforms data connector.", + "properties": { + "incidents": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - } + ], + "description": "Data type for Microsoft Threat Protection Platforms data connector.", + "type": "object" } }, - "put": { - "x-ms-examples": { - "Creates or updates an incident comment.": { - "$ref": "./examples/incidents/comments/CreateIncidentComment.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Creates or updates the incident comment.", - "operationId": "IncidentComments_CreateComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - }, - { - "$ref": "#/parameters/IncidentComment" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "object", + "required": [ + "incidents" + ] + }, + "MTPDataConnectorProperties": { + "allOf": [ + { + "$ref": 
"#/definitions/DataConnectorTenantId" + } + ], + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MTPDataConnectorDataTypes", + "description": "The available data types for the connector." } }, - "delete": { - "x-ms-examples": { - "Delete the incident comment.": { - "$ref": "./examples/incidents/comments/DeleteIncidentComment.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Delete the incident comment.", - "operationId": "IncidentComments_DeleteComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MtpCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" } - } + ], + "description": "Represents MTP (Microsoft Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MTPCheckRequirementsProperties", + "description": "MTP (Microsoft Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { - "post": { - 
"x-ms-examples": { - "Gets all incident related entities": { - "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json" - } - }, - "tags": [ - "IncidentEntities" - ], - "description": "Gets all incident related entities.", - "operationId": "Incidents_ListOfEntities", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentEntitiesResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "MTPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" } - } + ], + "description": "MTP (Microsoft Threat Protection) requirements check properties.", + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { - "get": { - "x-ms-examples": { - "Get all incident relations.": { - "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" - } - }, - "tags": [ - "IncidentRelations" - ], - "description": "Gets all incident relations.", - "operationId": "IncidentRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": 
"#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" + "ASCDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" } - } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get an incident relation.": { - "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" - } - }, - "tags": [ - "IncidentRelations" - ], - "description": "Gets an incident relation.", - "operationId": "IncidentRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "default": { - "description": "Error response describing why 
the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "ASCDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" } }, - "put": { - "x-ms-examples": { - "Creates or updates an incident relation.": { - "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" - } - }, - "tags": [ - "IncidentRelations" - ], - "description": "Creates or updates the incident relation.", - "operationId": "IncidentRelations_CreateOrUpdateRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/RelationName" - }, - { - "$ref": "#/parameters/Relation" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "object" + }, + "ASCCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents ASC (Azure Security Center) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCCheckRequirementsProperties", + "description": "ASC (Azure Security Center) requirements check properties.", + "x-ms-client-flatten": true } }, - "delete": { - "x-ms-examples": { - "Delete the 
incident relation.": { - "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json" - } - }, - "tags": [ - "IncidentRelations" - ], - "description": "Delete the incident relation.", - "operationId": "IncidentRelations_DeleteRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCCheckRequirementsProperties": { + "description": "ASC (Azure Security Center) requirements check properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" } - } + }, + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { - "get": { - "x-ms-examples": { - "Get all watchlists.": { - "$ref": "./examples/watchlists/GetWatchlists.json" - } - }, - "tags": [ - "Watchlists" - ], - "description": "Gets all watchlists, without watchlist items.", - "operationId": "Watchlists_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { 
- "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + "AccountEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" } - } + ], + "description": "Represents an account entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AccountEntityProperties", + "description": "Account entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Account" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { - "get": { - "x-ms-examples": { - "Get a watchlist.": { - "$ref": "./examples/watchlists/GetWatchlistByAlias.json" - } - }, - "tags": [ - "Watchlists" - ], - "description": "Gets a watchlist, without its watchlist items.", - "operationId": "Watchlists_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Watchlist" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "AccountEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" } - }, - "delete": { - "x-ms-examples": { - "Delete a watchlist.": { - "$ref": "./examples/watchlists/DeleteWatchlist.json" - } + ], + "description": "Account entity property bag.", + 
"properties": { + "aadTenantId": { + "description": "The Azure Active Directory tenant id.", + "readOnly": true, + "type": "string" }, - "tags": [ - "Watchlists" - ], - "description": "Delete a watchlist.", - "operationId": "Watchlists_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates a watchlist.": { - "$ref": "./examples/watchlists/CreateWatchlist.json" - } + "aadUserId": { + "description": "The Azure Active Directory user id.", + "readOnly": true, + "type": "string" }, - "tags": [ - "Watchlists" - ], - "description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). 
To create a Watchlist and its Items, we should call this endpoint twice : the first call will create an empty Watchlist, and the second one will create its Items.", - "operationId": "Watchlists_Create", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - }, - { - "$ref": "#/parameters/Watchlist" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Watchlist" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Watchlist" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { - "get": { - "x-ms-examples": { - "Get all watchlist Items.": { - "$ref": "./examples/watchlists/GetWatchlistItems.json" - } + "accountName": { + "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. 
administrator.", + "readOnly": true, + "type": "string" }, - "tags": [ - "WatchlistItems" - ], - "description": "Gets all watchlist Items.", - "operationId": "WatchlistItems_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistItemList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "displayName": { + "description": "The display name of the account.", + "readOnly": true, + "type": "string" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + "hostEntityId": { + "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this is a domain account.", + "readOnly": true, + "type": "boolean" + }, + "ntDomain": { + "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. Examples: NT AUTHORITY.", + "readOnly": true, + "type": "string" + }, + "objectGuid": { + "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "puid": { + "description": "The Azure Active Directory Passport User ID.", + "readOnly": true, + "type": "string" + }, + "sid": { + "description": "The account security identifier, e.g. 
S-1-5-18.", + "readOnly": true, + "type": "string" + }, + "upnSuffix": { + "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", + "readOnly": true, + "type": "string" + }, + "dnsDomain": { + "description": "The fully qualified domain DNS name.", + "readOnly": true, + "type": "string" } - } + }, + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { - "get": { - "x-ms-examples": { - "Get a watchlist item.": { - "$ref": "./examples/watchlists/GetWatchlistItemById.json" - } - }, - "tags": [ - "WatchlistItems" - ], - "description": "Gets a watchlist, without its watchlist items.", - "operationId": "WatchlistItems_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - }, - { - "$ref": "#/parameters/WatchlistItemId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistItem" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "ActionRequest": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionRequestProperties", + "description": "Action properties for put request", + "x-ms-client-flatten": true } }, - "delete": { - "x-ms-examples": { - "Delete a watchlist Item.": { - "$ref": "./examples/watchlists/DeleteWatchlistItem.json" - } 
+ "type": "object" + }, + "ActionPropertiesBase": { + "description": "Action property bag base.", + "properties": { + "logicAppResourceId": { + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + "type": "string" + } + }, + "required": [ + "logicAppResourceId" + ], + "type": "object" + }, + "ActionRequestProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "triggerUri": { + "description": "Logic App Callback URL for this specific workflow.", + "type": "string" + } + }, + "required": [ + "triggerUri" + ], + "type": "object" + }, + "ActionResponse": { + "allOf": [ + { + "$ref": "#/definitions/Resource" + } + ], + "description": "Action for alert rule.", + "properties": { + "etag": { + "description": "Etag of the action.", + "type": "string" }, - "tags": [ - "WatchlistItems" - ], - "description": "Delete a watchlist item.", - "operationId": "WatchlistItems_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - }, - { - "$ref": "#/parameters/WatchlistItemId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "properties": { + "$ref": "#/definitions/ActionResponseProperties", + "description": "Action properties for get request", + "x-ms-client-flatten": true } }, - "put": { - "x-ms-examples": { - "Creates or updates a watchlist item.": { - "$ref": 
"./examples/watchlists/CreateWatchlistItem.json" - } + "type": "object" + }, + "ActionResponseProperties": { + "allOf": [ + { + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "workflowId": { + "description": "The name of the logic app's workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionsList": { + "description": "List all the actions.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of actions.", + "readOnly": true, + "type": "string" }, - "tags": [ - "WatchlistItems" - ], - "description": "Creates or updates a watchlist item.", - "operationId": "WatchlistItems_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/WatchlistAlias" - }, - { - "$ref": "#/parameters/WatchlistItemId" - }, - { - "$ref": "#/parameters/WatchlistItem" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistItem" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/WatchlistItem" - } + "value": { + "description": "Array of actions.", + "items": { + "$ref": "#/definitions/ActionResponse" }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "array" } - } + }, + "required": [ + "value" + ] }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": { - "post": { - "x-ms-examples": { - "Create a new Threat Intelligence": { - "$ref": 
"./examples/threatintelligence/CreateThreatIntelligence.json" - } + "AlertRule": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Create a new threat intelligence indicator.", - "operationId": "ThreatIntelligenceIndicator_CreateIndicator", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceProperties" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - } - }, - "default": { - "description": "Error response describing why the operation failed to create indicators.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "#/definitions/AlertRuleKind" } - } + ], + "description": "Alert rule.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": { - "get": { - "x-ms-examples": { - "Get all threat intelligence indicators": { - "$ref": "./examples/threatintelligence/GetThreatIntelligence.json" + "AlertRuleKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the alert rule", + "enum": [ + "Scheduled", + "MicrosoftSecurityIncidentCreation", + "Fusion", + "MLBehaviorAnalytics", + "ThreatIntelligence" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertRuleKind", + 
"values": [ + { + "value": "Scheduled" + }, + { + "value": "MicrosoftSecurityIncidentCreation" + }, + { + "value": "Fusion" + }, + { + "value": "MLBehaviorAnalytics" + }, + { + "value": "ThreatIntelligence" + } + ] } + } + }, + "required": [ + "kind" + ], + "type": "object" + }, + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/Resource" }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Get all threat intelligence indicators.", - "operationId": "ThreatIntelligenceIndicators_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" + { + "$ref": "#/definitions/AlertRuleKind" + } + ], + "description": "Alert rule template.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" + }, + "dataTypes": { + "description": "The data types used by the alert rule template", + "items": { + "type": "string" }, - { - "$ref": "#/parameters/ResourceGroupName" + "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer" + }, + "lastUpdatedDateUTC": { + "description": "The last time that this alert rule template has been updated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the alert rule template.", + "type": "string" + }, + "displayName": { + "description": "The display 
name for alert rule template.", + "type": "string" + }, + "requiredDataConnectors": { + "description": "The required data sources for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "type": "array" + }, + "status": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + } + }, + "type": "object" + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rule templates.", + "items": { + "$ref": "#/definitions/AlertRuleTemplate" }, - { - "$ref": "#/parameters/WorkspaceName" + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, 
+ "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ { - "$ref": "#/parameters/ODataFilter" + "description": "High severity", + "value": "High" }, { - "$ref": "#/parameters/ODataTop" + "description": "Medium severity", + "value": "Medium" }, { - "$ref": "#/parameters/ODataSkipToken" + "description": "Low severity", + "value": "Low" }, { - "$ref": "#/parameters/ODataOrderBy" + "description": "Informational severity", + "value": "Informational" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformationList" - } - }, - "default": { - "description": "Error response describing why the operation failed to get indicators.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } + ] } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": { - "get": { - "x-ms-examples": { - "View a threat intelligence indicator by name": { - "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "View a threat intelligence indicator by name.", - "operationId": "ThreatIntelligenceIndicator_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": 
"#/definitions/ThreatIntelligenceInformation" - } - }, - "default": { - "description": "Error response describing why the operation failed to view an indicator.", - "schema": { - "$ref": "#/definitions/CloudError" + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - } + ], + "description": "Alerts data type connection.", + "type": "object" } }, - "put": { - "x-ms-examples": { - "Update a threat Intelligence indicator": { - "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Update a threat Intelligence indicator.", - "operationId": "ThreatIntelligenceIndicator_Create", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceProperties" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - } - }, - "default": { - "description": "Error response describing why the operation failed to update an indicator.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "type": "object", + "required": [ + "alerts" + ] + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + 
"CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true } }, - "delete": { - "x-ms-examples": { - "Delete a threat intelligence indicator": { - "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Delete a threat intelligence indicator.", - "operationId": "ThreatIntelligenceIndicator_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceName" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed to delete an indicator.", - "schema": { - "$ref": "#/definitions/CloudError" + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - } + ], + "description": "Logs data type.", + "type": "object" } - } + }, + "type": "object", + "required": [ + "logs" + ] }, - 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": { - "post": { - "x-ms-examples": { - "Query threat intelligence indicators as per filtering criteria": { - "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Query threat intelligence indicators as per filtering criteria.", - "operationId": "ThreatIntelligenceIndicator_QueryIndicators", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." 
} - } + }, + "required": [ + "dataTypes" + ], + "type": "object" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": { - "get": { - "x-ms-examples": { - "Get threat intelligence indicators metrics.": { - "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).", - "operationId": "ThreatIntelligenceIndicatorMetrics_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceMetricsList" - } - }, - "default": { - "description": "Error response describing why the operation failed to get metrics.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": { - "post": { - "x-ms-examples": { - "Append tags to a threat intelligence indicator": { - "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Append tags to a threat intelligence indicator.", - "operationId": "ThreatIntelligenceIndicator_AppendTags", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - 
}, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceAppendTags" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "default": { - "description": "Error response describing why the operation failed to append tags.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "AwsCloudTrailCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" } - } + ], + "description": "Amazon Web Services CloudTrail requirements check request.", + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": { - "post": { - "x-ms-examples": { - "Replace tags to a Threat Intelligence": { - "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json" - } - }, - "tags": [ - "ThreatIntelligence" - ], - "description": "Replace tags added to a threat intelligence indicator.", - "operationId": "ThreatIntelligenceIndicator_ReplaceTags", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceName" - }, - { - "$ref": "#/parameters/ThreatIntelligenceReplaceTags" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - } - }, - "default": { - "description": "Error response describing why the operation failed to replace tags.", - "schema": { - "$ref": 
"#/definitions/CloudError" - } - } - } - } - } - }, - "definitions": { - "MLBehaviorAnalyticsAlertRule": { + "AzureResourceEntity": { "allOf": [ { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/Entity" } ], - "description": "Represents MLBehaviorAnalytics alert rule.", + "description": "Represents an azure resource entity.", "properties": { "properties": { - "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties", - "description": "MLBehaviorAnalytics alert rule properties", + "$ref": "#/definitions/AzureResourceEntityProperties", + "description": "AzureResource entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "MLBehaviorAnalytics" + "x-ms-discriminator-value": "AzureResource" }, - "MLBehaviorAnalyticsAlertRuleProperties": { - "description": "MLBehaviorAnalytics alert rule base property bag.", + "AzureResourceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "AzureResource entity property bag.", "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", + "resourceId": { + "description": "The azure resource id of the resource", "readOnly": true, "type": "string" }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert rule has been modified.", - "format": "date-time", + "subscriptionId": { + "description": "The subscription id of the resource", "readOnly": true, "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this 
alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" } }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], "type": "object" }, - "MLBehaviorAnalyticsAlertRuleTemplate": { + "CasesAggregation": { "allOf": [ { - "$ref": "#/definitions/AlertRuleTemplate" + "$ref": "#/definitions/Aggregations" } ], - "description": "Represents MLBehaviorAnalytics alert rule template.", + "description": "Represents aggregations results for cases.", "properties": { "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "MLBehaviorAnalytics alert rule template properties.", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "tactics": { - "description": "The tactics of the alert rule template.", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], + "$ref": "#/definitions/CasesAggregationProperties", + "description": "Properties of aggregations results of cases.", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "MLBehaviorAnalytics" + "x-ms-discriminator-value": "CasesAggregation" }, - "AADDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents AAD (Azure Active Directory) data connector.", + "CasesAggregationBySeverityProperties": { + "description": "Aggregative results of cases by severity property bag.", "properties": { - "properties": { - "$ref": "#/definitions/AADDataConnectorProperties", - "description": "AAD (Azure Active Directory) data connector properties.", - "x-ms-client-flatten": true + "totalCriticalSeverity": { + 
"description": "Total amount of open cases with severity Critical", + "readOnly": true, + "type": "integer" + }, + "totalHighSeverity": { + "description": "Total amount of open cases with severity High", + "readOnly": true, + "type": "integer" + }, + "totalInformationalSeverity": { + "description": "Total amount of open cases with severity Informational", + "readOnly": true, + "type": "integer" + }, + "totalLowSeverity": { + "description": "Total amount of open cases with severity Low", + "readOnly": true, + "type": "integer" + }, + "totalMediumSeverity": { + "description": "Total amount of open cases with severity medium", + "readOnly": true, + "type": "integer" } }, - "type": "object", - "x-ms-discriminator-value": "AzureActiveDirectory" + "type": "object" }, - "AADDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "CasesAggregationByStatusProperties": { + "description": "Aggregative results of cases by status property bag.", + "properties": { + "totalDismissedStatus": { + "description": "Total amount of closed cases with status Dismissed", + "readOnly": true, + "type": "integer" }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" + "totalInProgressStatus": { + "description": "Total amount of open cases with status InProgress", + "readOnly": true, + "type": "integer" + }, + "totalNewStatus": { + "description": "Total amount of open cases with status New", + "readOnly": true, + "type": "integer" + }, + "totalResolvedStatus": { + "description": "Total amount of closed cases with status Resolved", + "readOnly": true, + "type": "integer" + }, + "totalFalsePositiveStatus": { + "description": "Total amount of closed cases with status Closed and Close reason of False positive", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "totalTruePositiveStatus": { + "description": "Total amount of closed cases with status Closed and Close reason of True positive", + "readOnly": true, + "type": 
"integer", + "format": "int32" } - ], - "description": "AAD (Azure Active Directory) data connector properties.", + }, "type": "object" }, - "AADCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents AAD (Azure Active Directory) requirements check request.", + "CasesAggregationProperties": { + "description": "Aggregative results of cases property bag.", "properties": { - "properties": { - "$ref": "#/definitions/AADCheckRequirementsProperties", - "description": "AAD (Azure Active Directory) requirements check properties.", - "x-ms-client-flatten": true + "aggregationBySeverity": { + "$ref": "#/definitions/CasesAggregationBySeverityProperties", + "description": "Aggregations results by case severity." + }, + "aggregationByStatus": { + "$ref": "#/definitions/CasesAggregationByStatusProperties", + "description": "Aggregations results by case status." } }, - "type": "object", - "x-ms-discriminator-value": "AzureActiveDirectory" - }, - "AADCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "AAD (Azure Active Directory) requirements check properties.", "type": "object" }, - "AATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "ClientInfo": { + "description": "Information on the client (user or application) that made some action", "properties": { - "properties": { - "$ref": "#/definitions/AATPDataConnectorProperties", - "description": "AATP (Azure Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureAdvancedThreatProtection" - }, - "AATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "email": { + "description": "The email of the client.", + "type": "string" 
}, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" + "name": { + "description": "The name of the client.", + "type": "string" + }, + "objectId": { + "description": "The object id of the client.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the client.", + "type": "string" } - ], - "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + }, "type": "object" }, - "AATPCheckRequirements": { + "CloudApplicationEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/definitions/Entity" } ], - "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.", + "description": "Represents a cloud application entity.", "properties": { "properties": { - "$ref": "#/definitions/AATPCheckRequirementsProperties", - "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "$ref": "#/definitions/CloudApplicationEntityProperties", + "description": "CloudApplication entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + "x-ms-discriminator-value": "CloudApplication" }, - "AATPCheckRequirementsProperties": { + "CloudApplicationEntityProperties": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "description": "CloudApplication entity property bag.", + "properties": { + "appId": { + "description": "The technical identifier of the application.", + "readOnly": true, + "type": "integer" + }, + "appName": { + "description": "The name of the related cloud application.", + "readOnly": true, + "type": "string" + }, + "instanceName": { + "description": "The user defined instance name of the cloud application. 
It is often used to distinguish between several applications of the same type that a customer has.", + "readOnly": true, + "type": "string" + } + }, "type": "object" }, - "MSTIDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Microsoft Threat Intelligence data connector.", + "CloudError": { + "description": "Error response structure.", "properties": { - "properties": { - "$ref": "#/definitions/MSTIDataConnectorProperties", - "description": "Microsoft Threat Intelligence data connector properties.", + "error": { + "$ref": "#/definitions/CloudErrorBody", + "description": "Error data", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + "x-ms-external": true }, - "MSTIDataConnectorDataTypes": { - "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.", + "CloudErrorBody": { + "description": "Error details.", "properties": { - "bingSafetyPhishingURL": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "properties": { - "lookbackPeriod": { - "description": "lookback period", - "type": "string" - } - }, - "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", - "type": "object", - "required": [ - "lookbackPeriod" - ] + "code": { + "description": "An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.", + "readOnly": true, + "type": "string" }, - "microsoftEmergingThreatFeed": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "properties": { - "lookbackPeriod": { - "description": "lookback period", - "type": "string" - } - }, - "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", - "type": "object", - "required": [ - "lookbackPeriod" - ] + "message": { + "description": "A message describing the error, intended to be suitable for display in a user interface.", + "readOnly": true, + "type": "string" } }, "type": "object", - "required": [ - "bingSafetyPhishingURL", - "microsoftEmergingThreatFeed" - ] + "x-ms-external": true }, - "MSTIDataConnectorProperties": { + "DataConnector": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/DataConnectorKind" } ], - "description": "Microsoft Threat Intelligence data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MSTIDataConnectorDataTypes", - "description": "The available data types for the connector." 
- } - }, + "description": "Data connector.", + "discriminator": "kind", + "type": "object", "required": [ - "dataTypes" - ], - "type": "object" + "kind" + ] }, - "MSTICheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents Microsoft Threat Intelligence requirements check request.", + "DataConnectorsCheckRequirements": { + "description": "Data connector requirements properties.", "properties": { - "properties": { - "$ref": "#/definitions/MSTICheckRequirementsProperties", - "description": "Microsoft Threat Intelligence requirements check properties.", - "x-ms-client-flatten": true + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "Describes the kind of connector to be checked." } }, + "discriminator": "kind", "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + "required": [ + "kind" + ] }, - "MSTICheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } + "DataConnectorAuthorizationState": { + "description": "Describes the state of user's authorization for a connector kind.", + "enum": [ + "Valid", + "Invalid" ], - "description": "Microsoft Threat Intelligence requirements check properties.", - "type": "object" + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorAuthorizationState", + "values": [ + { + "value": "Valid" + }, + { + "value": "Invalid" + } + ] + } }, - "MTPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } + "DataConnectorLicenseState": { + "description": "Describes the state of user's license for a connector kind.", + "enum": [ + "Valid", + "Invalid", + "Unknown" ], - "description": "Represents MTP (Microsoft Threat Protection) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MTPDataConnectorProperties", - "description": "MTP (Microsoft Threat Protection) data connector properties.", - 
"x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatProtection" + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorLicenseState", + "values": [ + { + "value": "Valid" + }, + { + "value": "Invalid" + }, + { + "value": "Unknown" + } + ] + } }, - "MTPDataConnectorDataTypes": { - "description": "The available data types for Microsoft Threat Protection Platforms data connector.", + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", "properties": { - "incidents": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" ], - "description": "Data type for Microsoft Threat Protection Platforms data connector.", - "type": "object" + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" + } } }, "type": "object", "required": [ - "incidents" + "state" ] }, - "MTPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MTP (Microsoft Threat Protection) data connector properties.", + "DataConnectorKind": { + "description": "Describes an Azure resource with kind.", "properties": { - "dataTypes": { - "$ref": "#/definitions/MTPDataConnectorDataTypes", - "description": "The available data types for the connector." 
+ "kind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "ThreatIntelligenceTaxii", + "Office365", + "OfficeATP", + "AmazonWebServicesCloudTrail", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection", + "Dynamics365", + "MicrosoftThreatProtection", + "MicrosoftThreatIntelligence" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "ThreatIntelligenceTaxii" + }, + { + "value": "Office365" + }, + { + "value": "OfficeATP" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + }, + { + "value": "Dynamics365" + }, + { + "value": "MicrosoftThreatProtection" + }, + { + "value": "MicrosoftThreatIntelligence" + } + ] + } } }, "required": [ - "dataTypes" + "kind" ], "type": "object" }, - "MtpCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { + "$ref": "#/definitions/DataConnector" + }, + "type": "array" } - ], - "description": "Represents MTP (Microsoft Threat Protection) requirements check request.", + }, + "required": [ + "value" + ] + }, + "DataConnectorRequirementsState": { + "description": "Data connector requirements status.", "properties": { - "properties": { - "$ref": "#/definitions/MTPCheckRequirementsProperties", - 
"description": "MTP (Microsoft Threat Protection) requirements check properties.", - "x-ms-client-flatten": true + "authorizationState": { + "description": "Authorization state for this connector", + "$ref": "#/definitions/DataConnectorAuthorizationState" + }, + "licenseState": { + "description": "License state for this connector", + "$ref": "#/definitions/DataConnectorLicenseState" } }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatProtection" + "type": "object" }, - "MTPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" } + }, + "required": [ + "tenantId" ], - "description": "MTP (Microsoft Threat Protection) requirements check properties.", "type": "object" }, - "ASCDataConnector": { + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." 
+ } + }, + "type": "object" + }, + "DnsEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Entity" } ], - "description": "Represents ASC (Azure Security Center) data connector.", + "description": "Represents a dns entity.", "properties": { "properties": { - "$ref": "#/definitions/ASCDataConnectorProperties", - "description": "ASC (Azure Security Center) data connector properties.", + "$ref": "#/definitions/DnsEntityProperties", + "description": "Dns entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" + "x-ms-discriminator-value": "DnsResolution" }, - "ASCDataConnectorProperties": { + "DnsEntityProperties": { "allOf": [ { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "ASC (Azure Security Center) data connector properties.", + "description": "Dns entity property bag.", "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" - } - }, - "type": "object" - }, - "ASCCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents ASC (Azure Security Center) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/ASCCheckRequirementsProperties", - "description": "ASC (Azure Security Center) requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" - }, - "ASCCheckRequirementsProperties": { - "description": "ASC (Azure Security Center) requirements check properties.", - "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" - } - }, - "type": "object" - }, - "AccountEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - 
"description": "Represents an account entity.", - "properties": { - "properties": { - "$ref": "#/definitions/AccountEntityProperties", - "description": "Account entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Account" - }, - "AccountEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Account entity property bag.", - "properties": { - "aadTenantId": { - "description": "The Azure Active Directory tenant id.", - "readOnly": true, - "type": "string" - }, - "aadUserId": { - "description": "The Azure Active Directory user id.", - "readOnly": true, - "type": "string" - }, - "accountName": { - "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name of the account.", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", - "readOnly": true, - "type": "string" - }, - "isDomainJoined": { - "description": "Determines whether this is a domain account.", - "readOnly": true, - "type": "boolean" - }, - "ntDomain": { - "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. 
Examples: NT AUTHORITY.", - "readOnly": true, - "type": "string" - }, - "objectGuid": { - "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "puid": { - "description": "The Azure Active Directory Passport User ID.", - "readOnly": true, + "dnsServerIpEntityId": { + "description": "An ip entity id for the dns server resolving the request", + "readOnly": true, "type": "string" }, - "sid": { - "description": "The account security identifier, e.g. S-1-5-18.", + "domainName": { + "description": "The name of the dns record associated with the alert", "readOnly": true, "type": "string" }, - "upnSuffix": { - "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", + "hostIpAddressEntityId": { + "description": "An ip entity id for the dns request client", "readOnly": true, "type": "string" }, - "dnsDomain": { - "description": "The fully qualified domain DNS name.", + "ipAddressEntityIds": { + "description": "Ip entity identifiers for the resolved ip address.", + "items": { + "description": "Ip entity id", + "type": "string" + }, "readOnly": true, - "type": "string" + "type": "array" } }, "type": "object" }, - "ActionRequest": { + "Dynamics365DataConnector": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "#/definitions/DataConnector" } ], - "description": "Action for alert rule.", + "description": "Represents Dynamics365 data connector.", "properties": { "properties": { - "$ref": "#/definitions/ActionRequestProperties", - "description": "Action properties for put request", + "$ref": "#/definitions/Dynamics365DataConnectorProperties", + "description": "Dynamics365 data connector properties.", "x-ms-client-flatten": true } }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "Dynamics365" }, - 
"ActionPropertiesBase": { - "description": "Action property bag base.", + "Dynamics365DataConnectorDataTypes": { + "description": "The available data types for Dynamics365 data connector.", "properties": { - "logicAppResourceId": { - "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", - "type": "string" + "dynamics365CdsActivities": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Common Data Service data type connection.", + "type": "object" } }, + "type": "object", "required": [ - "logicAppResourceId" - ], - "type": "object" + "dynamics365CdsActivities" + ] }, - "ActionRequestProperties": { + "Dynamics365DataConnectorProperties": { "allOf": [ { - "$ref": "#/definitions/ActionPropertiesBase" + "$ref": "#/definitions/DataConnectorTenantId" } ], - "description": "Action property bag.", + "description": "Dynamics365 data connector properties.", "properties": { - "triggerUri": { - "description": "Logic App Callback URL for this specific workflow.", - "type": "string" + "dataTypes": { + "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", + "description": "The available data types for the connector." 
} }, "required": [ - "triggerUri" + "dataTypes" ], "type": "object" }, - "ActionResponse": { + "Dynamics365CheckRequirements": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/DataConnectorsCheckRequirements" } ], - "description": "Action for alert rule.", + "description": "Represents Dynamics365 requirements check request.", "properties": { - "etag": { - "description": "Etag of the action.", - "type": "string" - }, "properties": { - "$ref": "#/definitions/ActionResponseProperties", - "description": "Action properties for get request", + "$ref": "#/definitions/Dynamics365CheckRequirementsProperties", + "description": "Dynamics365 requirements check properties.", "x-ms-client-flatten": true } }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "Dynamics365" }, - "ActionResponseProperties": { + "Dynamics365CheckRequirementsProperties": { "allOf": [ { - "$ref": "#/definitions/ActionPropertiesBase" + "$ref": "#/definitions/DataConnectorTenantId" } ], - "description": "Action property bag.", - "properties": { - "workflowId": { - "description": "The name of the logic app's workflow.", - "type": "string" - } - }, + "description": "Dynamics365 requirements check properties.", "type": "object" }, - "ActionsList": { - "description": "List all the actions.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of actions.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of actions.", - "items": { - "$ref": "#/definitions/ActionResponse" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "Aggregations": { + "Entity": { "allOf": [ { "$ref": "#/definitions/Resource" }, { - "$ref": "#/definitions/AggregationsKind" + "$ref": "#/definitions/EntityKind" } ], - "description": "The aggregation.", + "description": "Specific entity.", "discriminator": "kind", "type": "object", "required": [ "kind" ] }, - "AggregationsKind": { - "description": "Describes an Azure 
resource with kind.", + "EntityCommonProperties": { + "description": "Entity common property bag.", "properties": { - "kind": { - "description": "The kind of the setting", - "enum": [ - "CasesAggregation" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AggregationsKind" - } + "additionalData": { + "additionalProperties": { + "type": "object" + }, + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "readOnly": true, + "type": "object" + }, + "friendlyName": { + "description": "The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.", + "readOnly": true, + "type": "string" } }, - "required": [ - "kind" - ], "type": "object" }, - "AlertRule": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/AlertRuleKind" - } - ], - "description": "Alert rule.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the alert rule", - "enum": [ - "Scheduled", - "MicrosoftSecurityIncidentCreation", - "Fusion", - "MLBehaviorAnalytics", - "ThreatIntelligence" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertRuleKind", - "values": [ - { - "value": "Scheduled" - }, - { - "value": "MicrosoftSecurityIncidentCreation" - }, - { - "value": "Fusion" - }, - { - "value": "MLBehaviorAnalytics" - }, - { - "value": "ThreatIntelligence" - } - ] - } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "AlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - }, - { - "$ref": "#/definitions/AlertRuleKind" - } - ], - "description": "Alert rule template.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - 
"AlertRuleTemplateDataSource": { - "description": "alert rule template data sources", - "properties": { - "connectorId": { - "description": "The connector id that provides the following data types", - "type": "string" - }, - "dataTypes": { - "description": "The data types used by the alert rule template", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "AlertRuleTemplatePropertiesBase": { - "description": "Base alert rule template property bag.", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "type": "integer" - }, - "lastUpdatedDateUTC": { - "description": "The last time that this alert rule template has been updated.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data sources for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "description": "The alert rule template status.", - "enum": [ - "Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. 
and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] - } - } - }, - "type": "object" - }, - "AlertRuleTemplatesList": { - "description": "List all the alert rule templates.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rule templates.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rule templates.", - "items": { - "$ref": "#/definitions/AlertRuleTemplate" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertRuleTriggerOperator": { - "description": "The operation against the threshold that triggers alert rule.", - "enum": [ - "GreaterThan", - "LessThan", - "Equal", - "NotEqual" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TriggerOperator" - } - }, - "AlertRulesList": { - "description": "List all the alert rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rules.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rules.", - "items": { - "$ref": "#/definitions/AlertRule" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", + "EntityInnerKind": { + "description": "The kind of the entity", "enum": [ - "High", - "Medium", - "Low", - "Informational" + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DnsResolution", + "FileHash", + "Ip", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "Url", + "IoTDevice", + "SecurityAlert", + "Bookmark", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" ], "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "AlertSeverity", + "name": "EntityKind", "values": [ 
{ - "description": "High severity", - "value": "High" + "description": "Entity represents account in the system.", + "value": "Account" }, { - "description": "Medium severity", - "value": "Medium" + "description": "Entity represents host in the system.", + "value": "Host" }, { - "description": "Low severity", - "value": "Low" + "description": "Entity represents file in the system.", + "value": "File" }, { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Alerts data type connection.", - "type": "object" - } - }, - "type": "object", - "required": [ - "alerts" - ] + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns resolution in the system.", + "value": "DnsResolution" + }, + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": "Entity represents ip in the system.", + "value": "Ip" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, + { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "Url" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + 
"description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents bookmark in the system.", + "value": "Bookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" + } + ] + } }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", + "EntityInnerType": { + "description": "The type of the entity", "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact", - "PreAttack" + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DNS", + "FileHash", + "IP", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "IoTDevice", + "SecurityAlert", + "HuntingBookmark", + "MailCluster", + "MailMessage", + "Mailbox", + "SubmissionMail" ], "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "AttackTactic" + "name": "EntityType", + "values": [ + { + "description": "Entity represents account in the system.", + "value": "Account" + }, + { + "description": "Entity represents host in the system.", + "value": "Host" + }, + { + "description": "Entity represents file in the system.", + "value": "File" + }, + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns in the system.", + "value": "DNS" + }, 
+ { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": "Entity represents ip in the system.", + "value": "IP" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, + { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "URL" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents HuntingBookmark in the system.", + "value": "HuntingBookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" + } + ] } }, - "AwsCloudTrailDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Amazon Web Services CloudTrail data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", - "description": "Amazon Web Services CloudTrail data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AwsCloudTrailDataConnectorDataTypes": { - "description": 
"The available data types for Amazon Web Services CloudTrail data connector.", - "properties": { - "logs": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Logs data type.", - "type": "object" - } - }, - "type": "object", - "required": [ - "logs" - ] - }, - "AwsCloudTrailDataConnectorProperties": { - "description": "Amazon Web Services CloudTrail data connector properties.", + "EntityKind": { + "description": "Describes an entity with kind.", "properties": { - "awsRoleArn": { - "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "AwsCloudTrailCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Amazon Web Services CloudTrail requirements check request.", - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AzureResourceEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an azure resource entity.", - "properties": { - "properties": { - "$ref": "#/definitions/AzureResourceEntityProperties", - "description": "AzureResource entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureResource" - }, - "AzureResourceEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "AzureResource entity property bag.", - "properties": { - "resourceId": { - "description": "The azure resource id of the resource", - "readOnly": true, - "type": "string" - }, - "subscriptionId": { - "description": "The subscription id of the resource", - "readOnly": true, - "type": "string" - } - }, - 
"type": "object" - }, - "RelationBase": { - "type": "object", - "description": "Represents a relation", - "allOf": [ - { - "$ref": "#/definitions/Resource" - }, - { - "type": "object", - "properties": { - "kind": { - "type": "string", - "description": "The type of relation node", - "readOnly": true, - "enum": [ - "CasesToBookmarks" - ], - "x-ms-enum": { - "name": "RelationTypes", - "modelAsString": true, - "values": [ - { - "value": "CasesToBookmarks", - "description": "Relations between cases and bookmarks" - } - ] - } - }, - "etag": { - "type": "string", - "description": "ETag for relation" - } - } - } - ] - }, - "CaseRelationList": { - "description": "List of case relations.", - "properties": { - "nextLink": { - "readOnly": true, - "description": "URL to fetch the next set of relations.", - "type": "string" - }, - "value": { - "description": "Array of relations.", - "type": "array", - "items": { - "$ref": "#/definitions/CaseRelation" - } - } - }, - "required": [ - "value" - ] - }, - "CaseRelation": { - "type": "object", - "description": "Represents a case relation", - "allOf": [ - { - "$ref": "#/definitions/RelationBase" - } - ], - "properties": { - "properties": { - "x-ms-client-flatten": true, - "description": "Case relation properties", - "$ref": "#/definitions/CaseRelationProperties" - } - } - }, - "CaseRelationProperties": { - "type": "object", - "description": "Case relation properties", - "properties": { - "relationName": { - "type": "string", - "description": "Name of relation" - }, - "bookmarkId": { - "type": "string", - "description": "The case related bookmark id" - }, - "caseIdentifier": { - "type": "string", - "description": "The case identifier" - }, - "bookmarkName": { - "type": "string", - "description": "The case related bookmark name" - } - }, - "required": [ - "relationName", - "caseIdentifier", - "bookmarkId" - ] - }, - "RelationsModelInput": { - "type": "object", - "description": "Relation input model", - "allOf": [ - { - "$ref": 
"#/definitions/RelationBase" - } - ], - "properties": { - "properties": { - "x-ms-client-flatten": true, - "description": "Relation input properties", - "$ref": "#/definitions/RelationsModelInputProperties" - } - } - }, - "RelationsModelInputProperties": { - "type": "object", - "description": "Relation input properties", - "properties": { - "relationName": { - "type": "string", - "description": "Name of relation" - }, - "sourceRelationNode": { - "type": "object", - "description": "Relation source node", - "$ref": "#/definitions/RelationNode" - }, - "targetRelationNode": { - "type": "object", - "description": "Relation target node", - "$ref": "#/definitions/RelationNode" - } - } - }, - "RelationNode": { - "type": "object", - "description": "Relation node", - "properties": { - "relationNodeId": { - "type": "string", - "description": "Relation Node Id" - }, - "relationNodeKind": { - "type": "string", - "description": "The type of relation node", - "readOnly": true, - "enum": [ - "Case", - "Bookmark" - ], - "x-ms-enum": { - "name": "RelationNodeKind", - "modelAsString": true, - "values": [ - { - "value": "Case", - "description": "Case node part of the relation" - }, - { - "value": "Bookmark", - "description": "Bookmark node part of the relation" - } - ] - } - }, - "etag": { - "type": "string", - "description": "Etag for relation node" - }, - "relationAdditionalProperties": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "Additional set of properties" - } - } - }, - "Bookmark": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a bookmark in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/BookmarkProperties", - "description": "Bookmark properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "BookmarkList": { - "description": "List all the bookmarks.", - "properties": { - "nextLink": { - "description": "URL to fetch the 
next set of cases.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of bookmarks.", - "items": { - "$ref": "#/definitions/Bookmark" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "BookmarkProperties": { - "description": "Describes bookmark properties", - "properties": { - "created": { - "description": "The time the bookmark was created", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" - }, - "query": { - "description": "The query of the bookmark.", - "type": "string" - }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" - }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" - }, - "eventTime": { - "description": "The bookmark event time", - "format": "date-time", - "type": "string" - }, - "queryStartTime": { - "description": "The start time for the query", - "format": "date-time", - "type": "string" - }, - "queryEndTime": { - "description": "The end time for the query", - "format": "date-time", - "type": "string" - }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" - } - }, - "required": [ - "displayName", - "query" - ], - "type": "object" - }, - "BookmarkExpandParameters": { - "description": "The parameters 
required to execute an expand operation on the given bookmark.", - "properties": { - "endTime": { - "description": "The end date filter, so the only expansion results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "expansionId": { - "description": "The Id of the expansion to perform.", - "format": "uuid", - "type": "string" - }, - "startTime": { - "description": "The start date filter, so the only expansion results returned are after this date.", - "format": "date-time", - "type": "string" - } - } - }, - "BookmarkExpandResponse": { - "description": "The entity expansion result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/ExpansionResultsMetadata", - "description": "The metadata from the expansion operation results." - }, - "value": { - "description": "The expansion result values.", - "properties": { - "entities": { - "description": "Array of the expansion result entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - }, - "edges": { - "description": "Array of expansion result connected entities", - "items": { - "$ref": "#/definitions/ConnectedEntity" - }, - "type": "array" - } - }, - "type": "object" - } - } - }, - "Case": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a case in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/CaseProperties", - "description": "Case properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "CaseComment": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - } - ], - "description": "Represents a case comment", - "properties": { - "properties": { - "$ref": "#/definitions/CaseCommentProperties", - "description": "Case comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "CaseCommentList": { - "description": "List of case comments.", - "properties": { - "nextLink": { - "description": "URL to 
fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/CaseComment" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "CaseCommentProperties": { - "description": "Case comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "The comment message", - "type": "string" - }, - "userInfo": { - "$ref": "#/definitions/UserInfo", - "description": "Describes the user that created the comment", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "CaseList": { - "description": "List all the cases.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of cases.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of cases.", - "items": { - "$ref": "#/definitions/Case" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "CaseProperties": { - "description": "Describes case properties", - "properties": { - "caseNumber": { - "description": "a sequential number", - "readOnly": true, - "type": "integer" - }, - "closeReason": { - "description": "The reason the case was closed", - "enum": [ - "Resolved", - "Dismissed", - "TruePositive", - "FalsePositive", - "Other" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CloseReason", - "values": [ - { - "description": "Case was resolved", - "value": "Resolved" - }, - { - "description": "Case was dismissed", - "value": "Dismissed" - }, - { - "description": "Case was true positive", - "value": "TruePositive" - }, - { - "description": "Case was false positive", - "value": "FalsePositive" - }, - { - "description": "Case was closed for another reason", - "value": "Other" - } - ] - } - }, - 
"closedReasonText": { - "description": "the case close reason details", - "type": "string" - }, - "createdTimeUtc": { - "description": "The time the case was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the case", - "type": "string" - }, - "endTimeUtc": { - "description": "The end time of the case", - "format": "date-time", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this case", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "lastComment": { - "description": "the last comment in the case", - "readOnly": true, - "type": "string" - }, - "lastUpdatedTimeUtc": { - "description": "The last time the case was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "metrics": { - "description": "Dictionary of metrics, for example the number of alerts in the case", - "type": "object", - "additionalProperties": { - "type": "integer", - "format": "int32" - }, - "readOnly": true - }, - "owner": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that the case is assigned to", - "type": "object" - }, - "relatedAlertIds": { - "description": "List of related alert identifiers", - "items": { - "description": "related alert id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "relatedAlertProductNames": { - "description": "List of related alert product names", - "items": { - "description": "related alert product name", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "tactics": { - "description": "The tactics associated with case", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - }, - "severity": { - "description": "The severity of the case", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": 
"CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "startTimeUtc": { - "description": "The start time of the case", - "format": "date-time", - "type": "string" - }, - "status": { - "description": "The status of the case", - "enum": [ - "Draft", - "New", - "InProgress", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseStatus", - "values": [ - { - "description": "Case that wasn't promoted yet to active", - "value": "Draft" - }, - { - "description": "An active case which isn't handled currently", - "value": "New" - }, - { - "description": "An active case which is handled", - "value": "InProgress" - }, - { - "description": "A non active case", - "value": "Closed" - } - ] - } - }, - "title": { - "description": "The title of the case", - "type": "string" - }, - "totalComments": { - "description": "the number of total comments in the case", - "readOnly": true, - "type": "integer" - } - }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "CasesAggregation": { - "allOf": [ - { - "$ref": "#/definitions/Aggregations" - } - ], - "description": "Represents aggregations results for cases.", - "properties": { - "properties": { - "$ref": "#/definitions/CasesAggregationProperties", - "description": "Properties of aggregations results of cases.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "CasesAggregation" - }, - "CasesAggregationBySeverityProperties": { - "description": "Aggregative results of cases by severity property bag.", - "properties": { - "totalCriticalSeverity": { - "description": "Total amount of open cases with severity 
Critical", - "readOnly": true, - "type": "integer" - }, - "totalHighSeverity": { - "description": "Total amount of open cases with severity High", - "readOnly": true, - "type": "integer" - }, - "totalInformationalSeverity": { - "description": "Total amount of open cases with severity Informational", - "readOnly": true, - "type": "integer" - }, - "totalLowSeverity": { - "description": "Total amount of open cases with severity Low", - "readOnly": true, - "type": "integer" - }, - "totalMediumSeverity": { - "description": "Total amount of open cases with severity medium", - "readOnly": true, - "type": "integer" - } - }, - "type": "object" - }, - "CasesAggregationByStatusProperties": { - "description": "Aggregative results of cases by status property bag.", - "properties": { - "totalDismissedStatus": { - "description": "Total amount of closed cases with status Dismissed", - "readOnly": true, - "type": "integer" - }, - "totalInProgressStatus": { - "description": "Total amount of open cases with status InProgress", - "readOnly": true, - "type": "integer" - }, - "totalNewStatus": { - "description": "Total amount of open cases with status New", - "readOnly": true, - "type": "integer" - }, - "totalResolvedStatus": { - "description": "Total amount of closed cases with status Resolved", - "readOnly": true, - "type": "integer" - }, - "totalFalsePositiveStatus": { - "description": "Total amount of closed cases with status Closed and Close reason of False positive", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "totalTruePositiveStatus": { - "description": "Total amount of closed cases with status Closed and Close reason of True positive", - "readOnly": true, - "type": "integer", - "format": "int32" - } - }, - "type": "object" - }, - "CasesAggregationProperties": { - "description": "Aggregative results of cases property bag.", - "properties": { - "aggregationBySeverity": { - "$ref": "#/definitions/CasesAggregationBySeverityProperties", - "description": 
"Aggregations results by case severity." - }, - "aggregationByStatus": { - "$ref": "#/definitions/CasesAggregationByStatusProperties", - "description": "Aggregations results by case status." - } - }, - "type": "object" - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" - }, - "name": { - "description": "The name of the client.", - "type": "string" - }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } - }, - "type": "object" - }, - "CloudApplicationEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a cloud application entity.", - "properties": { - "properties": { - "$ref": "#/definitions/CloudApplicationEntityProperties", - "description": "CloudApplication entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "CloudApplication" - }, - "CloudApplicationEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "CloudApplication entity property bag.", - "properties": { - "appId": { - "description": "The technical identifier of the application.", - "readOnly": true, - "type": "integer" - }, - "appName": { - "description": "The name of the related cloud application.", - "readOnly": true, - "type": "string" - }, - "instanceName": { - "description": "The user defined instance name of the cloud application. 
It is often used to distinguish between several applications of the same type that a customer has.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "CloudError": { - "description": "Error response structure.", - "properties": { - "error": { - "$ref": "#/definitions/CloudErrorBody", - "description": "Error data", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-external": true - }, - "CloudErrorBody": { - "description": "Error details.", - "properties": { - "code": { - "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "A message describing the error, intended to be suitable for display in a user interface.", - "readOnly": true, - "type": "string" - } - }, - "type": "object", - "x-ms-external": true - }, - "DataConnector": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/DataConnectorKind" - } - ], - "description": "Data connector.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "DataConnectorsCheckRequirements": { - "description": "Data connector requirements properties.", - "properties": { - "kind": { - "$ref": "#/definitions/DataConnectorKind", - "description": "Describes the kind of connector to be checked." 
- } - }, - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "DataConnectorAuthorizationState": { - "description": "Describes the state of user's authorization for a connector kind.", - "enum": [ - "Valid", - "Invalid" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorAuthorizationState", - "values": [ - { - "value": "Valid" - }, - { - "value": "Invalid" - } - ] - } - }, - "DataConnectorLicenseState": { - "description": "Describes the state of user's license for a connector kind.", - "enum": [ - "Valid", - "Invalid", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorLicenseState", - "values": [ - { - "value": "Valid" - }, - { - "value": "Invalid" - }, - { - "value": "Unknown" - } - ] - } - }, - "DataConnectorDataTypeCommon": { - "description": "Common field for data type in data connectors.", - "properties": { - "state": { - "description": "Describe whether this data type connection is enabled or not.", - "enum": [ - "Enabled", - "Disabled" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataTypeState" - } - } - }, - "type": "object", - "required": [ - "state" - ] - }, - "DataConnectorKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the data connector", - "enum": [ - "AzureActiveDirectory", - "AzureSecurityCenter", - "MicrosoftCloudAppSecurity", - "ThreatIntelligence", - "ThreatIntelligenceTaxii", - "Office365", - "OfficeATP", - "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", - "MicrosoftDefenderAdvancedThreatProtection", - "Dynamics365", - "MicrosoftThreatProtection", - "MicrosoftThreatIntelligence" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorKind", - "values": [ - { - "value": "AzureActiveDirectory" - }, - { - "value": "AzureSecurityCenter" - }, - { - "value": 
"MicrosoftCloudAppSecurity" - }, - { - "value": "ThreatIntelligence" - }, - { - "value": "ThreatIntelligenceTaxii" - }, - { - "value": "Office365" - }, - { - "value": "OfficeATP" - }, - { - "value": "AmazonWebServicesCloudTrail" - }, - { - "value": "AzureAdvancedThreatProtection" - }, - { - "value": "MicrosoftDefenderAdvancedThreatProtection" - }, - { - "value": "Dynamics365" - }, - { - "value": "MicrosoftThreatProtection" - }, - { - "value": "MicrosoftThreatIntelligence" - } - ] - } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "DataConnectorList": { - "description": "List all the data connectors.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of data connectors.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of data connectors.", - "items": { - "$ref": "#/definitions/DataConnector" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "DataConnectorRequirementsState": { - "description": "Data connector requirements status.", - "properties": { - "authorizationState": { - "description": "Authorization state for this connector", - "$ref": "#/definitions/DataConnectorAuthorizationState" - }, - "licenseState": { - "description": "License state for this connector", - "$ref": "#/definitions/DataConnectorLicenseState" - } - }, - "type": "object" - }, - "DataConnectorTenantId": { - "description": "Properties data connector on tenant level.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - } - }, - "required": [ - "tenantId" - ], - "type": "object" - }, - "DataConnectorWithAlertsProperties": { - "description": "Data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." 
- } - }, - "type": "object" - }, - "DnsEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a dns entity.", - "properties": { - "properties": { - "$ref": "#/definitions/DnsEntityProperties", - "description": "Dns entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "DnsResolution" - }, - "DnsEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Dns entity property bag.", - "properties": { - "dnsServerIpEntityId": { - "description": "An ip entity id for the dns server resolving the request", - "readOnly": true, - "type": "string" - }, - "domainName": { - "description": "The name of the dns record associated with the alert", - "readOnly": true, - "type": "string" - }, - "hostIpAddressEntityId": { - "description": "An ip entity id for the dns request client", - "readOnly": true, - "type": "string" - }, - "ipAddressEntityIds": { - "description": "Ip entity identifiers for the resolved ip address.", - "items": { - "description": "Ip entity id", - "type": "string" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "Dynamics365DataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Dynamics365 data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/Dynamics365DataConnectorProperties", - "description": "Dynamics365 data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Dynamics365" - }, - "Dynamics365DataConnectorDataTypes": { - "description": "The available data types for Dynamics365 data connector.", - "properties": { - "dynamics365CdsActivities": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Common Data Service data type connection.", - "type": "object" - } - }, - "type": "object", - 
"required": [ - "dynamics365CdsActivities" - ] - }, - "Dynamics365DataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Dynamics365 data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "Dynamics365CheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents Dynamics365 requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/Dynamics365CheckRequirementsProperties", - "description": "Dynamics365 requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Dynamics365" - }, - "Dynamics365CheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Dynamics365 requirements check properties.", - "type": "object" - }, - "EnrichmentDomainWhois": { - "description": "Whois information for a given domain and associated metadata", - "properties": { - "domain": { - "description": "The domain for this whois record", - "type": "string" - }, - "server": { - "description": "The hostname of this registrar's whois server", - "type": "string" - }, - "created": { - "description": "The timestamp at which this record was created", - "format": "date-time", - "type": "string" - }, - "updated": { - "description": "The timestamp at which this record was last updated", - "format": "date-time", - "type": "string" - }, - "expires": { - "description": "The timestamp at which this record will expire", - "format": "date-time", - "type": "string" - }, - "parsedWhois": { - "description": "The whois record for a given domain", - "$ref": "#/definitions/EnrichmentDomainWhoisDetails" - } - } - }, - 
"EnrichmentDomainWhoisDetails": { - "description": "The whois record for a given domain", - "properties": { - "registrar": { - "description": "The registrar associated with this domain", - "$ref": "#/definitions/EnrichmentDomainWhoisRegistrarDetails" - }, - "contacts": { - "description": "The set of contacts associated with this domain", - "$ref": "#/definitions/EnrichmentDomainWhoisContacts" - }, - "nameServers": { - "description": "A list of name servers associated with this domain", - "type": "array", - "items": { - "type": "string" - } - }, - "statuses": { - "description": "The set of status flags for this whois record", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "EnrichmentDomainWhoisRegistrarDetails": { - "description": "The registrar associated with this domain", - "properties": { - "name": { - "description": "The name of this registrar", - "type": "string" - }, - "abuseContactEmail": { - "description": "This registrar's abuse contact email", - "type": "string" - }, - "abuseContactPhone": { - "description": "This registrar's abuse contact phone number", - "type": "string" - }, - "ianaId": { - "description": "This registrar's Internet Assigned Numbers Authority id", - "type": "string" - }, - "url": { - "description": "This registrar's URL", - "type": "string" - }, - "whoisServer": { - "description": "The hostname of this registrar's whois server", - "type": "string" - } - } - }, - "EnrichmentDomainWhoisContacts": { - "description": "The set of contacts associated with this domain", - "properties": { - "admin": { - "description": "The admin contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "billing": { - "description": "The billing contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "registrant": { - "description": "The registrant contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "tech": { - "description": 
"The technical contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - } - } - }, - "EnrichmentDomainWhoisContact": { - "description": "An individual contact associated with this domain", - "properties": { - "name": { - "description": "The name of this contact", - "type": "string" - }, - "org": { - "description": "The organization for this contact", - "type": "string" - }, - "street": { - "description": "A list describing the street address for this contact", - "type": "array", - "items": { - "type": "string" - } - }, - "city": { - "description": "The city for this contact", - "type": "string" - }, - "state": { - "description": "The state for this contact", - "type": "string" - }, - "postal": { - "description": "The postal code for this contact", - "type": "string" - }, - "country": { - "description": "The country for this contact", - "type": "string" - }, - "phone": { - "description": "The phone number for this contact", - "type": "string" - }, - "fax": { - "description": "The fax number for this contact", - "type": "string" - }, - "email": { - "description": "The email address for this contact", - "type": "string" - } - } - }, - "EnrichmentIpGeodata": { - "description": "Geodata information for a given IP address", - "properties": { - "asn": { - "description": "The autonomous system number associated with this IP address", - "type": "string" - }, - "carrier": { - "description": "The name of the carrier for this IP address", - "type": "string" - }, - "city": { - "description": "The city this IP address is located in", - "type": "string" - }, - "cityCf": { - "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100", - "type": "integer", - "format": "int32" - }, - "continent": { - "description": "The continent this IP address is located on", - "type": "string" - }, - "country": { - "description": "The county this IP address is located in", - "type": "string" - }, - "countryCf": 
{ - "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100", - "type": "integer", - "format": "int32" - }, - "ipAddr": { - "description": "The dotted-decimal or colon-separated string representation of the IP address", - "type": "string" - }, - "ipRoutingType": { - "description": "A description of the connection type of this IP address", - "type": "string" - }, - "latitude": { - "description": "The latitude of this IP address", - "type": "string" - }, - "longitude": { - "description": "The longitude of this IP address", - "type": "string" - }, - "organization": { - "description": "The name of the organization for this IP address", - "type": "string" - }, - "organizationType": { - "description": "The type of the organization for this IP address", - "type": "string" - }, - "region": { - "description": "The geographic region this IP address is located in", - "type": "string" - }, - "state": { - "description": "The state this IP address is located in", - "type": "string" - }, - "stateCf": { - "description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100", - "type": "integer", - "format": "int32" - }, - "stateCode": { - "description": "The abbreviated name for the state this IP address is located in", - "type": "string" - } - } - }, - "Entity": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - }, - { - "$ref": "#/definitions/EntityKind" - } - ], - "description": "Specific entity.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "EntityEdges": { - "description": "The edge that connects the entity to the other entity.", - "properties": { - "targetEntityId": { - "description": "The target entity Id.", - "type": "string" - }, - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "type": 
"object" - } - }, - "type": "object" - }, - "EntityCommonProperties": { - "description": "Entity common property bag.", - "properties": { - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "readOnly": true, - "type": "object" - }, - "friendlyName": { - "description": "The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "EntityExpandParameters": { - "description": "The parameters required to execute an expand operation on the given entity.", - "properties": { - "endTime": { - "description": "The end date filter, so the only expansion results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "expansionId": { - "description": "The Id of the expansion to perform.", - "format": "uuid", - "type": "string" - }, - "startTime": { - "description": "The start date filter, so the only expansion results returned are after this date.", - "format": "date-time", - "type": "string" - } - } - }, - "EntityTimelineParameters": { - "description": "The parameters required to execute s timeline operation on the given entity.", - "properties": { - "kinds": { - "description": "Array of timeline Item kinds.", - "items": { - "$ref": "#/definitions/EntityTimelineKind" - }, - "type": "array" - }, - "startTime": { - "description": "The start timeline date, so the results returned are after this date.", - "format": "date-time", - "type": "string" - }, - "endTime": { - "description": "The end timeline date, so the results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "numberOfBucket": { - "description": "The number of bucket for timeline queries aggregation.", - "type": "integer", - "format": "int32" - } - }, - 
"required": [ - "startTime", - "endTime" - ] - }, - "EntityExpandResponse": { - "description": "The entity expansion result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/ExpansionResultsMetadata", - "description": "The metadata from the expansion operation results." - }, - "value": { - "description": "The expansion result values.", - "properties": { - "entities": { - "description": "Array of the expansion result entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - }, - "edges": { - "description": "Array of edges that connects the entity to the list of entities.", - "items": { - "$ref": "#/definitions/EntityEdges" - }, - "type": "array" - } - }, - "type": "object" - } - } - }, - "EntityTimelineResponse": { - "description": "The entity timeline result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/TimelineResultsMetadata", - "description": "The metadata from the timeline operation results." - }, - "value": { - "description": "The timeline result values.", - "items": { - "$ref": "#/definitions/EntityTimelineItem" - }, - "type": "array" - } - } - }, - "GetQueriesResponse": { - "description": "Retrieve queries for entity result operation response.", - "properties": { - "value": { - "description": "The query result values.", - "items": { - "$ref": "#/definitions/EntityQueryItem" - }, - "type": "array" - } - } - }, - "EntityInnerKind": { - "description": "The kind of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DnsResolution", - "FileHash", - "Ip", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "Url", - "IoTDevice", - "SecurityAlert", - "Bookmark", - "Mailbox", - "MailCluster", - "MailMessage", - "SubmissionMail" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityKind", - "values": [ - { - "description": "Entity represents account in the system.", - 
"value": "Account" - }, - { - "description": "Entity represents host in the system.", - "value": "Host" - }, - { - "description": "Entity represents file in the system.", - "value": "File" - }, - { - "description": "Entity represents azure resource in the system.", - "value": "AzureResource" - }, - { - "description": "Entity represents cloud application in the system.", - "value": "CloudApplication" - }, - { - "description": "Entity represents dns resolution in the system.", - "value": "DnsResolution" - }, - { - "description": "Entity represents file hash in the system.", - "value": "FileHash" - }, - { - "description": "Entity represents ip in the system.", - "value": "Ip" - }, - { - "description": "Entity represents malware in the system.", - "value": "Malware" - }, - { - "description": "Entity represents process in the system.", - "value": "Process" - }, - { - "description": "Entity represents registry key in the system.", - "value": "RegistryKey" - }, - { - "description": "Entity represents registry value in the system.", - "value": "RegistryValue" - }, - { - "description": "Entity represents security group in the system.", - "value": "SecurityGroup" - }, - { - "description": "Entity represents url in the system.", - "value": "Url" - }, - { - "description": "Entity represents IoT device in the system.", - "value": "IoTDevice" - }, - { - "description": "Entity represents security alert in the system.", - "value": "SecurityAlert" - }, - { - "description": "Entity represents bookmark in the system.", - "value": "Bookmark" - }, - { - "description": "Entity represents mail cluster in the system.", - "value": "MailCluster" - }, - { - "description": "Entity represents mail message in the system.", - "value": "MailMessage" - }, - { - "description": "Entity represents mailbox in the system.", - "value": "Mailbox" - }, - { - "description": "Entity represents submission mail in the system.", - "value": "SubmissionMail" - } - ] - } - }, - "EntityInnerType": { - 
"description": "The type of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DNS", - "FileHash", - "IP", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "URL", - "IoTDevice", - "SecurityAlert", - "HuntingBookmark", - "MailCluster", - "MailMessage", - "Mailbox", - "SubmissionMail" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityType", - "values": [ - { - "description": "Entity represents account in the system.", - "value": "Account" - }, - { - "description": "Entity represents host in the system.", - "value": "Host" - }, - { - "description": "Entity represents file in the system.", - "value": "File" - }, - { - "description": "Entity represents azure resource in the system.", - "value": "AzureResource" - }, - { - "description": "Entity represents cloud application in the system.", - "value": "CloudApplication" - }, - { - "description": "Entity represents dns in the system.", - "value": "DNS" - }, - { - "description": "Entity represents file hash in the system.", - "value": "FileHash" - }, - { - "description": "Entity represents ip in the system.", - "value": "IP" - }, - { - "description": "Entity represents malware in the system.", - "value": "Malware" - }, - { - "description": "Entity represents process in the system.", - "value": "Process" - }, - { - "description": "Entity represents registry key in the system.", - "value": "RegistryKey" - }, - { - "description": "Entity represents registry value in the system.", - "value": "RegistryValue" - }, - { - "description": "Entity represents security group in the system.", - "value": "SecurityGroup" - }, - { - "description": "Entity represents url in the system.", - "value": "URL" - }, - { - "description": "Entity represents IoT device in the system.", - "value": "IoTDevice" - }, - { - "description": "Entity represents security alert in the system.", - "value": "SecurityAlert" - }, - { - 
"description": "Entity represents HuntingBookmark in the system.", - "value": "HuntingBookmark" - }, - { - "description": "Entity represents mail cluster in the system.", - "value": "MailCluster" - }, - { - "description": "Entity represents mail message in the system.", - "value": "MailMessage" - }, - { - "description": "Entity represents mailbox in the system.", - "value": "Mailbox" - }, - { - "description": "Entity represents submission mail in the system.", - "value": "SubmissionMail" - } - ] - } - }, - "EntityKind": { - "description": "Describes an entity with kind.", - "properties": { - "kind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the entity." - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "EntityList": { - "description": "List of all the entities.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of entities.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "EntityQueryKind": { - "description": "Describes an Entity query resource with kind.", - "properties": { - "kind": { - "description": "The kind of the entity query", - "enum": [ - "Expansion", - "Insight" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityQueryKind", - "values": [ - { - "value": "Expansion" - }, - { - "value": "Insight" - } - ] - } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "EntityQuery": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/EntityQueryKind" - } - ], - "description": "Specific entity query.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "ExpansionEntityQuery": { - "description": "Represents Expansion entity query.", - "allOf": [ - { - "$ref": "#/definitions/EntityQuery" - } - ], - "properties": 
{ - "properties": { - "$ref": "#/definitions/ExpansionEntityQueriesProperties", - "description": "Expansion entity query properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Expansion" - }, - "EntityTimelineKind": { - "description": "The entity query kind", - "enum": [ - "Activity", - "Bookmark", - "SecurityAlert" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityTimelineKind", - "values": [ - { - "description": "activity", - "value": "Activity" - }, - { - "description": "bookmarks", - "value": "Bookmark" - }, - { - "description": "security alerts", - "value": "SecurityAlert" - } - ] - } - }, - "EntityQueryList": { - "description": "List of all the entity queries.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of entity queries.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of entity queries.", - "items": { - "$ref": "#/definitions/EntityQuery" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "ExpansionEntityQueriesProperties": { - "description": "Describes expansion entity query properties", - "properties": { - "dataSources": { - "description": "List of the data sources that are required to run the query", - "items": { - "description": "data source", - "type": "string" - }, - "type": "array" - }, - "displayName": { - "description": "The query display name", - "type": "string" - }, - "inputEntityType": { - "$ref": "#/definitions/EntityInnerType", - "description": "The type of the query's source entity" - }, - "inputFields": { - "description": "List of the fields of the source entity that are required to run the query", - "items": { - "description": "input field", - "type": "string" - }, - "type": "array" - }, - "outputEntityTypes": { - "description": "List of the desired output types to be constructed from the result", - "items": { - "$ref": "#/definitions/EntityInnerType", - "description": 
"output entity type" - }, - "type": "array" - }, - "queryTemplate": { - "description": "The template query string to be parsed and formatted", - "type": "string" - } - }, - "type": "object" - }, - "ExpansionResultAggregation": { - "description": "Information of a specific aggregation in the expansion result.", - "properties": { - "aggregationType": { - "description": "The common type of the aggregation. (for e.g. entity field name)", - "type": "string" - }, - "count": { - "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", - "type": "integer" - }, - "displayName": { - "description": "The display name of the aggregation by type.", - "type": "string" - }, - "entityKind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the aggregated entity." - } - }, - "required": [ - "entityKind", - "count" - ], - "type": "object" - }, - "ExpansionResultsMetadata": { - "description": "Expansion result metadata.", - "properties": { - "aggregations": { - "description": "Information of the aggregated nodes in the expansion result.", - "items": { - "$ref": "#/definitions/ExpansionResultAggregation" - }, - "type": "array" - } - }, - "type": "object" - }, - "ConnectedEntity": { - "description": "Expansion result connected entities", - "properties": { - "targetEntityId": { - "description": "Entity Id of the connected entity", - "type": "string" - }, - "additionalData": { - "description": "key-value pairs for a connected entity mapping", - "type": "object" - } - } - }, - "TimelineResultsMetadata": { - "description": "Expansion result metadata.", - "properties": { - "totalCount": { - "description": "the total items found for the timeline request", - "type": "integer", - "format": "int32" - }, - "aggregations": { - "description": "timeline aggregation per kind", - "items": { - "$ref": "#/definitions/TimelineAggregation" - }, - "type": "array" - }, - "errors": { - "description": "information about 
the failure queries", - "items": { - "$ref": "#/definitions/TimelineError" - }, - "type": "array" - } - }, - "required": [ - "totalCount", - "aggregations" - ], - "type": "object" - }, - "TimelineError": { - "description": "Timeline Query Errors.", - "properties": { - "kind": { - "description": "the query kind", - "$ref": "#/definitions/EntityTimelineKind" - }, - "queryId": { - "description": "the query id", - "type": "string" - }, - "errorMessage": { - "description": "the error message", - "type": "string" - } - }, - "required": [ - "kind", - "errorMessage" - ], - "type": "object" - }, - "TimelineAggregation": { - "description": "timeline aggregation information per kind", - "properties": { - "count": { - "description": "the total items found for a kind", - "type": "integer", - "format": "int32" - }, - "kind": { - "description": "the query kind", - "$ref": "#/definitions/EntityTimelineKind" - } - }, - "required": [ - "kind", - "count" - ], - "type": "object" - }, - "EntityTimelineItem": { - "description": "Entity timeline Item.", - "discriminator": "kind", - "type": "object", - "properties": { - "kind": { - "$ref": "#/definitions/EntityTimelineKind", - "description": "The entity query kind type." 
- } - }, - "required": [ - "kind" - ] - }, - "FileEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file entity.", - "properties": { - "properties": { - "$ref": "#/definitions/FileEntityProperties", - "description": "File entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "File" - }, - "FileEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "File entity property bag.", - "properties": { - "directory": { - "description": "The full path to the file.", - "readOnly": true, - "type": "string" - }, - "fileHashEntityIds": { - "description": "The file hash entity identifiers associated with this file", - "items": { - "description": "file hash id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "fileName": { - "description": "The file name without path (some alerts might not include path).", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id which the file belongs to", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "FileHashEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file hash entity.", - "properties": { - "properties": { - "$ref": "#/definitions/FileHashEntityProperties", - "description": "FileHash entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "FileHash" - }, - "FileHashEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "FileHash entity property bag.", - "properties": { - "algorithm": { - "description": "The hash algorithm type.", - "enum": [ - "Unknown", - "MD5", - "SHA1", - "SHA256", - "SHA256AC" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "FileHashAlgorithm", - "values": [ - 
{ - "description": "Unknown hash algorithm", - "value": "Unknown" - }, - { - "description": "MD5 hash type", - "value": "MD5" - }, - { - "description": "SHA1 hash type", - "value": "SHA1" - }, - { - "description": "SHA256 hash type", - "value": "SHA256" - }, - { - "description": "SHA256 Authenticode hash type", - "value": "SHA256AC" - } - ] - } - }, - "hashValue": { - "description": "The file hash value.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "InsightQueryItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityQueryItem" - } - ], - "description": "Represents Insight Query.", - "properties": { - "properties": { - "description": "Properties bag for InsightQueryItem", - "$ref": "#/definitions/InsightQueryItemProperties" - } - }, - "type": "object", - "x-ms-discriminator-value": "Insight" - }, - "InsightQueryItemProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityQueryItemProperties" - } - ], - "description": "Represents Insight Query.", - "properties": { - "displayName": { - "type": "string", - "description": "The insight display name." - }, - "description": { - "type": "string", - "description": "The insight description." - }, - "baseQuery": { - "type": "string", - "description": "The base query of the insight." - }, - "tableQuery": { - "type": "object", - "description": "The insight table query.", - "properties": { - "columnsDefinitions": { - "type": "array", - "description": "List of insight column definitions.", - "items": { - "properties": { - "header": { - "type": "string", - "description": "Insight column header." - }, - "outputType": { - "type": "string", - "description": "Insights Column type.", - "enum": [ - "Number", - "String", - "Date", - "Entity" - ], - "x-ms-enum": { - "modelAsString": true, - "name": "outputType" - } - }, - "supportDeepLink": { - "type": "boolean", - "description": "Is query supports deep-link." 
- } - } - } - }, - "queriesDefinitions": { - "type": "array", - "description": "List of insight queries definitions.", - "items": { - "properties": { - "filter": { - "type": "string", - "description": "Insight column header." - }, - "summarize": { - "type": "string", - "description": "Insight column header." - }, - "project": { - "type": "string", - "description": "Insight column header." - }, - "linkColumnsDefinitions": { - "type": "array", - "description": "Insight column header.", - "items": { - "properties": { - "projectedName": { - "type": "string", - "description": "Insight Link Definition Projected Name." - }, - "Query": { - "type": "string", - "description": "Insight Link Definition Query." - } - } - } - } - } - } - } - } - }, - "chartQuery": { - "type": "object", - "description": "The insight chart query." - }, - "additionalQuery": { - "type": "object", - "description": "The activity query definitions.", - "properties": { - "query": { - "type": "string", - "description": "The insight query." - }, - "text": { - "type": "string", - "description": "The insight text." - } - } - }, - "defaultTimeRange": { - "type": "object", - "description": "The insight chart query.", - "properties": { - "beforeRange": { - "type": "string", - "description": "The padding for the start time of the query." - }, - "afterRange": { - "type": "string", - "description": "The padding for the end time of the query." - } - } - }, - "referenceTimeRange": { - "type": "object", - "description": "The insight chart query.", - "properties": { - "beforeRange": { - "type": "string", - "description": "Additional query time for looking back." - } - } - } - }, - "type": "object", - "x-ms-discriminator-value": "Insight" - }, - "ActivityTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents Activity timeline item.", - "properties": { - "queryId": { - "type": "string", - "description": "The activity query id." 
- }, - "bucketStartTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The grouping bucket start time." - }, - "bucketEndTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The grouping bucket end time." - }, - "firstActivityTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The time of the first activity in the grouping bucket." - }, - "lastActivityTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The time of the last activity in the grouping bucket." - }, - "content": { - "type": "string", - "description": "The activity timeline content." - }, - "title": { - "type": "string", - "description": "The activity timeline title." - } - }, - "required": [ - "queryId", - "bucketStartTimeUTC", - "bucketEndTimeUTC", - "firstActivityTimeUTC", - "lastActivityTimeUTC", - "content", - "title" - ], - "type": "object", - "x-ms-discriminator-value": "Activity" - }, - "SecurityAlertTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents security alert timeline item.", - "properties": { - "azureResourceId": { - "type": "string", - "description": "The alert azure resource id." - }, - "productName": { - "type": "string", - "description": "The alert product name." - }, - "description": { - "type": "string", - "description": "The alert description." - }, - "displayName": { - "type": "string", - "description": "The alert name." - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The alert severity." - }, - "endTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The alert end time." - }, - "startTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The alert start time." - }, - "timeGenerated": { - "format": "date-time", - "type": "string", - "description": "The alert generated time." 
- }, - "alertType": { - "type": "string", - "description": "The name of the alert type." - } - }, - "required": [ - "azureResourceId", - "displayName", - "severity", - "endTimeUtc", - "startTimeUtc", - "timeGenerated", - "alertType" - ], - "type": "object", - "x-ms-discriminator-value": "SecurityAlert" - }, - "BookmarkTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents bookmark timeline item.", - "properties": { - "azureResourceId": { - "type": "string", - "description": "The bookmark azure resource id." - }, - "displayName": { - "type": "string", - "description": "The bookmark display name." - }, - "notes": { - "type": "string", - "description": "The notes of the bookmark" - }, - "endTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The bookmark end time." - }, - "startTimeUtc": { - "format": "date-time", - "type": "string", - "description": "TThe bookmark start time." - }, - "eventTime": { - "format": "date-time", - "type": "string", - "description": "The bookmark event time." 
- }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - } - }, - "required": [ - "azureResourceId" - ], - "type": "object", - "x-ms-discriminator-value": "Bookmark" - }, - "FusionAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents Fusion alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/FusionAlertRuleProperties", - "description": "Fusion alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "FusionAlertRuleProperties": { - "description": "Fusion alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "readOnly": true, - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], - "type": "object" - }, - "FusionAlertRuleTemplate": { - 
"allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents Fusion alert rule template.", - "properties": { - "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "Fusion alert rule template properties", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "ThreatIntelligenceAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents Threat Intelligence alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties", - "description": "Threat Intelligence alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "ThreatIntelligenceAlertRuleProperties": { - "description": "Threat Intelligence alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "readOnly": true, - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been 
modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], - "type": "object" - }, - "ThreatIntelligenceAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents Threat Intelligence alert rule template.", - "properties": { - "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "Threat Intelligence alert rule template properties", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." 
- }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "GeoLocation": { - "description": "The geo-location context attached to the ip entity", - "properties": { - "asn": { - "description": "Autonomous System Number", - "readOnly": true, - "type": "integer" - }, - "city": { - "description": "City name", - "readOnly": true, - "type": "string" - }, - "countryCode": { - "description": "The country code according to ISO 3166 format", - "readOnly": true, - "type": "string" - }, - "countryName": { - "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", - "readOnly": true, - "type": "string" - }, - "latitude": { - "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "longitude": { - "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. 
Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "state": { - "description": "State name", - "readOnly": true, - "type": "string" - } - }, - "readOnly": true, - "type": "object" - }, - "HostEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a host entity.", - "properties": { - "properties": { - "$ref": "#/definitions/HostEntityProperties", - "description": "Host entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Host" - }, - "HostEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Host entity property bag.", - "properties": { - "azureID": { - "description": "The azure resource id of the VM.", - "readOnly": true, - "type": "string" - }, - "dnsDomain": { - "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain", - "readOnly": true, - "type": "string" - }, - "hostName": { - "description": "The hostname without the domain suffix.", - "readOnly": true, - "type": "string" - }, - "isDomainJoined": { - "description": "Determines whether this host belongs to a domain.", - "readOnly": true, - "type": "boolean" - }, - "netBiosName": { - "description": "The host name (pre-windows2000).", - "readOnly": true, - "type": "string" - }, - "ntDomain": { - "description": "The NT domain that this host belongs to.", - "readOnly": true, - "type": "string" - }, - "omsAgentID": { - "description": "The OMS agent id, if the host has OMS agent installed.", - "readOnly": true, - "type": "string" - }, - "osFamily": { - "description": "The operating system type.", - "enum": [ - "Linux", - "Windows", - "Android", - "IOS", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "OSFamily", - "values": [ - { - "description": "Host with Linux operating 
system.", - "value": "Linux" - }, - { - "description": "Host with Windows operating system.", - "value": "Windows" - }, - { - "description": "Host with Android operating system.", - "value": "Android" - }, - { - "description": "Host with IOS operating system.", - "value": "IOS" - }, - { - "description": "Host with Unknown operating system.", - "value": "Unknown" - } - ] - } - }, - "osVersion": { - "description": "A free text representation of the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "Incident": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentProperties", - "description": "Incident properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "HuntingBookmark": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a Hunting bookmark entity.", - "properties": { - "properties": { - "$ref": "#/definitions/HuntingBookmarkProperties", - "description": "HuntingBookmark entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Bookmark" - }, - "HuntingBookmarkProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Describes bookmark properties", - "properties": { - "created": { - "description": "The time the bookmark was created", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" - }, - "eventTime": { - "description": "The time of the 
event", - "format": "date-time", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" - }, - "query": { - "description": "The query of the bookmark.", - "type": "string" - }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" - }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" - }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" - } - }, - "required": [ - "displayName", - "query" - ], - "type": "object" - }, - "IncidentAdditionalData": { - "description": "Incident additional data property bag.", - "properties": { - "alertsCount": { - "description": "The number of alerts in the incident", - "readOnly": true, - "type": "integer" - }, - "bookmarksCount": { - "description": "The number of bookmarks in the incident", - "readOnly": true, - "type": "integer" - }, - "commentsCount": { - "description": "The number of comments in the incident", - "readOnly": true, - "type": "integer" - }, - "alertProductNames": { - "description": "List of product names of alerts in the incident", - "items": { - "description": "Alert product name", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "tactics": { - "description": "The tactics associated with incident", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "IncidentAlertList": { - "description": "List of incident alerts.", - "properties": { - "value": { - "description": "Array of incident alerts.", - 
"type": "array", - "items": { - "$ref": "#/definitions/SecurityAlert" - } - } - }, - "required": [ - "value" - ] - }, - "IncidentBookmarkList": { - "description": "List of incident bookmarks.", - "properties": { - "value": { - "description": "Array of incident bookmarks.", - "type": "array", - "items": { - "$ref": "#/definitions/HuntingBookmark" - } - } - }, - "required": [ - "value" - ] - }, - "IncidentComment": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident comment", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentCommentProperties", - "description": "Incident comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "IncidentCommentList": { - "description": "List of incident comments.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/IncidentComment" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "IncidentCommentProperties": { - "description": "Incident comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "lastModifiedTimeUtc": { - "description": "The time the comment was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "The comment message", - "type": "string" - }, - "author": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that created the comment", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "IncidentEntitiesResponse": { - "description": "The incident related entities response.", - "properties": { - "entities": { - "description": "Array of the incident related 
entities.", - "type": "array", - "items": { - "$ref": "#/definitions/Entity" - } - }, - "metaData": { - "description": "The metadata from the incident related entities results.", - "type": "array", - "items": { - "$ref": "#/definitions/IncidentEntitiesResultsMetadata" - } - } - } - }, - "IncidentEntitiesResultsMetadata": { - "description": "Information of a specific aggregation in the incident related entities result.", - "properties": { - "count": { - "description": "Total number of aggregations of the given kind in the incident related entities result.", - "type": "integer", - "format": "int32" - }, - "entityKind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the aggregated entity." - } - }, - "required": [ - "entityKind", - "count" - ], - "type": "object" - }, - "IncidentLabel": { - "description": "Represents an incident label", - "properties": { - "labelName": { - "description": "The name of the label", - "type": "string" - }, - "labelType": { - "description": "The type of the label", - "enum": [ - "User", - "System" - ], - "type": "string", - "readOnly": true, - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentLabelType", - "values": [ - { - "description": "Label manually created by a user", - "value": "User" - }, - { - "description": "Label automatically created by the system", - "value": "System" - } - ] - } - } - }, - "required": [ - "labelName" - ], - "type": "object" - }, - "IncidentList": { - "description": "List all the incidents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of incidents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of incidents.", - "items": { - "$ref": "#/definitions/Incident" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "IncidentOwnerInfo": { - "description": "Information on the user an incident is assigned to", - "properties": { - "email": { - "description": "The email of the user the incident is 
assigned to.", - "type": "string" - }, - "assignedTo": { - "description": "The name of the user the incident is assigned to.", - "type": "string" - }, - "objectId": { - "description": "The object id of the user the incident is assigned to.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the user the incident is assigned to.", - "type": "string" - } - }, - "type": "object" - }, - "IncidentClassification": { - "description": "The reason the incident was closed", - "enum": [ - "Undetermined", - "TruePositive", - "BenignPositive", - "FalsePositive" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassification", - "values": [ - { - "description": "Incident classification was undetermined", - "value": "Undetermined" - }, - { - "description": "Incident was true positive", - "value": "TruePositive" - }, - { - "description": "Incident was benign positive", - "value": "BenignPositive" - }, - { - "description": "Incident was false positive", - "value": "FalsePositive" - } - ] - } - }, - "IncidentClassificationReason": { - "description": "The classification reason the incident was closed with", - "enum": [ - "SuspiciousActivity", - "SuspiciousButExpected", - "IncorrectAlertLogic", - "InaccurateData" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassificationReason", - "values": [ - { - "description": "Classification reason was suspicious activity", - "value": "SuspiciousActivity" - }, - { - "description": "Classification reason was suspicious but expected", - "value": "SuspiciousButExpected" - }, - { - "description": "Classification reason was incorrect alert logic", - "value": "IncorrectAlertLogic" - }, - { - "description": "Classification reason was inaccurate data", - "value": "InaccurateData" - } - ] - } - }, - "IncidentSeverity": { - "description": "The severity of the incident", - "enum": [ - "High", - "Medium", - "Low", - 
"Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "IncidentStatus": { - "description": "The status of the incident", - "enum": [ - "New", - "Active", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentStatus", - "values": [ - { - "description": "An active incident which isn't being handled currently", - "value": "New" - }, - { - "description": "An active incident which is being handled", - "value": "Active" - }, - { - "description": "A non-active incident", - "value": "Closed" - } - ] - } - }, - "IncidentProperties": { - "description": "Describes incident properties", - "properties": { - "additionalData": { - "$ref": "#/definitions/IncidentAdditionalData", - "description": "Additional data on the incident", - "readOnly": true, - "type": "object" - }, - "classification": { - "$ref": "#/definitions/IncidentClassification", - "description": "The reason the incident was closed" - }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "$ref": "#/definitions/IncidentClassificationReason", - "description": "The classification reason the incident was closed with" - }, - "createdTimeUtc": { - "description": "The time the incident was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the incident", - "type": "string" - }, - "firstActivityTimeUtc": { - "description": "The time of the first activity in the incident", - "format": "date-time", - "type": "string" - }, - "incidentUrl": { - "description": "The 
deep-link url to the incident in Azure portal", - "readOnly": true, - "type": "string" - }, - "incidentNumber": { - "description": "A sequential number", - "readOnly": true, - "type": "integer" - }, - "labels": { - "description": "List of labels relevant to this incident", - "items": { - "$ref": "#/definitions/IncidentLabel" - }, - "type": "array" - }, - "providerName": { - "description": "The name of the source provider that generated the incident", - "type": "string" - }, - "providerIncidentId": { - "description": "The incident ID assigned by the incident provider", - "type": "string" - }, - "lastActivityTimeUtc": { - "description": "The time of the last activity in the incident", - "format": "date-time", - "type": "string" - }, - "lastModifiedTimeUtc": { - "description": "The last time the incident was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "owner": { - "$ref": "#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "relatedAnalyticRuleIds": { - "description": "List of resource ids of Analytic rules related to the incident", - "items": { - "description": "Related Analytic rule resource id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "severity": { - "$ref": "#/definitions/IncidentSeverity", - "description": "The severity of the incident" - }, - "status": { - "$ref": "#/definitions/IncidentStatus", - "description": "The status of the incident" - }, - "title": { - "description": "The title of the incident", - "type": "string" - } - }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "IpEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an ip entity.", - "properties": { - "properties": { - "$ref": "#/definitions/IpEntityProperties", - "description": "Ip entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - 
"x-ms-discriminator-value": "Ip" - }, - "IpEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Ip entity property bag.", - "properties": { - "address": { - "description": "The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6)", - "readOnly": true, - "type": "string" - }, - "location": { - "$ref": "#/definitions/GeoLocation", - "description": "The geo-location context attached to the ip entity" - }, - "threatIntelligence": { - "description": "A list of TI contexts attached to the ip entity.", - "items": { - "$ref": "#/definitions/ThreatIntelligence" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "Label": { - "description": "Label that will be used to tag and filter on.", - "type": "string" - }, - "MailboxEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a mailbox entity.", - "properties": { - "properties": { - "$ref": "#/definitions/MailboxEntityProperties", - "description": "Mailbox entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Mailbox" - }, - "MailboxEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Mailbox entity property bag.", - "properties": { - "mailboxPrimaryAddress": { - "description": "The mailbox's primary address", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The mailbox's display name", - "readOnly": true, - "type": "string" - }, - "upn": { - "description": "The mailbox's UPN", - "readOnly": true, - "type": "string" - }, - "externalDirectoryObjectId": { - "description": "The AzureAD identifier of mailbox. 
Similar to AadUserId in account entity but this property is specific to mailbox object on office side", - "format": "uuid", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "MailClusterEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a mail cluster entity.", - "properties": { - "properties": { - "$ref": "#/definitions/MailClusterEntityProperties", - "description": "Mail cluster entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MailCluster" - }, - "MailClusterEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Mail cluster entity property bag.", - "properties": { - "networkMessageIds": { - "description": "The mail message IDs that are part of the mail cluster", - "items": { - "description": "A mail message ID", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "countByDeliveryStatus": { - "description": "Count of mail messages by DeliveryStatus string representation", - "readOnly": true, - "type": "object" - }, - "countByThreatType": { - "description": "Count of mail messages by ThreatType string representation", - "readOnly": true, - "type": "object" - }, - "countByProtectionStatus": { - "description": "Count of mail messages by ProtectionStatus string representation", - "readOnly": true, - "type": "object" - }, - "threats": { - "description": "The threats of mail messages that are part of the mail cluster", - "items": { - "description": "A threat", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "query": { - "description": "The query that was used to identify the messages of the mail cluster", - "readOnly": true, - "type": "string" - }, - "queryTime": { - "description": "The query time", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "mailCount": { - "description": "The number of mail messages that are part 
of the mail cluster", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "isVolumeAnomaly": { - "description": "Is this a volume anomaly mail cluster", - "readOnly": true, - "type": "boolean" - }, - "source": { - "description": "The source of the mail cluster (default is 'O365 ATP')", - "readOnly": true, - "type": "string" - }, - "clusterSourceIdentifier": { - "description": "The id of the cluster source", - "readOnly": true, - "type": "string" - }, - "clusterSourceType": { - "description": "The type of the cluster source", - "readOnly": true, - "type": "string" - }, - "clusterQueryStartTime": { - "description": "The cluster query start time", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "clusterQueryEndTime": { - "description": "The cluster query end time", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "clusterGroup": { - "description": "The cluster group", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "MailMessageEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a mail message entity.", - "properties": { - "properties": { - "$ref": "#/definitions/MailMessageEntityProperties", - "description": "Mail message entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MailMessage" - }, - "MailMessageEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Mail message entity property bag.", - "properties": { - "fileEntityIds": { - "description": "The File entity ids of this mail message's attachments", - "items": { - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "recipient": { - "description": "The recipient of this mail message. 
Note that in case of multiple recipients the mail message is forked and each copy has one recipient", - "readOnly": true, - "type": "string" - }, - "urls": { - "description": "The Urls contained in this mail message", - "items": { - "description": "A Url contained in this mail message", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "threats": { - "description": "The threats of this mail message", - "items": { - "description": "A threat of the mail message", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "p1Sender": { - "description": "The p1 sender's email address", - "readOnly": true, - "type": "string" - }, - "p1SenderDisplayName": { - "description": "The p1 sender's display name", - "readOnly": true, - "type": "string" - }, - "p1SenderDomain": { - "description": "The p1 sender's domain", - "readOnly": true, - "type": "string" - }, - "senderIP": { - "description": "The sender's IP address", - "readOnly": true, - "type": "string" - }, - "p2Sender": { - "description": "The p2 sender's email address", - "readOnly": true, - "type": "string" - }, - "p2SenderDisplayName": { - "description": "The p2 sender's display name", - "readOnly": true, - "type": "string" - }, - "p2SenderDomain": { - "description": "The p2 sender's domain", - "readOnly": true, - "type": "string" - }, - "receiveDate": { - "description": "The receive date of this message", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "networkMessageId": { - "description": "The network message id of this mail message", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "internetMessageId": { - "description": "The internet message id of this mail message", - "readOnly": true, - "type": "string" - }, - "subject": { - "description": "The subject of this mail message", - "readOnly": true, - "type": "string" - }, - "language": { - "description": "The language of this mail message", - "readOnly": true, - "type": "string" - }, - 
"threatDetectionMethods": { - "description": "The threat detection methods", - "items": { - "description": "A threat detection method", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "bodyFingerprintBin1": { - "description": "The bodyFingerprintBin1", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin2": { - "description": "The bodyFingerprintBin2", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin3": { - "description": "The bodyFingerprintBin3", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin4": { - "description": "The bodyFingerprintBin4", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin5": { - "description": "The bodyFingerprintBin5", - "type": "integer", - "format": "int32" - }, - "antispamDirection": { - "description": "The directionality of this mail message", - "enum": [ - "Unknown", - "Inbound", - "Outbound", - "Intraorg" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AntispamMailDirection", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "Inbound", - "value": "Inbound" - }, - { - "description": "Outbound", - "value": "Outbound" - }, - { - "description": "Intraorg", - "value": "Intraorg" - } - ] - } - }, - "deliveryAction": { - "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", - "enum": [ - "Unknown", - "DeliveredAsSpam", - "Delivered", - "Blocked", - "Replaced" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "DeliveryAction", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "DeliveredAsSpam", - "value": "DeliveredAsSpam" - }, - { - "description": "Delivered", - "value": "Delivered" - }, - { - "description": "Blocked", - "value": "Blocked" - }, - { - "description": "Replaced", - "value": "Replaced" - } - ] - } - }, - "deliveryLocation": { - "description": "The delivery 
location of this mail message like Inbox, JunkFolder etc", - "enum": [ - "Unknown", - "Inbox", - "JunkFolder", - "DeletedFolder", - "Quarantine", - "External", - "Failed", - "Dropped", - "Forwarded" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "DeliveryLocation", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "Inbox", - "value": "Inbox" - }, - { - "description": "JunkFolder", - "value": "JunkFolder" - }, - { - "description": "DeletedFolder", - "value": "DeletedFolder" - }, - { - "description": "Quarantine", - "value": "Quarantine" - }, - { - "description": "External", - "value": "External" - }, - { - "description": "Failed", - "value": "Failed" - }, - { - "description": "Dropped", - "value": "Dropped" - }, - { - "description": "Forwarded", - "value": "Forwarded" - } - ] - } - } - }, - "type": "object" - }, - "SubmissionMailEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a submission mail entity.", - "properties": { - "properties": { - "$ref": "#/definitions/SubmissionMailEntityProperties", - "description": "Submission mail entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SubmissionMail" - }, - "SubmissionMailEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Submission mail entity property bag.", - "properties": { - "networkMessageId": { - "description": "The network message id of email to which submission belongs", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submissionId": { - "description": "The submission id", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submitter": { - "description": "The submitter", - "readOnly": true, - "type": "string" - }, - "submissionDate": { - "description": "The submission date", - "format": "date-time", - "readOnly": true, - "type": "string" 
- }, - "timestamp": { - "description": "The Time stamp when the message is received (Mail)", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "recipient": { - "description": "The recipient of the mail", - "readOnly": true, - "type": "string" - }, - "sender": { - "description": "The sender of the mail", - "readOnly": true, - "type": "string" - }, - "senderIp": { - "description": "The sender's IP", - "readOnly": true, - "type": "string" - }, - "subject": { - "description": "The subject of submission mail", - "readOnly": true, - "type": "string" - }, - "reportType": { - "description": "The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "MCASDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MCASDataConnectorProperties", - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" - }, - "MCASDataConnectorDataTypes": { - "allOf": [ - { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + "kind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the entity." 
} + }, + "required": [ + "kind" ], - "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "type": "object" + }, + "EntityQueryKind": { + "description": "Describes an Entity query resource with kind.", "properties": { - "discoveryLogs": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } + "kind": { + "description": "The kind of the entity query", + "enum": [ + "Expansion", + "Insight" ], - "description": "Discovery log data type connection.", - "type": "object" + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityQueryKind", + "values": [ + { + "value": "Expansion" + }, + { + "value": "Insight" + } + ] + } } }, + "required": [ + "kind" + ], "type": "object" }, - "MCASDataConnectorProperties": { + "EntityQuery": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/EntityQueryKind" } ], - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MCASDataConnectorDataTypes", - "description": "The available data types for the connector." 
- } - }, + "description": "Specific entity query.", + "discriminator": "kind", + "type": "object", "required": [ - "dataTypes" - ], - "type": "object" + "kind" + ] }, - "MCASCheckRequirements": { + "ExpansionEntityQuery": { + "description": "Represents Expansion entity query.", "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/definitions/EntityQuery" } ], - "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", "properties": { "properties": { - "$ref": "#/definitions/MCASCheckRequirementsProperties", - "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "$ref": "#/definitions/ExpansionEntityQueriesProperties", + "description": "Expansion entity query properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" - }, - "MCASCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", - "type": "object" + "x-ms-discriminator-value": "Expansion" }, - "MDATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "EntityQueryList": { + "description": "List of all the entity queries.", "properties": { - "properties": { - "$ref": "#/definitions/MDATPDataConnectorProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true + "nextLink": { + "description": "URL to fetch the next set of entity queries.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entity queries.", + "items": { + "$ref": "#/definitions/EntityQuery" + }, + "type": "array" } }, - "type": "object", - "x-ms-discriminator-value": 
"MicrosoftDefenderAdvancedThreatProtection" + "required": [ + "value" + ] }, - "MDATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "ExpansionResultAggregation": { + "description": "Information of a specific aggregation in the expansion result.", + "properties": { + "aggregationType": { + "description": "The common type of the aggregation. (for e.g. entity field name)", + "type": "string" }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" + "count": { + "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", + "type": "integer" + }, + "displayName": { + "description": "The display name of the aggregation by type.", + "type": "string" + }, + "entityKind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." } + }, + "required": [ + "entityKind", + "count" ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", "type": "object" }, - "MDATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", + "ExpansionResultsMetadata": { + "description": "Expansion result metadata.", "properties": { - "properties": { - "$ref": "#/definitions/MDATPCheckRequirementsProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": true + "aggregations": { + "description": "Information of the aggregated nodes in the expansion result.", + "items": { + "$ref": "#/definitions/ExpansionResultAggregation" + }, + "type": "array" } }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + "type": "object" }, - "MDATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": 
"#/definitions/DataConnectorTenantId" + "ExpansionEntityQueriesProperties": { + "description": "Describes expansion entity query properties", + "properties": { + "dataSources": { + "description": "List of the data sources that are required to run the query", + "items": { + "description": "data source", + "type": "string" + }, + "type": "array" + }, + "displayName": { + "description": "The query display name", + "type": "string" + }, + "inputEntityType": { + "$ref": "#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "inputFields": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "input field", + "type": "string" + }, + "type": "array" + }, + "outputEntityTypes": { + "description": "List of the desired output types to be constructed from the result", + "items": { + "$ref": "#/definitions/EntityInnerType", + "description": "output entity type" + }, + "type": "array" + }, + "queryTemplate": { + "description": "The template query string to be parsed and formatted", + "type": "string" } - ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + }, "type": "object" }, - "MalwareEntity": { + "ConnectedEntity": { + "description": "Expansion result connected entities", + "properties": { + "targetEntityId": { + "description": "Entity Id of the connected entity", + "type": "string" + }, + "additionalData": { + "description": "key-value pairs for a connected entity mapping", + "type": "object" + } + } + }, + "FileEntity": { "allOf": [ { "$ref": "#/definitions/Entity" } ], - "description": "Represents a malware entity.", + "description": "Represents a file entity.", "properties": { "properties": { - "$ref": "#/definitions/MalwareEntityProperties", + "$ref": "#/definitions/FileEntityProperties", "description": "File entity properties", "x-ms-client-flatten": true } }, "type": "object", - 
"x-ms-discriminator-value": "Malware" + "x-ms-discriminator-value": "File" }, - "MalwareEntityProperties": { + "FileEntityProperties": { "allOf": [ { "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Malware entity property bag.", + "description": "File entity property bag.", "properties": { - "category": { - "description": "The malware category by the vendor, e.g. Trojan", + "directory": { + "description": "The full path to the file.", "readOnly": true, "type": "string" }, - "fileEntityIds": { - "description": "List of linked file entity identifiers on which the malware was found", + "fileHashEntityIds": { + "description": "The file hash entity identifiers associated with this file", "items": { - "description": "file entity id", + "description": "file hash id", "type": "string" }, "readOnly": true, "type": "array" }, - "malwareName": { - "description": "The malware name by the vendor, e.g. Win32/Toga!rfn", + "fileName": { + "description": "The file name without path (some alerts might not include path).", "readOnly": true, "type": "string" }, - "processEntityIds": { - "description": "List of linked process entity identifiers on which the malware was found.", - "items": { - "description": "process entity id", - "type": "string" - }, + "hostEntityId": { + "description": "The Host entity id which the file belongs to", "readOnly": true, - "type": "array" + "type": "string" } }, "type": "object" }, - "MicrosoftSecurityIncidentCreationAlertRule": { + "FileHashEntity": { "allOf": [ { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/Entity" } ], - "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "description": "Represents a file hash entity.", "properties": { "properties": { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", - "description": "MicrosoftSecurityIncidentCreation rule properties", + "$ref": "#/definitions/FileHashEntityProperties", + "description": "FileHash entity properties", 
"x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + "x-ms-discriminator-value": "FileHash" }, - "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { - "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "FileHashEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "FileHash entity property bag.", "properties": { - "displayNamesFilter": { - "description": "the alerts' displayNames on which the cases will be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "displayNamesExcludeFilter": { - "description": "the alerts' displayNames on which the cases will not be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "productFilter": { - "description": "The alerts' productName on which the cases will be generated", + "algorithm": { + "description": "The hash algorithm type.", "enum": [ - "Microsoft Cloud App Security", - "Azure Security Center", - "Azure Advanced Threat Protection", - "Azure Active Directory Identity Protection", - "Azure Security Center for IoT", - "Office 365 Advanced Threat Protection", - "Microsoft Defender Advanced Threat Protection" + "Unknown", + "MD5", + "SHA1", + "SHA256", + "SHA256AC" ], + "readOnly": true, "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "MicrosoftSecurityProductName" + "name": "FileHashAlgorithm", + "values": [ + { + "description": "Unknown hash algorithm", + "value": "Unknown" + }, + { + "description": "MD5 hash type", + "value": "MD5" + }, + { + "description": "SHA1 hash type", + "value": "SHA1" + }, + { + "description": "SHA256 hash type", + "value": "SHA256" + }, + { + "description": "SHA256 Authenticode hash type", + "value": "SHA256AC" + } + ] } }, - "severitiesFilter": { - "description": "the alerts' severities on which the cases will be generated", - "items": { - "$ref": 
"#/definitions/AlertSeverity" - }, - "type": "array" + "hashValue": { + "description": "The file hash value.", + "readOnly": true, + "type": "string" } }, - "required": [ - "productFilter" - ], "type": "object" }, - "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "FusionAlertRule": { "allOf": [ { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + "$ref": "#/definitions/AlertRule" } ], - "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "description": "Represents Fusion alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", "properties": { "alertRuleTemplateName": { "description": "The Name of the alert rule template used to create this rule.", @@ -10112,10 +4611,12 @@ }, "description": { "description": "The description of the alert rule.", + "readOnly": true, "type": "string" }, "displayName": { "description": "The display name for alerts created by this alert rule.", + "readOnly": true, "type": "string" }, "enabled": { 
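Review bot: The `"readOnly": true` added to `description` and `displayName` in this hunk is not reflected in their description strings, which still read as if a client supplies the value on PUT; consider `"description": "The description of the alert rule. Read-only; populated by the service (presumably from the template named by alertRuleTemplateName)."` and the matching wording for `displayName`. The enclosing definition, `FusionAlertRuleProperties`, begins in the preceding hunk and continues in the following one, where `severity` and `tactics` receive the same flag and `displayName` is dropped from `required`, which keeps the schema consistent with the Swagger 2.0 guidance that read-only properties should not be required. The later `ThreatIntelligenceAlertRuleProperties` definition repeats the same read-only properties with the same unchanged descriptions and would benefit from the same wording.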
@@ -10127,1944 +4628,3017 @@ "format": "date-time", "readOnly": true, "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" } }, "required": [ - "displayName", - "enabled", - "productFilter" + "alertRuleTemplateName", + "enabled" ], "type": "object" }, - "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "FusionAlertRuleTemplate": { "allOf": [ { "$ref": "#/definitions/AlertRuleTemplate" } ], - "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "description": "Represents Fusion alert rule template.", "properties": { "properties": { "allOf": [ { "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - }, - { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" } ], - "description": "MicrosoftSecurityIncidentCreation rule template properties", + "description": "Fusion alert rule template properties", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." 
+ }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, "required": [ "displayName", "description", - "createdDateUTC", "status", - "alertRulesCreatedByTemplateCount", - "productFilter" + "severity", + "alertRulesCreatedByTemplateCount" ], "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + "x-ms-discriminator-value": "Fusion" }, - "OfficeATPDataConnector": { + "ThreatIntelligenceAlertRule": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/AlertRule" } ], - "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", + "description": "Represents Threat Intelligence alert rule.", "properties": { "properties": { - "$ref": "#/definitions/OfficeATPDataConnectorProperties", - "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties", + "description": "Threat Intelligence alert rule properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "OfficeATP" - }, - "OfficeATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", - "type": "object" + "x-ms-discriminator-value": "ThreatIntelligence" }, - "OfficeATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", + "ThreatIntelligenceAlertRuleProperties": { + "description": "Threat Intelligence alert rule base property bag.", "properties": { - "properties": { - "$ref": 
"#/definitions/OfficeATPCheckRequirementsProperties", - "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": true + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" } }, - "type": "object", - "x-ms-discriminator-value": "OfficeATP" - }, - "OfficeATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } + "required": [ + "alertRuleTemplateName", + "enabled" ], - "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", "type": "object" }, - "OfficeConsent": { + "ThreatIntelligenceAlertRuleTemplate": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "#/definitions/AlertRuleTemplate" } ], - "description": "Consent for Office365 tenant that already made.", + "description": "Represents Threat Intelligence alert rule template.", "properties": { "properties": { - "$ref": "#/definitions/OfficeConsentProperties", - "description": "Office consent properties", + "allOf": [ + { + "$ref": 
"#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "Threat Intelligence alert rule template properties", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], "x-ms-client-flatten": true } }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" }, - "OfficeConsentList": { - "description": "List of all the office365 consents.", + "GeoLocation": { + "description": "The geo-location context attached to the ip entity", "properties": { - "nextLink": { - "description": "URL to fetch the next set of office consents.", + "asn": { + "description": "Autonomous System Number", + "readOnly": true, + "type": "integer" + }, + "city": { + "description": "City name", "readOnly": true, "type": "string" }, - "value": { - "description": "Array of the consents.", - "items": { - "$ref": "#/definitions/OfficeConsent" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "OfficeConsentProperties": { - "description": "Consent property bag.", - "properties": { - "tenantId": { - "description": "The tenantId of the Office365 with the consent.", + "countryCode": { + "description": "The country code according to ISO 3166 format", + "readOnly": true, + "type": "string" + }, + "countryName": { + "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", + "readOnly": true, "type": "string" }, - "consentId": { - "description": "Help to easily cascade among the data layers.", + "latitude": { + "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, 
with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "longitude": { + "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "state": { + "description": "State name", + "readOnly": true, "type": "string" } }, + "readOnly": true, "type": "object" }, - "OfficeDataConnector": { + "HostEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Entity" } ], - "description": "Represents office data connector.", + "description": "Represents a host entity.", "properties": { "properties": { - "$ref": "#/definitions/OfficeDataConnectorProperties", - "description": "Office data connector properties.", + "$ref": "#/definitions/HostEntityProperties", + "description": "Host entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "Office365" + "x-ms-discriminator-value": "Host" }, - "OfficeDataConnectorDataTypes": { - "description": "The available data types for office data connector.", + "HostEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Host entity property bag.", "properties": { - "exchange": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Exchange data type connection.", - "type": "object" + "azureID": { + "description": "The azure resource id of the VM.", + "readOnly": true, + "type": "string" }, - "sharePoint": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "SharePoint data type connection.", - 
"type": "object" + "dnsDomain": { + "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain", + "readOnly": true, + "type": "string" }, - "teams": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } + "hostName": { + "description": "The hostname without the domain suffix.", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this host belongs to a domain.", + "readOnly": true, + "type": "boolean" + }, + "netBiosName": { + "description": "The host name (pre-windows2000).", + "readOnly": true, + "type": "string" + }, + "ntDomain": { + "description": "The NT domain that this host belongs to.", + "readOnly": true, + "type": "string" + }, + "omsAgentID": { + "description": "The OMS agent id, if the host has OMS agent installed.", + "readOnly": true, + "type": "string" + }, + "osFamily": { + "description": "The operating system type.", + "enum": [ + "Linux", + "Windows", + "Android", + "IOS", + "Unknown" ], - "description": "Teams data type connection.", - "type": "object" + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "OSFamily", + "values": [ + { + "description": "Host with Linux operating system.", + "value": "Linux" + }, + { + "description": "Host with Windows operating system.", + "value": "Windows" + }, + { + "description": "Host with Android operating system.", + "value": "Android" + }, + { + "description": "Host with IOS operating system.", + "value": "IOS" + }, + { + "description": "Host with Unknown operating system.", + "value": "Unknown" + } + ] + } + }, + "osVersion": { + "description": "A free text representation of the operating system. 
This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", + "readOnly": true, + "type": "string" } }, - "type": "object", - "required": [ - "exchange", - "sharePoint", - "teams" - ] + "type": "object" }, - "OfficeDataConnectorProperties": { + "Incident": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/ResourceWithEtag" } ], - "description": "Office data connector properties.", + "description": "Represents an incident in Azure Security Insights.", "properties": { - "dataTypes": { - "$ref": "#/definitions/OfficeDataConnectorDataTypes", - "description": "The available data types for the connector." + "properties": { + "$ref": "#/definitions/IncidentProperties", + "description": "Incident properties", + "x-ms-client-flatten": true } }, - "required": [ - "dataTypes" - ], "type": "object" }, - "Operation": { - "description": "Operation provided by provider", - "properties": { - "display": { - "description": "Properties of the operation", - "properties": { - "description": { - "description": "Description of the operation", - "type": "string" - }, - "operation": { - "description": "Operation name", - "type": "string" - }, - "provider": { - "description": "Provider name", - "type": "string" - }, - "resource": { - "description": "Resource name", - "type": "string" - } - }, - "type": "object" - }, - "name": { - "description": "Name of the operation", - "type": "string" - }, - "origin": { - "description": "The origin of the operation", - "type": "string" - } - } - }, - "OperationsList": { - "description": "Lists the operations available in the SecurityInsights RP.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of operations.", - "type": "string" - }, - "value": { - "description": "Array of operations", - "items": { - "$ref": "#/definitions/Operation" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - 
"ProcessEntity": { + "HuntingBookmark": { "allOf": [ { "$ref": "#/definitions/Entity" } ], - "description": "Represents a process entity.", + "description": "Represents a Hunting bookmark entity.", "properties": { "properties": { - "$ref": "#/definitions/ProcessEntityProperties", - "description": "Process entity properties", + "$ref": "#/definitions/HuntingBookmarkProperties", + "description": "HuntingBookmark entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "Process" + "x-ms-discriminator-value": "Bookmark" }, - "ProcessEntityProperties": { + "HuntingBookmarkProperties": { "allOf": [ { "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Process entity property bag.", + "description": "Describes bookmark properties", "properties": { - "accountEntityId": { - "description": "The account entity id running the processes.", - "readOnly": true, + "created": { + "description": "The time the bookmark was created", + "format": "date-time", "type": "string" }, - "commandLine": { - "description": "The command line used to create the process", - "readOnly": true, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", "type": "string" }, - "creationTimeUtc": { - "description": "The time when the process started to run", + "eventTime": { + "description": "The time of the event", "format": "date-time", - "readOnly": true, "type": "string" }, - "elevationToken": { - "description": "The elevation token associated with the process.", - "enum": [ - "Default", - "Full", - "Limited" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "ElevationToken", - "values": [ - { - "description": "Default elevation token", - "value": "Default" - }, - { - "description": "Full elevation token", - "value": "Full" - }, - { - "description": "Limited 
elevation token", - "value": "Limited" - } - ] - } + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" }, - "hostEntityId": { - "description": "The host entity id on which the process was running", - "readOnly": true, + "notes": { + "description": "The notes of the bookmark", "type": "string" }, - "hostLogonSessionEntityId": { - "description": "The session entity id in which the process was running", - "readOnly": true, + "query": { + "description": "The query of the bookmark.", "type": "string" }, - "imageFileEntityId": { - "description": "Image file entity id", - "readOnly": true, + "queryResult": { + "description": "The query result of the bookmark.", "type": "string" }, - "parentProcessEntityId": { - "description": "The parent process entity id.", - "readOnly": true, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", "type": "string" }, - "processId": { - "description": "The process ID", - "readOnly": true, - "type": "string" + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "incidentInfo": { + "$ref": "#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" } }, + "required": [ + "displayName", + "query" + ], "type": "object" }, - "RegistryKeyEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a registry key entity.", + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", "properties": { - "properties": { - "$ref": "#/definitions/RegistryKeyEntityProperties", - "description": "RegistryKey entity properties", - "x-ms-client-flatten": true + "alertsCount": { + "description": "The number of alerts in the incident", + "readOnly": true, + "type": "integer" + }, + "bookmarksCount": { + "description": 
"The number of bookmarks in the incident", + "readOnly": true, + "type": "integer" + }, + "commentsCount": { + "description": "The number of comments in the incident", + "readOnly": true, + "type": "integer" + }, + "alertProductNames": { + "description": "List of product names of alerts in the incident", + "items": { + "description": "Alert product name", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with incident", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" } }, - "type": "object", - "x-ms-discriminator-value": "RegistryKey" + "type": "object" }, - "RegistryKeyEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" + "IncidentAlertList": { + "description": "List of incident alerts.", + "properties": { + "value": { + "description": "Array of incident alerts.", + "type": "array", + "items": { + "$ref": "#/definitions/SecurityAlert" + } } - ], - "description": "RegistryKey entity property bag.", + }, + "required": [ + "value" + ] + }, + "IncidentBookmarkList": { + "description": "List of incident bookmarks.", "properties": { - "hive": { - "description": "the hive that holds the registry key.", - "enum": [ - "HKEY_LOCAL_MACHINE", - "HKEY_CLASSES_ROOT", - "HKEY_CURRENT_CONFIG", - "HKEY_USERS", - "HKEY_CURRENT_USER_LOCAL_SETTINGS", - "HKEY_PERFORMANCE_DATA", - "HKEY_PERFORMANCE_NLSTEXT", - "HKEY_PERFORMANCE_TEXT", - "HKEY_A", - "HKEY_CURRENT_USER" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "RegistryHive", - "values": [ - { - "description": "HKEY_LOCAL_MACHINE", - "value": "HKEY_LOCAL_MACHINE" - }, - { - "description": "HKEY_CLASSES_ROOT", - "value": "HKEY_CLASSES_ROOT" - }, - { - "description": "HKEY_CURRENT_CONFIG", - "value": "HKEY_CURRENT_CONFIG" - }, - { - "description": "HKEY_USERS", - "value": "HKEY_USERS" - }, - { - "description": 
"HKEY_CURRENT_USER_LOCAL_SETTINGS", - "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" - }, - { - "description": "HKEY_PERFORMANCE_DATA", - "value": "HKEY_PERFORMANCE_DATA" - }, - { - "description": "HKEY_PERFORMANCE_NLSTEXT", - "value": "HKEY_PERFORMANCE_NLSTEXT" - }, - { - "description": "HKEY_PERFORMANCE_TEXT", - "value": "HKEY_PERFORMANCE_TEXT" - }, - { - "description": "HKEY_A", - "value": "HKEY_A" - }, - { - "description": "HKEY_CURRENT_USER", - "value": "HKEY_CURRENT_USER" - } - ] + "value": { + "description": "Array of incident bookmarks.", + "type": "array", + "items": { + "$ref": "#/definitions/HuntingBookmark" } - }, - "key": { - "description": "The registry key path.", - "readOnly": true, - "type": "string" } }, - "type": "object" + "required": [ + "value" + ] }, - "RegistryValueEntity": { + "IncidentComment": { "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "#/definitions/ResourceWithEtag" } ], - "description": "Represents a registry value entity.", + "description": "Represents an incident comment", "properties": { "properties": { - "$ref": "#/definitions/RegistryValueEntityProperties", - "description": "RegistryKey entity properties", + "$ref": "#/definitions/IncidentCommentProperties", + "description": "Incident comment properties", "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "RegistryValue" + "type": "object" }, - "RegistryValueEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" + "IncidentCommentList": { + "description": "List of incident comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/IncidentComment" + }, + "type": "array" } - ], - "description": "RegistryValue entity property bag.", + }, + "required": [ + "value" + ] + }, + "IncidentCommentProperties": { + "description": "Incident 
comment property bag.", "properties": { - "keyEntityId": { - "description": "The registry key entity id.", + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", "readOnly": true, "type": "string" }, - "valueData": { - "description": "String formatted representation of the value data.", + "lastModifiedTimeUtc": { + "description": "The time the comment was updated", + "format": "date-time", "readOnly": true, "type": "string" }, - "valueName": { - "description": "The registry value name.", + "message": { + "description": "The comment message", + "type": "string" + }, + "author": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that created the comment", "readOnly": true, + "type": "object" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "IncidentEntitiesResponse": { + "description": "The incident related entities response.", + "properties": { + "entities": { + "description": "Array of the incident related entities.", + "type": "array", + "items": { + "$ref": "#/definitions/Entity" + } + }, + "metaData": { + "description": "The metadata from the incident related entities results.", + "type": "array", + "items": { + "$ref": "#/definitions/IncidentEntitiesResultsMetadata" + } + } + } + }, + "IncidentEntitiesResultsMetadata": { + "description": "Information of a specific aggregation in the incident related entities result.", + "properties": { + "count": { + "description": "Total number of aggregations of the given kind in the incident related entities result.", + "type": "integer", + "format": "int32" + }, + "entityKind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." 
+ } + }, + "required": [ + "entityKind", + "count" + ], + "type": "object" + }, + "IncidentLabel": { + "description": "Represents an incident label", + "properties": { + "labelName": { + "description": "The name of the label", "type": "string" }, - "valueType": { - "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.", + "labelType": { + "description": "The type of the label", "enum": [ - "None", - "Unknown", - "String", - "ExpandString", - "Binary", - "DWord", - "MultiString", - "QWord" + "User", + "System" ], - "readOnly": true, "type": "string", + "readOnly": true, "x-ms-enum": { "modelAsString": true, - "name": "RegistryValueKind", + "name": "IncidentLabelType", "values": [ { - "description": "None", - "value": "None" - }, - { - "description": "Unknown value type", - "value": "Unknown" - }, - { - "description": "String value type", - "value": "String" - }, - { - "description": "ExpandString value type", - "value": "ExpandString" - }, - { - "description": "Binary value type", - "value": "Binary" - }, - { - "description": "DWord value type", - "value": "DWord" - }, - { - "description": "MultiString value type", - "value": "MultiString" + "description": "Label manually created by a user", + "value": "User" }, { - "description": "QWord value type", - "value": "QWord" + "description": "Label automatically created by the system", + "value": "System" } ] } } }, + "required": [ + "labelName" + ], "type": "object" }, - "RelationList": { - "description": "List of relations.", + "IncidentList": { + "description": "List all the incidents.", "properties": { "nextLink": { + "description": "URL to fetch the next set of incidents.", "readOnly": true, - "description": "URL to fetch the next set of relations.", "type": "string" }, "value": { - "description": "Array of relations.", - "type": "array", + "description": "Array of incidents.", "items": { - "$ref": "#/definitions/Relation" + 
"$ref": "#/definitions/Incident" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", + "properties": { + "email": { + "description": "The email of the user the incident is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", + "type": "string" + } + }, + "type": "object" + }, + "IncidentClassification": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + "value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] + } + }, + "IncidentClassificationReason": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect 
alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" } - } - }, - "required": [ - "value" - ] + ] + } }, - "Relation": { - "type": "object", - "description": "Represents a relation between two resources", - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } + "IncidentSeverity": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" ], - "properties": { - "properties": { - "$ref": "#/definitions/RelationProperties", - "description": "Relation properties", - "x-ms-client-flatten": true - } + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] } }, - "RelationProperties": { - "description": "Relation property bag.", + "IncidentStatus": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } + }, + "IncidentProperties": { + "description": "Describes incident properties", "properties": { - "relatedResourceId": { - "description": "The resource ID of the related resource", + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", + "readOnly": true, + "type": "object" + }, + "classification": { + "$ref": 
"#/definitions/IncidentClassification", + "description": "The reason the incident was closed" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", "type": "string" }, - "relatedResourceName": { - "description": "The name of the related resource", + "classificationReason": { + "$ref": "#/definitions/IncidentClassificationReason", + "description": "The classification reason the incident was closed with" + }, + "createdTimeUtc": { + "description": "The time the incident was created", + "format": "date-time", "readOnly": true, "type": "string" }, - "relatedResourceType": { - "description": "The resource type of the related resource", - "readOnly": true, + "description": { + "description": "The description of the incident", "type": "string" }, - "relatedResourceKind": { - "description": "The resource kind of the related resource", - "readOnly": true, + "firstActivityTimeUtc": { + "description": "The time of the first activity in the incident", + "format": "date-time", "type": "string" - } - }, - "required": [ - "relatedResourceId" - ], - "type": "object" - }, - "Resource": { - "description": "An azure resource object", - "properties": { - "id": { - "description": "Azure resource Id", + }, + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", "readOnly": true, "type": "string" }, - "name": { - "description": "Azure resource name", + "incidentNumber": { + "description": "A sequential number", "readOnly": true, + "type": "integer" + }, + "labels": { + "description": "List of labels relevant to this incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "providerName": { + "description": "The name of the source provider that generated the incident", "type": "string" }, - "type": { - "description": "Azure resource type", - "readOnly": true, + "providerIncidentId": { + "description": "The incident ID assigned by the incident provider", "type": "string" - } - 
}, - "x-ms-azure-resource": true - }, - "ResourceWithEtag": { - "description": "An azure resource object with an Etag property", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, + }, + "lastActivityTimeUtc": { + "description": "The time of the last activity in the incident", + "format": "date-time", "type": "string" }, - "name": { - "description": "Azure resource name", + "lastModifiedTimeUtc": { + "description": "The last time the incident was updated", + "format": "date-time", "readOnly": true, "type": "string" }, - "type": { - "description": "Azure resource type", + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": "Describes a user that the incident is assigned to", + "type": "object" + }, + "relatedAnalyticRuleIds": { + "description": "List of resource ids of Analytic rules related to the incident", + "items": { + "description": "Related Analytic rule resource id", + "type": "string" + }, "readOnly": true, - "type": "string" + "type": "array" }, - "etag": { - "description": "Etag of the azure resource", + "severity": { + "$ref": "#/definitions/IncidentSeverity", + "description": "The severity of the incident" + }, + "status": { + "$ref": "#/definitions/IncidentStatus", + "description": "The status of the incident" + }, + "title": { + "description": "The title of the incident", "type": "string" } }, - "x-ms-azure-resource": true + "required": [ + "title", + "severity", + "status" + ], + "type": "object" }, - "ScheduledAlertRule": { + "IpEntity": { "allOf": [ { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/Entity" } ], - "description": "Represents scheduled alert rule.", + "description": "Represents an ip entity.", "properties": { "properties": { - "$ref": "#/definitions/ScheduledAlertRuleProperties", - "description": "Scheduled alert rule properties", + "$ref": "#/definitions/IpEntityProperties", + "description": "Ip entity properties", "x-ms-client-flatten": true } }, "type": "object", 
- "x-ms-discriminator-value": "Scheduled" + "x-ms-discriminator-value": "Ip" }, - "ScheduledAlertRuleCommonProperties": { - "description": "Scheduled alert rule template property bag.", + "IpEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Ip entity property bag.", "properties": { - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" - }, - "queryFrequency": { - "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", - "format": "duration", - "type": "string" - }, - "queryPeriod": { - "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", - "format": "duration", + "address": { + "description": "The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6)", + "readOnly": true, "type": "string" }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." - }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "type": "integer" - }, - "eventGroupingSettings": { - "$ref": "#/definitions/EventGroupingSettings", - "description": "The event grouping settings." 
+ "location": { + "$ref": "#/definitions/GeoLocation", + "description": "The geo-location context attached to the ip entity" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the ip entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" } }, "type": "object" }, - "EventGroupingSettings": { - "description": "Event grouping settings property bag.", + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "MailboxEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mailbox entity.", "properties": { - "aggregationKind": { - "$ref": "#/definitions/EventGroupingAggregationKind" + "properties": { + "$ref": "#/definitions/MailboxEntityProperties", + "description": "Mailbox entity properties", + "x-ms-client-flatten": true } }, - "type": "object" - }, - "EventGroupingAggregationKind": { - "description": "The event grouping aggregation kinds", - "enum": [ - "SingleAlert", - "AlertPerResult" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EventGroupingAggregationKind" - } + "type": "object", + "x-ms-discriminator-value": "Mailbox" }, - "ScheduledAlertRuleProperties": { + "MailboxEntityProperties": { "allOf": [ { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Scheduled alert rule base property bag.", + "description": "Mailbox entity property bag.", "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", + "mailboxPrimaryAddress": { + "description": "The mailbox's primary address", + "readOnly": true, "type": "string" }, "displayName": { - "description": "The display name for alerts created by this alert rule.", + 
"description": "The mailbox's display name", + "readOnly": true, "type": "string" }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert rule has been modified.", - "format": "date-time", + "upn": { + "description": "The mailbox's UPN", "readOnly": true, "type": "string" }, - "suppressionDuration": { - "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", - "format": "duration", + "externalDirectoryObjectId": { + "description": "The AzureAD identifier of mailbox. Similar to AadUserId in account entity but this property is specific to mailbox object on office side", + "format": "uuid", + "readOnly": true, "type": "string" - }, - "suppressionEnabled": { - "description": "Determines whether the suppression for this alert rule is enabled or disabled.", - "type": "boolean" - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - }, - "incidentConfiguration": { - "$ref": "#/definitions/IncidentConfiguration", - "description": "The settings of the incidents that created from alerts triggered by this analytics rule" } }, - "required": [ - "displayName", - "enabled", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold", - "suppressionEnabled", - "suppressionDuration" - ], "type": "object" }, - "ScheduledAlertRuleTemplate": { + "MailClusterEntity": { "allOf": [ { - "$ref": "#/definitions/AlertRuleTemplate" + "$ref": "#/definitions/Entity" } ], - "description": "Represents scheduled alert rule template.", + "description": "Represents a mail cluster entity.", "properties": { "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - }, - { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - 
], - "description": "Scheduled alert rule template properties", - "properties": { - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "alertRulesCreatedByTemplateCount", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold" - ], + "$ref": "#/definitions/MailClusterEntityProperties", + "description": "Mail cluster entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "Scheduled" + "x-ms-discriminator-value": "MailCluster" }, - "IncidentConfiguration": { - "description": "Incident Configuration property bag.", - "properties": { - "createIncident": { - "description": "Create incidents from alerts triggered by this analytics rule", - "type": "boolean" - }, - "groupingConfiguration": { - "$ref": "#/definitions/GroupingConfiguration", - "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" + "MailClusterEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" } - }, - "type": "object", - "required": [ - "createIncident" - ] - }, - "GroupingConfiguration": { - "description": "Grouping configuration property bag.", + ], + "description": "Mail cluster entity property bag.", "properties": { - "enabled": { - "description": "Grouping enabled", - "type": "boolean" - }, - "reopenClosedIncident": { - "description": "Re-open closed matching incidents", - "type": "boolean" - }, - "lookbackDuration": { - "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", - "format": "duration", - "type": "string" + "networkMessageIds": { + "description": "The mail message IDs that are part of the mail cluster", + "items": { + "description": "A mail message ID", + "type": "string" + }, + "readOnly": 
true, + "type": "array" }, - "entitiesMatchingMethod": { - "description": "Grouping matching method", - "enum": [ - "All", - "None", - "Custom" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntitiesMatchingMethod", - "values": [ - { - "description": "Grouping alerts into a single incident if all the entities match", - "value": "All" - }, - { - "description": "Grouping all alerts triggered by this rule into a single incident", - "value": "None" - }, - { - "description": "Grouping alerts into a single incident if the selected entities match", - "value": "Custom" - } - ] - } + "countByDeliveryStatus": { + "description": "Count of mail messages by DeliveryStatus string representation", + "readOnly": true, + "type": "object" }, - "groupByEntities": { - "description": "A list of entity types to group by (when entitiesMatchingMethod is Custom)", - "items": { - "description": "Grouping entity type", - "enum": [ - "Account", - "Host", - "Ip", - "Url", - "FileHash" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "GroupingEntityType", - "values": [ - { - "description": "Account entity", - "value": "Account" - }, - { - "description": "Host entity", - "value": "Host" - }, - { - "description": "Ip entity", - "value": "Ip" - }, - { - "description": "Url entity", - "value": "Url" - }, - { - "description": "FileHash entity", - "value": "FileHash" - } - ] - } + "countByThreatType": { + "description": "Count of mail messages by ThreatType string representation", + "readOnly": true, + "type": "object" + }, + "countByProtectionStatus": { + "description": "Count of mail messages by ProtectionStatus string representation", + "readOnly": true, + "type": "object" + }, + "threats": { + "description": "The threats of mail messages that are part of the mail cluster", + "items": { + "description": "A threat", + "type": "string" }, + "readOnly": true, "type": "array" + }, + "query": { + "description": "The query that was used to 
identify the messages of the mail cluster", + "readOnly": true, + "type": "string" + }, + "queryTime": { + "description": "The query time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "mailCount": { + "description": "The number of mail messages that are part of the mail cluster", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "isVolumeAnomaly": { + "description": "Is this a volume anomaly mail cluster", + "readOnly": true, + "type": "boolean" + }, + "source": { + "description": "The source of the mail cluster (default is 'O365 ATP')", + "readOnly": true, + "type": "string" + }, + "clusterSourceIdentifier": { + "description": "The id of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterSourceType": { + "description": "The type of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterQueryStartTime": { + "description": "The cluster query start time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterQueryEndTime": { + "description": "The cluster query end time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterGroup": { + "description": "The cluster group", + "readOnly": true, + "type": "string" } }, - "type": "object", - "required": [ - "enabled", - "reopenClosedIncident", - "lookbackDuration", - "entitiesMatchingMethod" - ] + "type": "object" }, - "SecurityAlert": { + "MailMessageEntity": { "allOf": [ { "$ref": "#/definitions/Entity" } ], - "description": "Represents a security alert entity.", + "description": "Represents a mail message entity.", "properties": { "properties": { - "$ref": "#/definitions/SecurityAlertProperties", - "description": "SecurityAlert entity properties", + "$ref": "#/definitions/MailMessageEntityProperties", + "description": "Mail message entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "SecurityAlert" + "x-ms-discriminator-value": 
"MailMessage" }, - "SecurityAlertProperties": { + "MailMessageEntityProperties": { "allOf": [ { "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "SecurityAlert entity property bag.", + "description": "Mail message entity property bag.", "properties": { - "alertDisplayName": { - "description": "The display name of the alert.", + "fileEntityIds": { + "description": "The File entity ids of this mail message's attachments", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "recipient": { + "description": "The recipient of this mail message. Note that in case of multiple recipients the mail message is forked and each copy has one recipient", "readOnly": true, "type": "string" }, - "alertType": { - "description": "The type name of the alert.", + "urls": { + "description": "The Urls contained in this mail message", + "items": { + "description": "A Url contained in this mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "threats": { + "description": "The threats of this mail message", + "items": { + "description": "A threat of the mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "p1Sender": { + "description": "The p1 sender's email address", "readOnly": true, "type": "string" }, - "compromisedEntity": { - "description": "Display name of the main entity being reported on.", + "p1SenderDisplayName": { + "description": "The p1 sender's display name", "readOnly": true, "type": "string" }, - "confidenceLevel": { - "description": "The confidence level of this alert.", - "enum": [ - "Unknown", - "Low", - "High" - ], + "p1SenderDomain": { + "description": "The p1 sender's domain", "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ConfidenceLevel", - "values": [ - { - "description": "Unknown confidence, the is the default value", - "value": "Unknown" - }, - { - "description": "Low confidence, meaning we have some doubts 
this is indeed malicious or part of an attack", - "value": "Low" - }, - { - "description": "High confidence that the alert is true positive malicious", - "value": "High" - } - ] - } + "type": "string" }, - "confidenceReasons": { - "description": "The confidence reasons", + "senderIP": { + "description": "The sender's IP address", + "readOnly": true, + "type": "string" + }, + "p2Sender": { + "description": "The p2 sender's email address", + "readOnly": true, + "type": "string" + }, + "p2SenderDisplayName": { + "description": "The p2 sender's display name", + "readOnly": true, + "type": "string" + }, + "p2SenderDomain": { + "description": "The p2 sender's domain", + "readOnly": true, + "type": "string" + }, + "receiveDate": { + "description": "The receive date of this message", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "networkMessageId": { + "description": "The network message id of this mail message", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "internetMessageId": { + "description": "The internet message id of this mail message", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of this mail message", + "readOnly": true, + "type": "string" + }, + "language": { + "description": "The language of this mail message", + "readOnly": true, + "type": "string" + }, + "threatDetectionMethods": { + "description": "The threat detection methods", "items": { - "description": "confidence reason item", - "properties": { - "reason": { - "description": "The reason's description", - "readOnly": true, - "type": "string" - }, - "reasonType": { - "description": "The type (category) of the reason", - "readOnly": true, - "type": "string" - } - }, - "type": "object" + "description": "A threat detection method", + "type": "string" }, "readOnly": true, "type": "array" }, - "confidenceScore": { - "description": "The confidence score of the alert.", - "format": "double", - "readOnly": true, - "type": 
"number" + "bodyFingerprintBin1": { + "description": "The bodyFingerprintBin1", + "type": "integer", + "format": "int32" }, - "confidenceScoreStatus": { - "description": "The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.", + "bodyFingerprintBin2": { + "description": "The bodyFingerprintBin2", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin3": { + "description": "The bodyFingerprintBin3", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin4": { + "description": "The bodyFingerprintBin4", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin5": { + "description": "The bodyFingerprintBin5", + "type": "integer", + "format": "int32" + }, + "antispamDirection": { + "description": "The directionality of this mail message", "enum": [ - "NotApplicable", - "InProcess", - "NotFinal", - "Final" + "Unknown", + "Inbound", + "Outbound", + "Intraorg" ], - "readOnly": true, "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "ConfidenceScoreStatus", + "name": "AntispamMailDirection", "values": [ { - "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", - "value": "NotApplicable" + "description": "Unknown", + "value": "Unknown" }, { - "description": "No score was set yet and calculation is in progress", - "value": "InProcess" + "description": "Inbound", + "value": "Inbound" }, { - "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", - "value": "NotFinal" + "description": "Outbound", + "value": "Outbound" }, { - "description": "Final score was calculated and available", - "value": "Final" + "description": "Intraorg", + "value": "Intraorg" } ] } }, - "description": { - "description": "Alert description.", - "readOnly": true, - "type": "string" - }, - "endTimeUtc": { - "description": "The impact 
end time of the alert (the time of the last event contributing to the alert).", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "intent": { - "description": "Holds the alert intent stage(s) mapping for this alert.", + "deliveryAction": { + "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", "enum": [ "Unknown", - "Probing", - "Exploitation", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Execution", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" + "DeliveredAsSpam", + "Delivered", + "Blocked", + "Replaced" ], - "readOnly": true, "type": "string", "x-ms-enum": { - "modelAsString": true, - "name": "KillChainIntent", + "modelAsString": false, + "name": "DeliveryAction", "values": [ { - "description": "The default value.", + "description": "Unknown", "value": "Unknown" }, { - "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", - "value": "Probing" + "description": "DeliveredAsSpam", + "value": "DeliveredAsSpam" }, { - "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", - "value": "Exploitation" + "description": "Delivered", + "value": "Delivered" }, { - "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. 
Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", - "value": "Persistence" + "description": "Blocked", + "value": "Blocked" }, { - "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", - "value": "PrivilegeEscalation" - }, + "description": "Replaced", + "value": "Replaced" + } + ] + } + }, + "deliveryLocation": { + "description": "The delivery location of this mail message like Inbox, JunkFolder etc", + "enum": [ + "Unknown", + "Inbox", + "JunkFolder", + "DeletedFolder", + "Quarantine", + "External", + "Failed", + "Dropped", + "Forwarded" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryLocation", + "values": [ { - "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", - "value": "DefenseEvasion" + "description": "Unknown", + "value": "Unknown" }, { - "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. 
Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", - "value": "CredentialAccess" + "description": "Inbox", + "value": "Inbox" }, { - "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", - "value": "Discovery" + "description": "JunkFolder", + "value": "JunkFolder" }, { - "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", - "value": "LateralMovement" + "description": "DeletedFolder", + "value": "DeletedFolder" }, { - "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. 
This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", - "value": "Execution" + "description": "Quarantine", + "value": "Quarantine" }, { - "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "value": "Collection" + "description": "External", + "value": "External" }, { - "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "value": "Exfiltration" + "description": "Failed", + "value": "Failed" }, { - "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", - "value": "CommandAndControl" + "description": "Dropped", + "value": "Dropped" }, { - "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. 
This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", - "value": "Impact" + "description": "Forwarded", + "value": "Forwarded" } ] } + } + }, + "type": "object" + }, + "SubmissionMailEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a submission mail entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SubmissionMailEntityProperties", + "description": "Submission mail entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SubmissionMail" + }, + "SubmissionMailEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Submission mail entity property bag.", + "properties": { + "networkMessageId": { + "description": "The network message id of email to which submission belongs", + "format": "uuid", + "readOnly": true, + "type": "string" }, - "providerAlertId": { - "description": "The identifier of the alert inside the product which generated the alert.", + "submissionId": { + "description": "The submission id", + "format": "uuid", "readOnly": true, "type": "string" }, - "processingEndTime": { - "description": "The time the alert was made available for consumption.", + "submitter": { + "description": "The submitter", + "readOnly": true, + "type": "string" + }, + "submissionDate": { + "description": "The submission date", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "timestamp": { + "description": "The Time stamp when the message is received (Mail)", "format": "date-time", "readOnly": true, "type": "string" }, - "productComponentName": { - "description": "The name of a component inside the product which generated the alert.", + "recipient": { + "description": "The recipient of the mail", + "readOnly": true, + "type": "string" + }, + "sender": { + "description": "The sender of the mail", + "readOnly": true, + "type": "string" 
+ }, + "senderIp": { + "description": "The sender's IP", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of submission mail", + "readOnly": true, + "type": "string" + }, + "reportType": { + "description": "The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "discoveryLogs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Discovery log data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MCASCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASCheckRequirementsProperties", + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "MDATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPCheckRequirementsProperties", + "description": "MDATP (Microsoft Defender 
Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "MalwareEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a malware entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MalwareEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Malware" + }, + "MalwareEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Malware entity property bag.", + "properties": { + "category": { + "description": "The malware category by the vendor, e.g. Trojan", "readOnly": true, "type": "string" }, - "productName": { - "description": "The name of the product which published this alert.", + "fileEntityIds": { + "description": "List of linked file entity identifiers on which the malware was found", + "items": { + "description": "file entity id", + "type": "string" + }, "readOnly": true, - "type": "string" + "type": "array" }, - "productVersion": { - "description": "The version of the product generating the alert.", + "malwareName": { + "description": "The malware name by the vendor, e.g. 
Win32/Toga!rfn", "readOnly": true, "type": "string" }, - "remediationSteps": { - "description": "Manual action items to take to remediate the alert.", + "processEntityIds": { + "description": "List of linked process entity identifiers on which the malware was found.", "items": { + "description": "process entity id", "type": "string" }, "readOnly": true, "type": "array" + } + }, + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity of the alert" - }, - "startTimeUtc": { - "description": "The impact start time of the alert (the time of the first event contributing to the alert).", - "format": "date-time", - "readOnly": true, - "type": "string" + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" }, - "status": { - "description": "The lifecycle status of the alert.", + "productFilter": { + "description": "The alerts' productName on which the cases will be generated", "enum": [ - "Unknown", - "New", - "Resolved", - "Dismissed", - "InProgress" + "Microsoft Cloud App Security", + 
"Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT", + "Office 365 Advanced Threat Protection", + "Microsoft Defender Advanced Threat Protection" ], - "readOnly": true, "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "AlertStatus", - "values": [ - { - "description": "Unknown value", - "value": "Unknown" - }, - { - "description": "New alert", - "value": "New" - }, - { - "description": "Alert closed after handling", - "value": "Resolved" - }, - { - "description": "Alert dismissed as false positive", - "value": "Dismissed" - }, - { - "description": "Alert is being handled", - "value": "InProgress" - } - ] + "name": "MicrosoftSecurityProductName" } }, - "systemAlertId": { - "description": "Holds the product identifier of the alert for the product.", - "readOnly": true, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", "type": "string" }, - "tactics": { - "description": "The tactics of the alert", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - }, - "timeGenerated": { - "description": "The time the alert was generated.", - "format": "date-time", - "readOnly": true, + "description": { + "description": "The description of the alert rule.", "type": "string" }, - "vendorName": { - "description": "The name of the vendor that raise the alert.", - 
"readOnly": true, + "displayName": { + "description": "The display name for alerts created by this alert rule.", "type": "string" }, - "alertLink": { - "description": "The uri link of the alert.", - "readOnly": true, - "type": "string" + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" }, - "resourceIdentifiers": { - "description": "The list of resource identifiers of the alert.", - "items": { - "type": "object" - }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", "readOnly": true, - "type": "array" + "type": "string" } }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], "type": "object" }, - "SecurityGroupEntity": { + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "#/definitions/AlertRuleTemplate" } ], - "description": "Represents a security group entity.", + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", "properties": { "properties": { - "$ref": "#/definitions/SecurityGroupEntityProperties", - "description": "SecurityGroup entity properties", + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "SecurityGroup" + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" }, - "SecurityGroupEntityProperties": { + "OfficeATPDataConnector": { "allOf": [ { - "$ref": "#/definitions/EntityCommonProperties" + "$ref": "#/definitions/DataConnector" } ], - "description": "SecurityGroup entity property 
bag.", + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", "properties": { - "distinguishedName": { - "description": "The group distinguished name", - "readOnly": true, - "type": "string" - }, - "objectGuid": { - "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", - "readOnly": true, - "type": "string" + "properties": { + "$ref": "#/definitions/OfficeATPDataConnectorProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" }, - "sid": { - "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", - "readOnly": true, - "type": "string" + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "OfficeATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeATPCheckRequirementsProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true } }, + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", "type": "object" }, - "SettingList": { - "description": 
"List of all the settings.", + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", "properties": { - "value": { - "description": "Array of settings.", - "items": { - "$ref": "#/definitions/Settings" - }, - "type": "array" + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" } }, + "type": "object", "required": [ - "value" + "exchange", + "sharePoint", + "teams" ] }, - "Settings": { + "OfficeDataConnectorProperties": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/SettingsKind" + "$ref": "#/definitions/DataConnectorTenantId" } ], - "description": "The Setting.", - "discriminator": "kind", + "description": "Office data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "required": [ + "dataTypes" + ], "type": "object" }, - "SettingsKind": { - "description": "Describes an Azure resource with kind.", + "Operation": { + "description": "Operation provided by provider", "properties": { - "kind": { - "description": "The kind of the setting", - "enum": [ - "EyesOn", - "EntityAnalytics", - "Ueba" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "SettingKind" - } + "display": { + "description": "Properties of the operation", + "properties": { + "description": { + "description": "Description of the operation", + "type": "string" + }, + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "Name of the operation", + "type": "string" + }, + "origin": { + "description": "The origin of the operation", + "type": "string" + } + } + }, + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string" + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" } }, "required": [ - "kind" - ], - "type": "object" + "value" + ] }, - "TIDataConnector": { + "ProcessEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/Entity" } ], - "description": "Data connector to pull threat intelligence data from TIP products.", + "description": "Represents a process entity.", "properties": { "properties": { - "$ref": "#/definitions/TIDataConnectorProperties", - "description": "Threat Intelligence Platforms data connector properties.", + "$ref": "#/definitions/ProcessEntityProperties", + "description": "Process entity properties", "x-ms-client-flatten": 
true } }, "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" + "x-ms-discriminator-value": "Process" }, - "TIDataConnectorDataTypes": { - "description": "The available data types for Threat Intelligence Platforms data connector.", - "properties": { - "indicators": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for Threat Intelligence Platforms data connector.", - "type": "object" + "ProcessEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" } - }, - "type": "object", - "required": [ - "indicators" - ] - }, - "TIDataConnectorProperties": { - "description": "TI (Threat Intelligence) data connector properties.", + ], + "description": "Process entity property bag.", "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", + "accountEntityId": { + "description": "The account entity id running the processes.", + "readOnly": true, "type": "string" }, - "tipLookbackPeriod": { - "description": "The lookback period for the feed to be imported.", + "commandLine": { + "description": "The command line used to create the process", + "readOnly": true, + "type": "string" + }, + "creationTimeUtc": { + "description": "The time when the process started to run", "format": "date-time", + "readOnly": true, + "type": "string" + }, + "elevationToken": { + "description": "The elevation token associated with the process.", + "enum": [ + "Default", + "Full", + "Limited" + ], "type": "string", - "x-nullable": true + "x-ms-enum": { + "modelAsString": false, + "name": "ElevationToken", + "values": [ + { + "description": "Default elevation token", + "value": "Default" + }, + { + "description": "Full elevation token", + "value": "Full" + }, + { + "description": "Limited elevation token", + "value": "Limited" + } + ] + } }, - "dataTypes": { - "$ref": "#/definitions/TIDataConnectorDataTypes", - "description": "The available data types for 
the connector." + "hostEntityId": { + "description": "The host entity id on which the process was running", + "readOnly": true, + "type": "string" + }, + "hostLogonSessionEntityId": { + "description": "The session entity id in which the process was running", + "readOnly": true, + "type": "string" + }, + "imageFileEntityId": { + "description": "Image file entity id", + "readOnly": true, + "type": "string" + }, + "parentProcessEntityId": { + "description": "The parent process entity id.", + "readOnly": true, + "type": "string" + }, + "processId": { + "description": "The process ID", + "readOnly": true, + "type": "string" } }, - "type": "object", - "required": [ - "tenantId", - "dataTypes" - ] + "type": "object" }, - "TICheckRequirements": { + "RegistryKeyEntity": { "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/definitions/Entity" } ], - "description": "Threat Intelligence Platforms data connector check requirements", + "description": "Represents a registry key entity.", "properties": { "properties": { - "$ref": "#/definitions/TICheckRequirementsProperties", - "description": "Threat Intelligence Platforms data connector check required properties", + "$ref": "#/definitions/RegistryKeyEntityProperties", + "description": "RegistryKey entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "TICheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Threat Intelligence Platforms data connector required properties.", - "properties": {}, - "type": "object" + "x-ms-discriminator-value": "RegistryKey" }, - "TiTaxiiDataConnector": { + "RegistryKeyEntityProperties": { "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server", + "description": "RegistryKey entity 
property bag.", "properties": { - "properties": { - "$ref": "#/definitions/TiTaxiiDataConnectorProperties", - "description": "Threat intelligence TAXII data connector properties.", - "x-ms-client-flatten": true + "hive": { + "description": "the hive that holds the registry key.", + "enum": [ + "HKEY_LOCAL_MACHINE", + "HKEY_CLASSES_ROOT", + "HKEY_CURRENT_CONFIG", + "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "HKEY_PERFORMANCE_DATA", + "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", + "HKEY_A", + "HKEY_CURRENT_USER" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryHive", + "values": [ + { + "description": "HKEY_LOCAL_MACHINE", + "value": "HKEY_LOCAL_MACHINE" + }, + { + "description": "HKEY_CLASSES_ROOT", + "value": "HKEY_CLASSES_ROOT" + }, + { + "description": "HKEY_CURRENT_CONFIG", + "value": "HKEY_CURRENT_CONFIG" + }, + { + "description": "HKEY_USERS", + "value": "HKEY_USERS" + }, + { + "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" + }, + { + "description": "HKEY_PERFORMANCE_DATA", + "value": "HKEY_PERFORMANCE_DATA" + }, + { + "description": "HKEY_PERFORMANCE_NLSTEXT", + "value": "HKEY_PERFORMANCE_NLSTEXT" + }, + { + "description": "HKEY_PERFORMANCE_TEXT", + "value": "HKEY_PERFORMANCE_TEXT" + }, + { + "description": "HKEY_A", + "value": "HKEY_A" + }, + { + "description": "HKEY_CURRENT_USER", + "value": "HKEY_CURRENT_USER" + } + ] + } + }, + "key": { + "description": "The registry key path.", + "readOnly": true, + "type": "string" } }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + "type": "object" }, - "TiTaxiiDataConnectorDataTypes": { - "description": "The available data types for Threat Intelligence TAXII data connector.", - "properties": { - "taxiiClient": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for TAXII connector.", - "type": "object" + 
"RegistryValueEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry value entity.", + "properties": { + "properties": { + "$ref": "#/definitions/RegistryValueEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true } }, "type": "object", - "required": [ - "taxiiClient" - ] + "x-ms-discriminator-value": "RegistryValue" }, - "TiTaxiiDataConnectorProperties": { + "RegistryValueEntityProperties": { "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Threat Intelligence TAXII data connector properties.", + "description": "RegistryValue entity property bag.", "properties": { - "workspaceId": { - "description": "The workspace id.", - "type": "string" - }, - "friendlyName": { - "description": "The friendly name for the TAXII server.", - "type": "string" - }, - "taxiiServer": { - "description": "The API root for the TAXII server.", - "type": "string" - }, - "collectionId": { - "description": "The collection id of the TAXII server.", + "keyEntityId": { + "description": "The registry key entity id.", + "readOnly": true, "type": "string" }, - "userName": { - "description": "The userName for the TAXII server.", + "valueData": { + "description": "String formatted representation of the value data.", + "readOnly": true, "type": "string" }, - "password": { - "description": "The password for the TAXII server.", + "valueName": { + "description": "The registry value name.", + "readOnly": true, "type": "string" }, - "taxiiLookbackPeriod": { - "description": "The lookback period for the TAXII server.", - "format": "date-time", - "type": "string", - "x-nullable": true - }, - "pollingFrequency": { - "description": "The polling frequency for the TAXII server.", - "type": "string", - "x-nullable": true, + "valueType": { + "description": "Specifies the data types to use when storing values in the registry, or 
identifies the data type of a value in the registry.", "enum": [ - "OnceAMinute", - "OnceAnHour", - "OnceADay" + "None", + "Unknown", + "String", + "ExpandString", + "Binary", + "DWord", + "MultiString", + "QWord" ], + "readOnly": true, + "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "PollingFrequency", + "name": "RegistryValueKind", "values": [ { - "description": "Once a minute", - "value": "OnceAMinute" + "description": "None", + "value": "None" }, { - "description": "Once an hour", - "value": "OnceAnHour" + "description": "Unknown value type", + "value": "Unknown" }, { - "description": "Once a day", - "value": "OnceADay" + "description": "String value type", + "value": "String" + }, + { + "description": "ExpandString value type", + "value": "ExpandString" + }, + { + "description": "Binary value type", + "value": "Binary" + }, + { + "description": "DWord value type", + "value": "DWord" + }, + { + "description": "MultiString value type", + "value": "MultiString" + }, + { + "description": "QWord value type", + "value": "QWord" } ] } + } + }, + "type": "object" + }, + "RelationList": { + "description": "List of relations.", + "properties": { + "nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" }, - "dataTypes": { - "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", - "description": "The available data types for Threat Intelligence TAXII data connector." 
+ "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/Relation" + } } }, "required": [ - "dataTypes", - "pollingFrequency" - ], - "type": "object" + "value" + ] }, - "TiTaxiiCheckRequirements": { + "Relation": { + "type": "object", + "description": "Represents a relation between two resources", "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/definitions/ResourceWithEtag" } ], - "description": "Threat Intelligence TAXII data connector check requirements", "properties": { "properties": { - "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", - "description": "Threat Intelligence TAXII check required properties.", + "$ref": "#/definitions/RelationProperties", + "description": "Relation properties", "x-ms-client-flatten": true } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + } }, - "TiTaxiiCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "RelationProperties": { + "description": "Relation property bag.", + "properties": { + "relatedResourceId": { + "description": "The resource ID of the related resource", + "type": "string" + }, + "relatedResourceName": { + "description": "The name of the related resource", + "readOnly": true, + "type": "string" + }, + "relatedResourceType": { + "description": "The resource type of the related resource", + "readOnly": true, + "type": "string" + }, + "relatedResourceKind": { + "description": "The resource kind of the related resource", + "readOnly": true, + "type": "string" } + }, + "required": [ + "relatedResourceId" ], - "description": "Threat Intelligence TAXII data connector required properties.", "type": "object" }, - "ThreatIntelligence": { - "description": "ThreatIntelligence property bag.", + "Resource": { + "description": "An azure resource object", "properties": { - "confidence": { - "description": "Confidence (must be between 0 and 1)", - 
"format": "double", + "id": { + "description": "Azure resource Id", "readOnly": true, - "type": "number" + "type": "string" }, - "providerName": { - "description": "Name of the provider from whom this Threat Intelligence information was received", + "name": { + "description": "Azure resource name", "readOnly": true, "type": "string" }, - "reportLink": { - "description": "Report link", + "type": { + "description": "Azure resource type", "readOnly": true, "type": "string" - }, - "threatDescription": { - "description": "Threat description (free text)", + } + }, + "x-ms-azure-resource": true + }, + "ResourceWithEtag": { + "description": "An azure resource object with an Etag property", + "properties": { + "id": { + "description": "Azure resource Id", "readOnly": true, "type": "string" }, - "threatName": { - "description": "Threat name (e.g. \"Jedobot malware\")", + "name": { + "description": "Azure resource name", "readOnly": true, "type": "string" }, - "threatType": { - "description": "Threat type (e.g. 
\"Botnet\")", + "type": { + "description": "Azure resource type", "readOnly": true, "type": "string" + }, + "etag": { + "description": "Etag of the azure resource", + "type": "string" } }, - "type": "object" + "x-ms-azure-resource": true }, - "IPSyncer": { + "ScheduledAlertRule": { "allOf": [ { - "$ref": "#/definitions/Settings" + "$ref": "#/definitions/AlertRule" } ], - "description": "Settings with single toggle.", + "description": "Represents scheduled alert rule.", "properties": { "properties": { - "$ref": "#/definitions/IPSyncerSettingsProperties", - "description": "IPSyncer properties", + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "IPSyncer" + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Scheduled alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "type": "integer" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." 
+ } + }, + "type": "object" }, - "IPSyncerSettingsProperties": { - "description": "IPSyncer property bag.", + "EventGroupingSettings": { + "description": "Event grouping settings property bag.", "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" + "aggregationKind": { + "$ref": "#/definitions/EventGroupingAggregationKind" } }, "type": "object" }, - "EyesOn": { + "EventGroupingAggregationKind": { + "description": "The event grouping aggregation kinds", + "enum": [ + "SingleAlert", + "AlertPerResult" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EventGroupingAggregationKind" + } + }, + "ScheduledAlertRuleProperties": { "allOf": [ { - "$ref": "#/definitions/Settings" + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" } ], - "description": "Settings with single toggle.", - "properties": { - "properties": { - "$ref": "#/definitions/EyesOnSettingsProperties", - "description": "EyesOn properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "EyesOn" - }, - "EyesOnSettingsProperties": { - "description": "EyesOn property bag.", + "description": "Scheduled alert rule base property bag.", "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", "readOnly": true, + 
"type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", "type": "boolean" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + }, + "incidentConfiguration": { + "$ref": "#/definitions/IncidentConfiguration", + "description": "The settings of the incidents that created from alerts triggered by this analytics rule" } }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], "type": "object" }, - "EntityAnalytics": { + "ScheduledAlertRuleTemplate": { "allOf": [ { - "$ref": "#/definitions/Settings" + "$ref": "#/definitions/AlertRuleTemplate" } ], - "description": "Settings with single toggle.", + "description": "Represents scheduled alert rule template.", "properties": { "properties": { - "$ref": "#/definitions/EntityAnalyticsProperties", - "description": "EntityAnalytics properties", + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule template properties", + "properties": { + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold" + ], "x-ms-client-flatten": true } }, "type": "object", - 
"x-ms-discriminator-value": "EntityAnalytics" + "x-ms-discriminator-value": "Scheduled" }, - "EntityAnalyticsProperties": { - "description": "EntityAnalytics property bag.", + "IncidentConfiguration": { + "description": "Incident Configuration property bag.", "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, + "createIncident": { + "description": "Create incidents from alerts triggered by this analytics rule", "type": "boolean" - } - }, - "type": "object" - }, - "Ueba": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", - "properties": { - "properties": { - "$ref": "#/definitions/UebaProperties", - "description": "Ueba properties", - "x-ms-client-flatten": true + }, + "groupingConfiguration": { + "$ref": "#/definitions/GroupingConfiguration", + "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" } }, "type": "object", - "x-ms-discriminator-value": "Ueba" + "required": [ + "createIncident" + ] }, - "UebaProperties": { - "description": "Ueba property bag.", + "GroupingConfiguration": { + "description": "Grouping configuration property bag.", "properties": { - "dataSources": { - "description": "The relevant data sources that enriched by ueba", + "enabled": { + "description": "Grouping enabled", + "type": "boolean" + }, + "reopenClosedIncident": { + "description": "Re-open closed matching incidents", + "type": "boolean" + }, + "lookbackDuration": { + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "entitiesMatchingMethod": { + "description": "Grouping matching method", + "enum": [ + "All", + "None", + "Custom" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntitiesMatchingMethod", + "values": [ + { + "description": "Grouping alerts into a 
single incident if all the entities match", + "value": "All" + }, + { + "description": "Grouping all alerts triggered by this rule into a single incident", + "value": "None" + }, + { + "description": "Grouping alerts into a single incident if the selected entities match", + "value": "Custom" + } + ] + } + }, + "groupByEntities": { + "description": "A list of entity types to group by (when entitiesMatchingMethod is Custom)", "items": { - "$ref": "#/definitions/UebaDataSources" + "description": "Grouping entity type", + "enum": [ + "Account", + "Host", + "Ip", + "Url", + "FileHash" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "GroupingEntityType", + "values": [ + { + "description": "Account entity", + "value": "Account" + }, + { + "description": "Host entity", + "value": "Host" + }, + { + "description": "Ip entity", + "value": "Ip" + }, + { + "description": "Url entity", + "value": "Url" + }, + { + "description": "FileHash entity", + "value": "FileHash" + } + ] + } }, "type": "array" } }, - "type": "object" - }, - "UebaDataSources": { - "description": "The data source that enriched by ueba.", - "enum": [ - "AuditLogs", - "AzureActivity", - "SecurityEvent", - "SigninLogs" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "UebaDataSources" - } + "type": "object", + "required": [ + "enabled", + "reopenClosedIncident", + "lookbackDuration", + "entitiesMatchingMethod" + ] }, - "UrlEntity": { + "SecurityAlert": { "allOf": [ { "$ref": "#/definitions/Entity" } ], - "description": "Represents a url entity.", + "description": "Represents a security alert entity.", "properties": { "properties": { - "$ref": "#/definitions/UrlEntityProperties", - "description": "Url entity properties", + "$ref": "#/definitions/SecurityAlertProperties", + "description": "SecurityAlert entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "Url" + "x-ms-discriminator-value": "SecurityAlert" }, - 
"UrlEntityProperties": { + "SecurityAlertProperties": { "allOf": [ { "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Url entity property bag.", + "description": "SecurityAlert entity property bag.", "properties": { - "url": { - "description": "A full URL the entity points to", + "alertDisplayName": { + "description": "The display name of the alert.", "readOnly": true, "type": "string" - } - }, - "type": "object" - }, - "IoTDeviceEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an IoT device entity.", - "properties": { - "properties": { - "$ref": "#/definitions/IoTDeviceEntityProperties", - "description": "IoTDevice entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "IoTDevice" - }, - "IoTDeviceEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "IoTDevice entity property bag.", - "properties": { - "deviceId": { - "description": "The ID of the IoT Device in the IoT Hub", + }, + "alertType": { + "description": "The type name of the alert.", + "readOnly": true, + "type": "string" + }, + "compromisedEntity": { + "description": "Display name of the main entity being reported on.", + "readOnly": true, + "type": "string" + }, + "confidenceLevel": { + "description": "The confidence level of this alert.", + "enum": [ + "Unknown", + "Low", + "High" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceLevel", + "values": [ + { + "description": "Unknown confidence, the is the default value", + "value": "Unknown" + }, + { + "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack", + "value": "Low" + }, + { + "description": "High confidence that the alert is true positive malicious", + "value": "High" + } + ] + } + }, + "confidenceReasons": { + "description": "The confidence reasons", + 
"items": { + "description": "confidence reason item", + "properties": { + "reason": { + "description": "The reason's description", + "readOnly": true, + "type": "string" + }, + "reasonType": { + "description": "The type (category) of the reason", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "readOnly": true, + "type": "array" + }, + "confidenceScore": { + "description": "The confidence score of the alert.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "confidenceScoreStatus": { + "description": "The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.", + "enum": [ + "NotApplicable", + "InProcess", + "NotFinal", + "Final" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceScoreStatus", + "values": [ + { + "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", + "value": "NotApplicable" + }, + { + "description": "No score was set yet and calculation is in progress", + "value": "InProcess" + }, + { + "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", + "value": "NotFinal" + }, + { + "description": "Final score was calculated and available", + "value": "Final" + } + ] + } + }, + "description": { + "description": "Alert description.", + "readOnly": true, + "type": "string" + }, + "endTimeUtc": { + "description": "The impact end time of the alert (the time of the last event contributing to the alert).", + "format": "date-time", "readOnly": true, "type": "string" }, - "deviceName": { - "description": "The friendly name of the device", + "intent": { + "description": "Holds the alert intent stage(s) mapping for this alert.", + "enum": [ + "Unknown", + "Probing", + "Exploitation", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + 
"CredentialAccess", + "Discovery", + "LateralMovement", + "Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "KillChainIntent", + "values": [ + { + "description": "The default value.", + "value": "Unknown" + }, + { + "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", + "value": "Probing" + }, + { + "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", + "value": "Exploitation" + }, + { + "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", + "value": "Persistence" + }, + { + "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. 
User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", + "value": "PrivilegeEscalation" + }, + { + "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", + "value": "DefenseEvasion" + }, + { + "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", + "value": "CredentialAccess" + }, + { + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", + "value": "Discovery" + }, + { + "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. 
An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", + "value": "LateralMovement" + }, + { + "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", + "value": "Execution" + }, + { + "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Collection" + }, + { + "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Exfiltration" + }, + { + "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", + "value": "CommandAndControl" + }, + { + "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. 
This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", + "value": "Impact" + } + ] + } + }, + "providerAlertId": { + "description": "The identifier of the alert inside the product which generated the alert.", "readOnly": true, "type": "string" }, - "source": { - "description": "The source of the device", + "processingEndTime": { + "description": "The time the alert was made available for consumption.", + "format": "date-time", "readOnly": true, "type": "string" }, - "iotSecurityAgentId": { - "description": "The ID of the security agent running on the device", - "format": "uuid", + "productComponentName": { + "description": "The name of a component inside the product which generated the alert.", "readOnly": true, "type": "string" }, - "deviceType": { - "description": "The type of the device", + "productName": { + "description": "The name of the product which published this alert.", "readOnly": true, "type": "string" }, - "vendor": { - "description": "The vendor of the device", + "productVersion": { + "description": "The version of the product generating the alert.", "readOnly": true, "type": "string" }, - "edgeId": { - "description": "The ID of the edge device", + "remediationSteps": { + "description": "Manual action items to take to remediate the alert.", + "items": { + "type": "string" + }, "readOnly": true, - "type": "string" + "type": "array" }, - "macAddress": { - "description": "The MAC address of the device", - "readOnly": true, - "type": "string" + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity of the alert" }, - "model": { - "description": "The model of the device", + "startTimeUtc": { + "description": "The impact start time of the alert (the time of the first event contributing to the alert).", + "format": "date-time", "readOnly": true, "type": "string" }, - "serialNumber": { - "description": "The serial number of the device", + "status": { + "description": "The lifecycle 
status of the alert.", + "enum": [ + "Unknown", + "New", + "Resolved", + "Dismissed", + "InProgress" + ], "readOnly": true, - "type": "string" + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertStatus", + "values": [ + { + "description": "Unknown value", + "value": "Unknown" + }, + { + "description": "New alert", + "value": "New" + }, + { + "description": "Alert closed after handling", + "value": "Resolved" + }, + { + "description": "Alert dismissed as false positive", + "value": "Dismissed" + }, + { + "description": "Alert is being handled", + "value": "InProgress" + } + ] + } }, - "firmwareVersion": { - "description": "The firmware version of the device", + "systemAlertId": { + "description": "Holds the product identifier of the alert for the product.", "readOnly": true, "type": "string" }, - "operatingSystem": { - "description": "The operating system of the device", + "tactics": { + "description": "The tactics of the alert", + "items": { + "$ref": "#/definitions/AttackTactic" + }, "readOnly": true, - "type": "string" + "type": "array" }, - "iotHubEntityId": { - "description": "The AzureResource entity id of the IoT Hub", + "timeGenerated": { + "description": "The time the alert was generated.", + "format": "date-time", "readOnly": true, "type": "string" }, - "hostEntityId": { - "description": "The Host entity id of this device", + "vendorName": { + "description": "The name of the vendor that raise the alert.", "readOnly": true, "type": "string" }, - "ipAddressEntityId": { - "description": "The IP entity if of this device", + "alertLink": { + "description": "The uri link of the alert.", "readOnly": true, "type": "string" }, - "threatIntelligence": { - "description": "A list of TI contexts attached to the IoTDevice entity.", - "items": { - "$ref": "#/definitions/ThreatIntelligence" - }, - "readOnly": true, - "type": "array" - }, - "protocols": { - "description": "A list of protocols of the IoTDevice entity.", + "resourceIdentifiers": { + 
"description": "The list of resource identifiers of the alert.", "items": { - "type": "string" + "type": "object" }, "readOnly": true, "type": "array" 
@@ -12072,824 +7646,731 @@ }, "type": "object" }, - "UserInfo": { - "description": "User information that made some action", + "SecurityGroupEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security group entity.", "properties": { - "email": { - "description": "The email of the user.", + "properties": { + "$ref": "#/definitions/SecurityGroupEntityProperties", + "description": "SecurityGroup entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SecurityGroup" + }, + "SecurityGroupEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityGroup entity property bag.", + "properties": { + "distinguishedName": { + "description": "The group distinguished name", "readOnly": true, "type": "string" }, - "name": { - "description": "The name of the user.", + "objectGuid": { + "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", "readOnly": true, "type": "string" }, - "objectId": { - "description": "The object id of the user.", - "format": "uuid", + "sid": { + "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "SettingList": { + "description": "List of all the settings.", + "properties": { + "value": { + "description": "Array of settings.", + "items": { + "$ref": "#/definitions/Settings" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Settings": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/SettingsKind" + } + ], + "description": "The Setting.", + "discriminator": "kind", + "type": "object" + }, + "SettingsKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + 
"description": "The kind of the setting", + "enum": [ + "EyesOn", + "EntityAnalytics", + "Ueba" + ], "type": "string", - "x-nullable": true + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" + } + } + }, + "required": [ + "kind" + ], + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull threat intelligence data from TIP products.", + "properties": { + "properties": { + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "Threat Intelligence Platforms data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence Platforms data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for Threat Intelligence Platforms data connector.", + "type": "object" } }, - "type": "object" + "type": "object", + "required": [ + "indicators" + ] }, - "IncidentInfo": { - "description": "Describes related incident information for the bookmark", + "TIDataConnectorProperties": { + "description": "TI (Threat Intelligence) data connector properties.", "properties": { - "incidentId": { - "description": "Incident Id", + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", "type": "string" }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", 
- "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" + "x-nullable": true }, - "relationName": { - "description": "Relation Name", - "type": "string" + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." } }, - "type": "object" + "type": "object", + "required": [ + "tenantId", + "dataTypes" + ] }, - "WatchlistList": { - "description": "List all the watchlists.", + "TICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence Platforms data connector check requirements", "properties": { - "nextLink": { - "description": "URL to fetch the next set of watchlists.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of watchlist.", - "items": { - "$ref": "#/definitions/Watchlist" - }, - "type": "array" + "properties": { + "$ref": "#/definitions/TICheckRequirementsProperties", + "description": "Threat Intelligence Platforms data connector check required properties", + "x-ms-client-flatten": true } }, - "required": [ - "value" - ] + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" }, - "Watchlist": { + "TICheckRequirementsProperties": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "#/definitions/DataConnectorTenantId" } ], - "description": "Represents a Watchlist in Azure Security Insights.", + "description": "Threat Intelligence Platforms data connector required properties.", + "properties": {}, + "type": "object" + }, + "TiTaxiiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull Threat intelligence data from 
TAXII 2.0/2.1 server", "properties": { "properties": { - "$ref": "#/definitions/WatchlistProperties", - "description": "Watchlist properties", + "$ref": "#/definitions/TiTaxiiDataConnectorProperties", + "description": "Threat intelligence TAXII data connector properties.", "x-ms-client-flatten": true } }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" }, - "WatchlistProperties": { - "description": "Describes watchlist properties", + "TiTaxiiDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence TAXII data connector.", "properties": { - "watchlistId": { - "description": "The id (a Guid) of the watchlist", - "type": "string" - }, - "displayName": { - "description": "The display name of the watchlist", + "taxiiClient": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for TAXII connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "taxiiClient" + ] + }, + "TiTaxiiDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector properties.", + "properties": { + "workspaceId": { + "description": "The workspace id.", "type": "string" }, - "provider": { - "description": "The provider of the watchlist", + "friendlyName": { + "description": "The friendly name for the TAXII server.", "type": "string" }, - "source": { - "description": "The source of the watchlist", - "enum": [ - "Local file", - "Remote storage" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "source" - } - }, - "created": { - "description": "The time the watchlist was created", - "format": "date-time", + "taxiiServer": { + "description": "The API root for the TAXII server.", "type": "string" }, - "updated": { - "description": "The last time the watchlist was updated", - "format": "date-time", + "collectionId": { + 
"description": "The collection id of the TAXII server.", "type": "string" }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist", - "type": "object" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist", - "type": "object" - }, - "description": { - "description": "A description of the watchlist", + "userName": { + "description": "The userName for the TAXII server.", "type": "string" }, - "watchlistType": { - "description": "The type of the watchlist", + "password": { + "description": "The password for the TAXII server.", "type": "string" }, - "watchlistAlias": { - "description": "The alias of the watchlist", - "type": "string" + "taxiiLookbackPeriod": { + "description": "The lookback period for the TAXII server.", + "format": "date-time", + "type": "string", + "x-nullable": true }, - "isDeleted": { - "description": "A flag that indicates if the watchlist is deleted or not", - "type": "boolean" + "pollingFrequency": { + "description": "The polling frequency for the TAXII server.", + "type": "string", + "x-nullable": true, + "enum": [ + "OnceAMinute", + "OnceAnHour", + "OnceADay" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "PollingFrequency", + "values": [ + { + "description": "Once a minute", + "value": "OnceAMinute" + }, + { + "description": "Once an hour", + "value": "OnceAnHour" + }, + { + "description": "Once a day", + "value": "OnceADay" + } + ] + } }, - "labels": { - "description": "List of labels relevant to this watchlist", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" + "dataTypes": { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", + "description": "The available data types for Threat Intelligence TAXII data connector." 
+ } + }, + "required": [ + "dataTypes", + "pollingFrequency" + ], + "type": "object" + }, + "TiTaxiiCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence TAXII data connector check requirements", + "properties": { + "properties": { + "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", + "description": "Threat Intelligence TAXII check required properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector required properties.", + "type": "object" + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" }, - "defaultDuration": { - "description": "The default duration of a watchlist (in ISO 8601 duration format)", - "format": "duration", + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, "type": "string" }, - "tenantId": { - "description": "The tenantId where the watchlist belongs to", + "reportLink": { + "description": "Report link", + "readOnly": true, "type": "string" }, - "numberOfLinesToSkip": { - "description": "The number of lines in a csv/tsv content to skip before the header", - "type": "integer", - "format": "int32" - }, - "rawContent": { - "description": "The raw content that represents to watchlist items to create. 
In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, "type": "string" }, - "contentType": { - "description": "The content type of the raw content. Example : text/csv or text/tsv ", + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, "type": "string" }, - "uploadStatus": { - "description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", + "threatType": { + "description": "Threat type (e.g. \"Botnet\")", + "readOnly": true, "type": "string" - }, - "watchlistItemsCount": { - "description": "The number of Watchlist Items in the Watchlist", - "type": "integer", - "format": "int32" } }, - "required": [ - "displayName", - "source", - "provider" - ], "type": "object" }, - "WatchlistItemList": { - "description": "List all the watchlist items.", + "IPSyncer": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", "properties": { - "nextLink": { - "description": "URL to fetch the next set of watchlist item.", + "properties": { + "$ref": "#/definitions/IPSyncerSettingsProperties", + "description": "IPSyncer properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "IPSyncer" + }, + "IPSyncerSettingsProperties": { + "description": "IPSyncer property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of watchlist items.", - "items": { - "$ref": "#/definitions/WatchlistItem" - }, - "type": "array" + "type": "boolean" } }, - "required": [ - "value" - ] + "type": "object" }, - "WatchlistItem": { + "EyesOn": { "allOf": [ { - "$ref": 
"#/definitions/ResourceWithEtag" + "$ref": "#/definitions/Settings" } ], - "description": "Represents a Watchlist item in Azure Security Insights.", + "description": "Settings with single toggle.", "properties": { "properties": { - "$ref": "#/definitions/WatchlistItemProperties", - "description": "Watchlist Item properties", + "$ref": "#/definitions/EyesOnSettingsProperties", + "description": "EyesOn properties", "x-ms-client-flatten": true } }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "EyesOn" }, - "WatchlistItemProperties": { - "description": "Describes watchlist item properties", + "EyesOnSettingsProperties": { + "description": "EyesOn property bag.", "properties": { - "watchlistItemType": { - "description": "The type of the watchlist item", - "type": "string" - }, - "watchlistItemId": { - "description": "The id (a Guid) of the watchlist item", - "type": "string" - }, - "tenantId": { - "description": "The tenantId to which the watchlist item belongs to", - "type": "string" - }, - "isDeleted": { - "description": "A flag that indicates if the watchlist item is deleted or not", + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, "type": "boolean" - }, - "created": { - "description": "The time the watchlist item was created", - "format": "date-time", - "type": "string" - }, - "updated": { - "description": "The last time the watchlist item was updated", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist item", - "type": "object" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist item", - "type": "object" - }, - "itemsKeyValue": { - "description": "key-value pairs for a watchlist item", - "type": "object" - }, - "entityMapping": { - "description": "key-value pairs for a watchlist item entity mapping", - 
"type": "object" } }, - "required": [ - "itemsKeyValue" - ], "type": "object" }, - "ThreatIntelligenceInformationList": { - "description": "List of all the threat intelligence information objects.", + "EntityAnalytics": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", "properties": { - "nextLink": { - "description": "URL to fetch the next set of information objects.", + "properties": { + "$ref": "#/definitions/EntityAnalyticsProperties", + "description": "EntityAnalytics properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "EntityAnalytics" + }, + "EntityAnalyticsProperties": { + "description": "EntityAnalytics property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of threat intelligence information objects.", - "items": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - }, - "type": "array" + "type": "boolean" } }, - "required": [ - "value" - ] + "type": "object" }, - "ThreatIntelligenceInformation": { + "Ueba": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/ThreatIntelligenceResourceKind" + "$ref": "#/definitions/Settings" } ], - "description": "Threat intelligence information object.", - "discriminator": "kind", + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/UebaProperties", + "description": "Ueba properties", + "x-ms-client-flatten": true + } + }, "type": "object", - "required": [ - "kind" - ] + "x-ms-discriminator-value": "Ueba" + }, + "UebaProperties": { + "description": "Ueba property bag.", + "properties": { + "dataSources": { + "description": "The relevant data sources that enriched by ueba", + "items": { + "$ref": "#/definitions/UebaDataSources" + }, + "type": "array" + } + }, + 
"type": "object" + }, + "UebaDataSources": { + "description": "The data source that enriched by ueba.", + "enum": [ + "AuditLogs", + "AzureActivity", + "SecurityEvent", + "SigninLogs" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "UebaDataSources" + } }, - "ThreatIntelligenceIndicatorModel": { + "UrlEntity": { "allOf": [ { - "$ref": "#/definitions/ThreatIntelligenceInformation" + "$ref": "#/definitions/Entity" } ], - "description": "Threat intelligence indicator entity.", + "description": "Represents a url entity.", "properties": { "properties": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", - "description": "Threat Intelligence Entity properties", + "$ref": "#/definitions/UrlEntityProperties", + "description": "Url entity properties", "x-ms-client-flatten": true } }, "type": "object", - "x-ms-discriminator-value": "indicator" + "x-ms-discriminator-value": "Url" }, - "ThreatIntelligenceIndicatorModelForRequestBody": { + "UrlEntityProperties": { "allOf": [ { - "$ref": "#/definitions/ThreatIntelligenceResourceKind" + "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Threat intelligence indicator entity used in request body.", + "description": "Url entity property bag.", "properties": { - "etag": { - "description": "Etag of the azure resource", + "url": { + "description": "A full URL the entity points to", + "readOnly": true, "type": "string" - }, - "properties": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", - "description": "Threat Intelligence Entity properties", - "x-ms-client-flatten": true } }, - "type": "object", - "x-ms-discriminator-value": "indicator" + "type": "object" }, - "ThreatIntelligenceResourceKind": { - "description": "Describes an entity with kind.", + "IoTDeviceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an IoT device entity.", "properties": { - "kind": { - "$ref": 
"#/definitions/ThreatIntelligenceResourceInnerKind", - "description": "The kind of the entity." + "properties": { + "$ref": "#/definitions/IoTDeviceEntityProperties", + "description": "IoTDevice entity properties", + "x-ms-client-flatten": true } }, - "required": [ - "kind" - ], - "type": "object" - }, - "ThreatIntelligenceResourceInnerKind": { - "description": "The kind of the threat intelligence entity", - "enum": [ - "indicator" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ThreatIntelligenceResourceKind", - "values": [ - { - "description": "Entity represents threat intelligence indicator in the system.", - "value": "indicator" - } - ] - } + "type": "object", + "x-ms-discriminator-value": "IoTDevice" }, - "ThreatIntelligenceIndicatorProperties": { + "IoTDeviceEntityProperties": { "allOf": [ { "$ref": "#/definitions/EntityCommonProperties" } ], - "description": "Describes threat intelligence entity properties", + "description": "IoTDevice entity property bag.", "properties": { - "threatIntelligenceTags": { - "description": "List of tags", - "items": { - "description": "tag", - "type": "string" - }, - "type": "array" - }, - "lastUpdatedTimeUtc": { - "description": "Last updated time in UTC", - "type": "string" - }, - "source": { - "description": "Source of a threat intelligence entity", - "type": "string" - }, - "displayName": { - "description": "Display name of a threat intelligence entity", - "type": "string" - }, - "description": { - "description": "Description of a threat intelligence entity", - "type": "string" - }, - "indicatorTypes": { - "description": "Indicator types of threat intelligence entities", - "items": { - "description": "Indicator type of a threat intelligence entity", - "type": "string" - }, - "type": "array" - }, - "pattern": { - "description": "Pattern of a threat intelligence entity", - "type": "string" - }, - "patternType": { - "description": "Pattern type of a threat intelligence entity", - "type": "string" 
- }, - "patternVersion": { - "description": "Pattern version of a threat intelligence entity", - "type": "string" - }, - "killChainPhases": { - "description": "Kill chain phases", - "items": { - "description": "Kill chain phase", - "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" - }, - "type": "array" - }, - "parsedPattern": { - "description": "Parsed patterns", - "items": { - "description": "Parsed pattern", - "$ref": "#/definitions/ThreatIntelligenceParsedPattern" - }, - "type": "array" - }, - "externalId": { - "description": "External ID of threat intelligence entity", - "type": "string" - }, - "createdByRef": { - "description": "Created by reference of threat intelligence entity", - "type": "string" - }, - "defanged": { - "description": "Is threat intelligence entity defanged", - "type": "boolean" - }, - "externalLastUpdatedTimeUtc": { - "description": "External last updated time in UTC", - "type": "string" - }, - "externalReferences": { - "description": "External References", - "items": { - "description": "external_reference", - "$ref": "#/definitions/ThreatIntelligenceExternalReference" - }, - "type": "array" - }, - "granularMarkings": { - "description": "Granular Markings", - "items": { - "description": "Granular marking", - "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" - }, - "type": "array" - }, - "labels": { - "description": "Labels of threat intelligence entity", - "items": { - "description": "label", - "type": "string" - }, - "type": "array" - }, - "revoked": { - "description": "Is threat intelligence entity revoked", - "type": "boolean" - }, - "confidence": { - "description": "Confidence of threat intelligence entity", - "type": "integer", - "format": "int32" - }, - "objectMarkingRefs": { - "description": "Threat intelligence entity object marking references", - "items": { - "description": "Threat intelligence entity object marking reference", - "type": "string" - }, - "type": "array" - }, - "language": { - "description": 
"Language of threat intelligence entity", + "deviceId": { + "description": "The ID of the IoT Device in the IoT Hub", + "readOnly": true, "type": "string" }, - "threatTypes": { - "description": "Threat types", - "items": { - "description": "Threat type", - "type": "string" - }, - "type": "array" - }, - "validFrom": { - "description": "Valid from", + "deviceName": { + "description": "The friendly name of the device", + "readOnly": true, "type": "string" }, - "validUntil": { - "description": "Valid until", + "source": { + "description": "The source of the device", + "readOnly": true, "type": "string" }, - "created": { - "description": "Created by", + "iotSecurityAgentId": { + "description": "The ID of the security agent running on the device", + "format": "uuid", + "readOnly": true, "type": "string" }, - "modified": { - "description": "Modified by", + "deviceType": { + "description": "The type of the device", + "readOnly": true, "type": "string" }, - "extensions": { - "description": "Extensions map", - "type": "object", - "additionalProperties": {} - } - }, - "type": "object" - }, - "ThreatIntelligenceKillChainPhase": { - "description": "Describes threat kill chain phase entity", - "properties": { - "killChainName": { - "description": "Kill chainName name", + "vendor": { + "description": "The vendor of the device", + "readOnly": true, "type": "string" }, - "phaseName": { - "description": "Phase name", - "type": "string" - } - }, - "type": "object" - }, - "ThreatIntelligenceParsedPattern": { - "description": "Describes parsed pattern entity", - "properties": { - "patternTypeKey": { - "description": "Pattern type key", + "edgeId": { + "description": "The ID of the edge device", + "readOnly": true, "type": "string" }, - "patternTypeValues": { - "description": "Pattern type keys", - "items": { - "description": "Pattern type key", - "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" - }, - "type": "array" - } - }, - "type": "object" - }, - 
"ThreatIntelligenceParsedPatternTypeValue": { - "description": "Describes threat kill chain phase entity", - "properties": { - "valueType": { - "description": "Type of the value", + "macAddress": { + "description": "The MAC address of the device", + "readOnly": true, "type": "string" }, - "value": { - "description": "Value of parsed pattern", - "type": "string" - } - }, - "type": "object" - }, - "ThreatIntelligenceGranularMarkingModel": { - "description": "Describes threat granular marking model entity", - "properties": { - "language": { - "description": "Language granular marking model", + "model": { + "description": "The model of the device", + "readOnly": true, "type": "string" }, - "markingRef": { - "description": "marking reference granular marking model", - "type": "integer", - "format": "int32" - }, - "selectors": { - "description": "granular marking model selectors", - "items": { - "description": "granular marking model selector", - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "ThreatIntelligenceExternalReference": { - "description": "Describes external reference", - "properties": { - "description": { - "description": "External reference description", + "serialNumber": { + "description": "The serial number of the device", + "readOnly": true, "type": "string" }, - "externalId": { - "description": "External reference ID", + "firmwareVersion": { + "description": "The firmware version of the device", + "readOnly": true, "type": "string" }, - "sourceName": { - "description": "External reference source name", + "operatingSystem": { + "description": "The operating system of the device", + "readOnly": true, "type": "string" }, - "url": { - "description": "External reference URL", + "iotHubEntityId": { + "description": "The AzureResource entity id of the IoT Hub", + "readOnly": true, "type": "string" }, - "hashes": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "External reference hashes" - } 
- }, - "type": "object" - }, - "ThreatIntelligenceFilteringCriteria": { - "description": "Filtering criteria for querying threat intelligence indicators.", - "properties": { - "pageSize": { - "description": "Page size", - "type": "integer", - "format": "int32" - }, - "minConfidence": { - "description": "Minimum confidence.", - "type": "integer", - "format": "int32" - }, - "maxConfidence": { - "description": "Maximum confidence.", - "type": "integer", - "format": "int32" - }, - "minValidUntil": { - "description": "Start time for ValidUntil filter.", + "hostEntityId": { + "description": "The Host entity id of this device", + "readOnly": true, "type": "string" }, - "maxValidUntil": { - "description": "End time for ValidUntil filter.", + "ipAddressEntityId": { + "description": "The IP entity if of this device", + "readOnly": true, "type": "string" }, - "includeDisabled": { - "description": "Parameter to include/exclude disabled indicators.", - "type": "boolean" - }, - "sortBy": { - "description": "Columns to sort by and sorting order", - "items": { - "description": "Sort By", - "$ref": "#/definitions/ThreatIntelligenceSortingCriteria" - }, - "type": "array" - }, - "sources": { - "description": "Sources of threat intelligence indicators", - "items": { - "description": "Source", - "type": "string" - }, - "type": "array" - }, - "patternTypes": { - "description": "Pattern types", - "items": { - "description": "Pattern type", - "type": "string" - }, - "type": "array" - }, - "threatTypes": { - "description": "Threat types of threat intelligence indicators", - "items": { - "description": "Threat type of a threat intelligence indicator", - "type": "string" - }, - "type": "array" - }, - "ids": { - "description": "Ids of threat intelligence indicators", + "threatIntelligence": { + "description": "A list of TI contexts attached to the IoTDevice entity.", "items": { - "description": "Id of a threat intelligence indicator", - "type": "string" + "$ref": 
"#/definitions/ThreatIntelligence" }, + "readOnly": true, "type": "array" }, - "keywords": { - "description": "Keywords for searching threat intelligence indicators", + "protocols": { + "description": "A list of protocols of the IoTDevice entity.", "items": { - "description": "keyword for searching threat intelligence indicators", "type": "string" }, + "readOnly": true, "type": "array" - }, - "skipToken": { - "description": "Skip token.", - "type": "string" } }, "type": "object" }, - "ThreatIntelligenceSortingCriteria": { - "description": "List of available columns for sorting", + "UserInfo": { + "description": "User information that made some action", "properties": { - "itemKey": { - "description": "Column name", + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, "type": "string" }, - "sortOrder": { - "$ref": "#/definitions/ThreatIntelligenceSortingOrder", - "description": "Sorting order (ascending/descending/unsorted)." 
+ "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true } }, "type": "object" }, - "ThreatIntelligenceSortingOrder": { - "description": "Sorting order (ascending/descending/unsorted).", - "enum": [ - "unsorted", - "ascending", - "descending" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ThreatIntelligenceSortingCriteria", - "values": [ - { - "value": "unsorted" - }, - { - "value": "ascending" - }, - { - "value": "descending" - } - ] - } - }, - "ThreatIntelligenceAppendTags": { - "description": "Array of tags to be appended to the threat intelligence indicator.", + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", "properties": { - "threatIntelligenceTags": { - "description": "List of tags to be appended.", - "items": { - "description": "parameter", - "type": "string" - }, - "type": "array" + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" } }, "type": "object" }, - "ThreatIntelligenceMetricsList": { - "description": "List of all the threat intelligence metric fields (type/threat type/source).", + "WatchlistList": { + "description": "List all the watchlists.", 
"properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlists.", + "readOnly": true, + "type": "string" + }, "value": { - "description": "Array of threat intelligence metric fields (type/threat type/source).", + "description": "Array of watchlist.", "items": { - "$ref": "#/definitions/ThreatIntelligenceMetrics" + "$ref": "#/definitions/Watchlist" }, "type": "array" } 
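Review bot: `TiTaxiiDataConnectorProperties.password` is modelled as an ordinary `"type": "string"` with no secret marking, so generated clients and any GET/list response will treat it like any other property; it should carry `"x-ms-secret": true` (`"password": { "description": "The password for the TAXII server.", "type": "string", "x-ms-secret": true }`) so it is write-only in the emitted SDKs and not echoed back. The `IPSyncer` setting declares `"x-ms-discriminator-value": "IPSyncer"` but `SettingsKind.kind` only enumerates `EyesOn`, `EntityAnalytics` and `Ueba`, so the discriminator value is not a documented `SettingKind`; either add `"IPSyncer"` to that enum or drop the `IPSyncer` definitions. `ThreatIntelligence.confidence` says "must be between 0 and 1" in prose only; adding `"minimum": 0, "maximum": 1` makes validators enforce it. These definitions look like they were relocated rather than newly authored, so the same gaps presumably existed in the old location, but the new side is where they should be fixed.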
@@ -12898,294 +8379,219 @@ "value" ] }, - "ThreatIntelligenceMetrics": { - "description": "Threat intelligence metrics.", + "Watchlist": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist in Azure Security Insights.", "properties": { "properties": { - "description": "Threat intelligence metrics.", - "$ref": "#/definitions/ThreatIntelligenceMetric" + "$ref": "#/definitions/WatchlistProperties", + "description": "Watchlist properties", + "x-ms-client-flatten": true } - } + }, + "type": "object" }, - "ThreatIntelligenceMetric": { - "description": "Describes threat intelligence metric", + "WatchlistProperties": { + "description": "Describes watchlist properties", "properties": { - "lastUpdatedTimeUtc": { - "description": "Last updated indicator metric", + "watchlistId": { + "description": "The id (a Guid) of the watchlist", "type": "string" }, - "threatTypeMetrics": { - "description": "Threat type metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" - }, - "patternTypeMetrics": { - "description": "Pattern type metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" + "displayName": { + "description": "The display name of the watchlist", + "type": "string" }, - "sourceMetrics": { - "description": "Source metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" - } - }, - "type": "object" - }, - "ThreatIntelligenceMetricEntity": { - "description": "Describes threat intelligence metric entity", - "properties": { - "metricName": { - "description": "Metric name", + "provider": { + "description": "The provider of the watchlist", "type": "string" }, - "metricValue": { - "description": "Metric value", - "type": "integer", - "format": "int32" - } - }, - "type": "object" - }, - 
"EntityGetInsightsParameters": { - "description": "The parameters required to execute insights operation on the given entity.", - "type": "object", - "properties": { - "startTime": { - "description": "The start timeline date, so the results returned are after this date.", + "source": { + "description": "The source of the watchlist", + "enum": [ + "Local file", + "Remote storage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "source" + } + }, + "created": { + "description": "The time the watchlist was created", "format": "date-time", "type": "string" }, - "endTime": { - "description": "The end timeline date, so the results returned are before this date.", + "updated": { + "description": "The last time the watchlist was updated", "format": "date-time", "type": "string" }, - "addDefaultExtendedTimeRange": { - "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", - "type": "boolean" + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" }, - "insightQueryIds": { - "description": "List of Insights Query Id. If empty, default value is all insights of this entity", - "type": "array", - "items": { - "description": "Insight Query Id (GUID)", - "format": "uuid", - "type": "string" - } - } - }, - "required": [ - "startTime", - "endTime" - ] - }, - "EntityGetInsightsResponse": { - "description": "The Get Insights result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/GetInsightsResultsMetadata", - "description": "The metadata from the get insights operation results." 
+ "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" }, - "value": { - "description": "The insights result values.", + "description": { + "description": "A description of the watchlist", + "type": "string" + }, + "watchlistType": { + "description": "The type of the watchlist", + "type": "string" + }, + "watchlistAlias": { + "description": "The alias of the watchlist", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist is deleted or not", + "type": "boolean" + }, + "labels": { + "description": "List of labels relevant to this watchlist", "items": { - "$ref": "#/definitions/EntityInsightItem" + "$ref": "#/definitions/Label" }, "type": "array" - } - } - }, - "GetInsightsResultsMetadata": { - "description": "Get Insights result metadata.", - "properties": { - "totalCount": { - "description": "the total items found for the insights request", + }, + "defaultDuration": { + "description": "The default duration of a watchlist (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "tenantId": { + "description": "The tenantId where the watchlist belongs to", + "type": "string" + }, + "numberOfLinesToSkip": { + "description": "The number of lines in a csv/tsv content to skip before the header", "type": "integer", "format": "int32" }, - "errors": { - "description": "information about the failed queries", - "items": { - "$ref": "#/definitions/GetInsightsError" - }, - "type": "array" + "rawContent": { + "description": "The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + "type": "string" + }, + "contentType": { + "description": "The content type of the raw content. 
Example : text/csv or text/tsv ", + "type": "string" + }, + "uploadStatus": { + "description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", + "type": "string" + }, + "watchlistItemsCount": { + "description": "The number of Watchlist Items in the Watchlist", + "type": "integer", + "format": "int32" } }, "required": [ - "totalCount" + "displayName", + "source", + "provider" ], "type": "object" }, - "GetInsightsError": { - "description": "GetInsights Query Errors.", + "WatchlistItemList": { + "description": "List all the watchlist items.", "properties": { - "kind": { - "description": "the query kind", - "type": "string", - "enum": [ - "Insight" - ] - }, - "queryId": { - "description": "the query id", + "nextLink": { + "description": "URL to fetch the next set of watchlist item.", + "readOnly": true, "type": "string" }, - "errorMessage": { - "description": "the error message", - "type": "string" + "value": { + "description": "Array of watchlist items.", + "items": { + "$ref": "#/definitions/WatchlistItem" + }, + "type": "array" } }, "required": [ - "kind", - "errorMessage" - ], - "type": "object" + "value" + ] }, - "EntityQueryItem": { - "description": "An abstract Query item for entity", - "type": "object", - "discriminator": "kind", + "WatchlistItem": { "allOf": [ { - "$ref": "#/definitions/EntityQueryKind" + "$ref": "#/definitions/ResourceWithEtag" } ], + "description": "Represents a Watchlist item in Azure Security Insights.", "properties": { - "id": { - "description": "Query Template ARM ID", - "type": "string", - "readOnly": true - }, - "name": { - "description": "Query Template ARM Name", - "type": "string" - }, - "type": { - "description": "ARM Type", - "type": "string" + "properties": { + "$ref": "#/definitions/WatchlistItemProperties", + "description": "Watchlist Item properties", + "x-ms-client-flatten": true } }, - "required": [ - "kind" 
- ] + "type": "object" }, - "EntityQueryItemProperties": { - "description": "An properties abstract Query item for entity", - "type": "object", + "WatchlistItemProperties": { + "description": "Describes watchlist item properties", "properties": { - "dataTypes": { - "description": "Data types for template", - "type": "array", - "items": { - "properties": { - "dataType": { - "description": "Data type name", - "type": "string" - } - } - } + "watchlistItemType": { + "description": "The type of the watchlist item", + "type": "string" }, - "inputEntityType": { - "description": "The type of the entity", - "$ref": "#/definitions/EntityInnerType" + "watchlistItemId": { + "description": "The id (a Guid) of the watchlist item", + "type": "string" }, - "requiredInputFieldsSets": { - "description": "Data types for template", - "type": "array", - "items": { - "type": "array", - "items": { - "type": "string" - } - } + "tenantId": { + "description": "The tenantId to which the watchlist item belongs to", + "type": "string" }, - "entitiesFilter": { - "description": "The query applied only to entities matching to all filters", - "type": "object" - } - } - }, - "EntityInsightItem": { - "description": "Entity insight Item.", - "type": "object", - "properties": { - "queryId": { - "type": "string", - "description": "The query id of the insight" + "isDeleted": { + "description": "A flag that indicates if the watchlist item is deleted or not", + "type": "boolean" }, - "queryTimeInterval": { - "type": "object", - "description": "The Time interval that the query actually executed on.", - "properties": { - "startTime": { - "format": "date-time", - "type": "string", - "description": "Insight query start time" - }, - "endTime": { - "format": "date-time", - "type": "string", - "description": "Insight query end time" - } - } + "created": { + "description": "The time the watchlist item was created", + "format": "date-time", + "type": "string" }, - "tableQueryResults": { - "$ref": 
"#/definitions/InsightsTableResult", - "description": "Query results for table insights query." + "updated": { + "description": "The last time the watchlist item was updated", + "format": "date-time", + "type": "string" }, - "chartQueryResults": { - "type": "array", - "description": "Query results for table insights query.", - "items": { - "$ref": "#/definitions/InsightsTableResult", - "description": "Query results for table insights query." - } - } - } - }, - "InsightsTableResult": { - "type": "object", - "description": "Query results for table insights query.", - "properties": { - "columns": { - "type": "array", - "description": "Columns Metadata of the table", - "items": { - "properties": { - "type": { - "type": "string", - "description": "the type of the colum" - }, - "name": { - "type": "string", - "description": "the name of the colum" - } - } - } + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist item", + "type": "object" }, - "rows": { - "type": "array", - "description": "Rows data of the table", - "items": { - "type": "array", - "description": "Single row of data", - "items": { - "type": "string", - "description": "Cell in the table" - } - } + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist item", + "type": "object" + }, + "itemsKeyValue": { + "description": "key-value pairs for a watchlist item", + "type": "object" + }, + "entityMapping": { + "description": "key-value pairs for a watchlist item entity mapping", + "type": "object" } - } + }, + "required": [ + "itemsKeyValue" + ], + "type": "object" } }, "parameters": { 
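Review bot: `uploadStatus` in the new WatchlistProperties is described as taking exactly New, InProgress or Complete (and the description says a watchlist cannot be deleted while InProgress) but is modeled as an unconstrained `"type": "string"`, so neither validators nor generated clients can see those values; model it as `"enum": ["New", "InProgress", "Complete"]` with an `x-ms-enum` block (`modelAsString: true`) the way `severity` on IncidentInfo is modeled earlier in the file. In the same hunk `watchlistId` and `watchlistItemId` are documented as "(a Guid)" but carry no `"format": "uuid"`, which `UserInfo.objectId` does, and `numberOfLinesToSkip` is an `int32` with no `"minimum": 0` although a negative skip count has no meaning. The `x-ms-enum` name for `source` is the lowercase `"source"` while the other `x-ms-enum` names visible here are PascalCase (`CaseSeverity`), so the generated type name will be inconsistent. The `rawContent` description also reads "represents to watchlist items … that will parsed"; suggest `"The raw content that represents the watchlist items to create. For csv/tsv content types this is the file content that will be parsed by the endpoint"`.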
@@ -13207,14 +8613,6 @@
 "type": "string",
 "x-ms-parameter-location": "method"
 },
- "AggregationsName": {
- "description": "The aggregation name. Supports - Cases",
- "in": "path",
- "name": "aggregationsName",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
 "AlertRule": {
 "description": "The alert rule",
 "in": "body",
@@ -13243,16 +8641,6 @@
 "required": true,
 "type": "string"
 },
- "Bookmark": {
- "description": "The bookmark",
- "in": "body",
- "name": "bookmark",
- "required": true,
- "schema": {
- "$ref": "#/definitions/Bookmark"
- },
- "x-ms-parameter-location": "method"
- },
 "RelationName": {
 "name": "relationName",
 "in": "path",
@@ -13261,68 +8649,6 @@
 "description": "Relation Name",
 "x-ms-parameter-location": "method"
 },
- "RelationInputModel": {
- "name": "relationInputModel",
- "in": "body",
- "description": "The relation input model",
- "required": true,
- "schema": {
- "$ref": "#/definitions/RelationsModelInput"
- },
- "x-ms-parameter-location": "method"
- },
- "BookmarkId": {
- "description": "Bookmark ID",
- "in": "path",
- "name": "bookmarkId",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "Case": {
- "description": "The case",
- "in": "body",
- "name": "case",
- "required": true,
- "schema": {
- "$ref": "#/definitions/Case"
- },
- "x-ms-parameter-location": "method"
- },
- "CaseComment": {
- "description": "The case comment",
- "in": "body",
- "name": "caseComment",
- "required": true,
- "schema": {
- "$ref": "#/definitions/CaseComment"
- },
- "x-ms-parameter-location": "method"
- },
- "CaseCommentId": {
- "description": "Case comment ID",
- "in": "path",
- "name": "caseCommentId",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "CaseId": {
- "description": "Case ID",
- "in": "path",
- "name": "caseId",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "ConsentId": {
- "description": "consent ID",
- "in": "path",
- "name": "consentId",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
 "DataConnector": {
 "description": "The data connector",
 "in": "body",
@@ -13351,70 +8677,6 @@
 },
 "x-ms-parameter-location": "method"
 },
- "EnrichmentDomain": {
- "description": "Domain name to be enriched",
- "in": "query",
- "name": "domain",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "EnrichmentIpAddress": {
- "description": "IP address (v4 or v6) to be enriched",
- "in": "query",
- "name": "ipAddress",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "EntityExpandRequestBody": {
- "description": "The parameters required to execute an expand operation on the given entity.",
- "in": "body",
- "name": "parameters",
- "required": true,
- "schema": {
- "$ref": "#/definitions/EntityExpandParameters"
- },
- "x-ms-parameter-location": "method"
- },
- "BookmarkExpandRequestBody": {
- "description": "The parameters required to execute an expand operation on the given bookmark.",
- "in": "body",
- "name": "parameters",
- "required": true,
- "schema": {
- "$ref": "#/definitions/BookmarkExpandParameters"
- },
- "x-ms-parameter-location": "method"
- },
- "EntityTimelineRequestBody": {
- "description": "The parameters required to execute an timeline operation on the given entity.",
- "in": "body",
- "name": "parameters",
- "required": true,
- "schema": {
- "$ref": "#/definitions/EntityTimelineParameters"
- },
- "x-ms-parameter-location": "method"
- },
- "GetInsightsEntityQueriesRequestBody": {
- "description": "The parameters required to execute insights on the given entity.",
- "name": "parameters",
- "in": "body",
- "required": true,
- "schema": {
- "$ref": "#/definitions/EntityGetInsightsParameters"
- },
- "x-ms-parameter-location": "method"
- },
- "EntityId": {
- "description": "entity ID",
- "in": "path",
- "name": "entityId",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
 "EntityQueryId": {
 "description": "entity query ID",
 "in": "path",
@@ -13459,27 +8721,6 @@
 "type": "string",
 "x-ms-parameter-location": "method"
 },
- "EntityQueryKindParam": {
- "description": "The Kind parameter for queries",
- "in": "query",
- "name": "kind",
- "required": true,
- "type": "string",
- "enum": [
- "Insight"
- ],
- "x-ms-enum": {
- "modelAsString": true,
- "name": "EntityItemQueryKind",
- "values": [
- {
- "description": "insight",
- "value": "Insight"
- }
- ]
- },
- "x-ms-parameter-location": "method"
- },
 "ODataFilter": {
 "description": "Filters the results, based on a Boolean condition. Optional.",
 "in": "query",
@@ -13621,62 +8862,6 @@
 "required": true,
 "type": "string",
 "x-ms-parameter-location": "method"
- },
- "ThreatIntelligenceName": {
- "description": "Threat intelligence indicator name field.",
- "in": "path",
- "name": "name",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "ThreatIntelligenceProperties": {
- "description": "Properties of threat intelligence indicators to create and update.",
- "in": "body",
- "name": "ThreatIntelligenceProperties",
- "required": true,
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody"
- },
- "x-ms-parameter-location": "method"
- },
- "ThreatIntelligenceReplaceTags": {
- "description": "Tags in the threat intelligence indicator to be replaced.",
- "in": "body",
- "name": "ThreatIntelligenceReplaceTags",
- "required": true,
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody"
- },
- "x-ms-parameter-location": "method"
- },
- "ThreatIntelligenceFilteringCriteria": {
- "description": "Filtering criteria for querying threat intelligence indicators.",
- "in": "body",
- "name": "ThreatIntelligenceFilteringCriteria",
- "required": true,
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria"
- },
- "x-ms-parameter-location": "method"
- },
- "ThreatIntelligenceIndicatorEntityKind": {
- "description": "The threat intelligence entity kind",
- "in": "query",
- "name": "ctiEntityKind",
- "required": false,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "ThreatIntelligenceAppendTags": {
- "description": "The threat intelligence append tags request body",
- "in": "body",
- "name": "ThreatIntelligenceAppendTags",
- "required": true,
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceAppendTags"
- },
- "x-ms-parameter-location": "method"
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/ThreatIntelligence.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/ThreatIntelligence.json
new file mode 100644
index 000000000000..a860224c3c83
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/ThreatIntelligence.json
@@ -0,0 +1,1129 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2019-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": { + "post": { + "x-ms-examples": { + "Create a new Threat Intelligence": { + "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Create a new threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_CreateIndicator", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceProperties" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": 
"#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to create indicators.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": { + "get": { + "x-ms-examples": { + "Get all threat intelligence indicators": { + "$ref": "./examples/threatintelligence/GetThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Get all threat intelligence indicators.", + "operationId": "ThreatIntelligenceIndicators_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataFilter" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataOrderBy" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataTop" + }, + { + "$ref": "SecurityInsights.json#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed to get indicators.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": { + "get": { + "x-ms-examples": { + "View a threat intelligence indicator by name": { + "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "View a threat intelligence indicator by name.", + "operationId": "ThreatIntelligenceIndicator_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to view an indicator.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Update a threat Intelligence indicator": { + "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Update a threat Intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Create", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": 
"SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceProperties" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to update an indicator.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Delete a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed to delete an indicator.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": { + "post": { + "x-ms-examples": { + "Query threat intelligence indicators as 
per filtering criteria": { + "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Query threat intelligence indicators as per filtering criteria.", + "operationId": "ThreatIntelligenceIndicator_QueryIndicators", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": { + "get": { + "x-ms-examples": { + "Get threat intelligence indicators metrics.": { + "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).", + "operationId": "ThreatIntelligenceIndicatorMetrics_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": 
"SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceMetricsList" + } + }, + "default": { + "description": "Error response describing why the operation failed to get metrics.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": { + "post": { + "x-ms-examples": { + "Append tags to a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Append tags to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_AppendTags", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceAppendTags" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "default": { + "description": "Error response describing why the operation failed to append tags.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": { + "post": { + "x-ms-examples": { + "Replace tags to a Threat Intelligence": { + "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Replace tags added to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_ReplaceTags", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceReplaceTags" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to replace tags.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "ThreatIntelligenceName": { + "description": "Threat intelligence indicator name field.", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceProperties": { + "description": "Properties of threat intelligence indicators to create and update.", + "in": "body", + "name": "ThreatIntelligenceProperties", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" + }, + "x-ms-parameter-location": "method" + }, + 
"ThreatIntelligenceReplaceTags": {
+ "description": "Tags in the threat intelligence indicator to be replaced.",
+ "in": "body",
+ "name": "ThreatIntelligenceReplaceTags",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody"
+ },
+ "x-ms-parameter-location": "method"
+ },
+ "ThreatIntelligenceFilteringCriteria": {
+ "description": "Filtering criteria for querying threat intelligence indicators.",
+ "in": "body",
+ "name": "ThreatIntelligenceFilteringCriteria",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria"
+ },
+ "x-ms-parameter-location": "method"
+ },
+ "ThreatIntelligenceIndicatorEntityKind": {
+ "description": "The threat intelligence entity kind",
+ "in": "query",
+ "name": "ctiEntityKind",
+ "required": false,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
+ "ThreatIntelligenceAppendTags": {
+ "description": "The threat intelligence append tags request body",
+ "in": "body",
+ "name": "ThreatIntelligenceAppendTags",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/ThreatIntelligenceAppendTags"
+ },
+ "x-ms-parameter-location": "method"
+ }
+ },
+ "definitions": {
+ "ThreatIntelligenceInformationList": {
+ "description": "List of all the threat intelligence information objects.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of information objects.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of threat intelligence information objects.",
+ "items": {
+ "$ref": "#/definitions/ThreatIntelligenceInformation"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "ThreatIntelligenceInformation": {
+ "allOf": [
+ {
+ "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag"
+ },
+ {
+ "$ref": "#/definitions/ThreatIntelligenceResourceKind"
+ }
+ ],
+ "description": "Threat intelligence information object.",
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "ThreatIntelligenceIndicatorModel": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/ThreatIntelligenceInformation"
+ }
+ ],
+ "description": "Threat intelligence indicator entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties",
+ "description": "Threat Intelligence Entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "indicator"
+ },
+ "ThreatIntelligenceIndicatorModelForRequestBody": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/ThreatIntelligenceResourceKind"
+ }
+ ],
+ "description": "Threat intelligence indicator entity used in request body.",
+ "properties": {
+ "etag": {
+ "description": "Etag of the azure resource",
+ "type": "string"
+ },
+ "properties": {
+ "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties",
+ "description": "Threat Intelligence Entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "indicator"
+ },
+ "ThreatIntelligenceResourceKind": {
+ "description": "Describes an entity with kind.",
+ "properties": {
+ "kind": {
+ "$ref": "#/definitions/ThreatIntelligenceResourceInnerKind",
+ "description": "The kind of the entity."
+ }
+ },
+ "required": [
+ "kind"
+ ],
+ "type": "object"
+ },
+ "ThreatIntelligenceResourceInnerKind": {
+ "description": "The kind of the threat intelligence entity",
+ "enum": [
+ "indicator"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "ThreatIntelligenceResourceKind",
+ "values": [
+ {
+ "description": "Entity represents threat intelligence indicator in the system.",
+ "value": "indicator"
+ }
+ ]
+ }
+ },
+ "ThreatIntelligenceIndicatorProperties": {
+ "allOf": [
+ {
+ "$ref": "SecurityInsights.json#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Describes threat intelligence entity properties",
+ "properties": {
+ "threatIntelligenceTags": {
+ "description": "List of tags",
+ "items": {
+ "description": "tag",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "lastUpdatedTimeUtc": {
+ "description": "Last updated time in UTC",
+ "type": "string"
+ },
+ "source": {
+ "description": "Source of a threat intelligence entity",
+ "type": "string"
+ },
+ "displayName": {
+ "description": "Display name of a threat intelligence entity",
+ "type": "string"
+ },
+ "description": {
+ "description": "Description of a threat intelligence entity",
+ "type": "string"
+ },
+ "indicatorTypes": {
+ "description": "Indicator types of threat intelligence entities",
+ "items": {
+ "description": "Indicator type of a threat intelligence entity",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "pattern": {
+ "description": "Pattern of a threat intelligence entity",
+ "type": "string"
+ },
+ "patternType": {
+ "description": "Pattern type of a threat intelligence entity",
+ "type": "string"
+ },
+ "patternVersion": {
+ "description": "Pattern version of a threat intelligence entity",
+ "type": "string"
+ },
+ "killChainPhases": {
+ "description": "Kill chain phases",
+ "items": {
+ "description": "Kill chain phase",
+ "$ref": "#/definitions/ThreatIntelligenceKillChainPhase"
+ },
+ "type": "array"
+ },
+ "parsedPattern": {
+ "description": "Parsed patterns",
+ "items": {
+ "description": "Parsed pattern",
+ "$ref": "#/definitions/ThreatIntelligenceParsedPattern"
+ },
+ "type": "array"
+ },
+ "externalId": {
+ "description": "External ID of threat intelligence entity",
+ "type": "string"
+ },
+ "createdByRef": {
+ "description": "Created by reference of threat intelligence entity",
+ "type": "string"
+ },
+ "defanged": {
+ "description": "Is threat intelligence entity defanged",
+ "type": "boolean"
+ },
+ "externalLastUpdatedTimeUtc": {
+ "description": "External last updated time in UTC",
+ "type": "string"
+ },
+ "externalReferences": {
+ "description": "External References",
+ "items": {
+ "description": "external_reference",
+ "$ref": "#/definitions/ThreatIntelligenceExternalReference"
+ },
+ "type": "array"
+ },
+ "granularMarkings": {
+ "description": "Granular Markings",
+ "items": {
+ "description": "Granular marking",
+ "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel"
+ },
+ "type": "array"
+ },
+ "labels": {
+ "description": "Labels of threat intelligence entity",
+ "items": {
+ "description": "label",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "revoked": {
+ "description": "Is threat intelligence entity revoked",
+ "type": "boolean"
+ },
+ "confidence": {
+ "description": "Confidence of threat intelligence entity",
+ "type": "integer",
+ "format": "int32"
+ },
+ "objectMarkingRefs": {
+ "description": "Threat intelligence entity object marking references",
+ "items": {
+ "description": "Threat intelligence entity object marking reference",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "language": {
+ "description": "Language of threat intelligence entity",
+ "type": "string"
+ },
+ "threatTypes": {
+ "description": "Threat types",
+ "items": {
+ "description": "Threat type",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "validFrom": {
+ "description": "Valid from",
+ "type": "string"
+ },
+ "validUntil": {
+ "description": "Valid until",
+ "type": "string"
+ },
+ "created": {
+ "description": "Created by",
+ "type": "string"
+ },
+ "modified": {
+ "description": "Modified by",
+ "type": "string"
+ },
+ "extensions": {
+ "description": "Extensions map",
+ "type": "object",
+ "additionalProperties": {}
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceKillChainPhase": {
+ "description": "Describes threat kill chain phase entity",
+ "properties": {
+ "killChainName": {
+ "description": "Kill chainName name",
+ "type": "string"
+ },
+ "phaseName": {
+ "description": "Phase name",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceParsedPattern": {
+ "description": "Describes parsed pattern entity",
+ "properties": {
+ "patternTypeKey": {
+ "description": "Pattern type key",
+ "type": "string"
+ },
+ "patternTypeValues": {
+ "description": "Pattern type keys",
+ "items": {
+ "description": "Pattern type key",
+ "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceParsedPatternTypeValue": {
+ "description": "Describes threat kill chain phase entity",
+ "properties": {
+ "valueType": {
+ "description": "Type of the value",
+ "type": "string"
+ },
+ "value": {
+ "description": "Value of parsed pattern",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceGranularMarkingModel": {
+ "description": "Describes threat granular marking model entity",
+ "properties": {
+ "language": {
+ "description": "Language granular marking model",
+ "type": "string"
+ },
+ "markingRef": {
+ "description": "marking reference granular marking model",
+ "type": "integer",
+ "format": "int32"
+ },
+ "selectors": {
+ "description": "granular marking model selectors",
+ "items": {
+ "description": "granular marking model selector",
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceExternalReference": {
+ "description": "Describes external reference",
+ "properties": {
+ "description": {
+ "description": "External reference description",
+ "type": "string"
+ },
+ "externalId": {
+ "description": "External reference ID",
+ "type": "string"
+ },
+ "sourceName": {
+ "description": "External reference source name",
+ "type": "string"
+ },
+ "url": {
+ "description": "External reference URL",
+ "type": "string"
+ },
+ "hashes": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "description": "External reference hashes"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceFilteringCriteria": {
+ "description": "Filtering criteria for querying threat intelligence indicators.",
+ "properties": {
+ "pageSize": {
+ "description": "Page size",
+ "type": "integer",
+ "format": "int32"
+ },
+ "minConfidence": {
+ "description": "Minimum confidence.",
+ "type": "integer",
+ "format": "int32"
+ },
+ "maxConfidence": {
+ "description": "Maximum confidence.",
+ "type": "integer",
+ "format": "int32"
+ },
+ "minValidUntil": {
+ "description": "Start time for ValidUntil filter.",
+ "type": "string"
+ },
+ "maxValidUntil": {
+ "description": "End time for ValidUntil filter.",
+ "type": "string"
+ },
+ "includeDisabled": {
+ "description": "Parameter to include/exclude disabled indicators.",
+ "type": "boolean"
+ },
+ "sortBy": {
+ "description": "Columns to sort by and sorting order",
+ "items": {
+ "description": "Sort By",
+ "$ref": "#/definitions/ThreatIntelligenceSortingCriteria"
+ },
+ "type": "array"
+ },
+ "sources": {
+ "description": "Sources of threat intelligence indicators",
+ "items": {
+ "description": "Source",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "patternTypes": {
+ "description": "Pattern types",
+ "items": {
+ "description": "Pattern type",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "threatTypes": {
+ "description": "Threat types of threat intelligence indicators",
+ "items": {
+ "description": "Threat type of a threat intelligence indicator",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "ids": {
+ "description": "Ids of threat intelligence indicators",
+ "items": {
+ "description": "Id of a threat intelligence indicator",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "keywords": {
+ "description": "Keywords for searching threat intelligence indicators",
+ "items": {
+ "description": "keyword for searching threat intelligence indicators",
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "skipToken": {
+ "description": "Skip token.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceSortingCriteria": {
+ "description": "List of available columns for sorting",
+ "properties": {
+ "itemKey": {
+ "description": "Column name",
+ "type": "string"
+ },
+ "sortOrder": {
+ "$ref": "#/definitions/ThreatIntelligenceSortingOrder",
+ "description": "Sorting order (ascending/descending/unsorted)."
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceSortingOrder": {
+ "description": "Sorting order (ascending/descending/unsorted).",
+ "enum": [
+ "unsorted",
+ "ascending",
+ "descending"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "ThreatIntelligenceSortingCriteria",
+ "values": [
+ {
+ "value": "unsorted"
+ },
+ {
+ "value": "ascending"
+ },
+ {
+ "value": "descending"
+ }
+ ]
+ }
+ },
+ "ThreatIntelligenceAppendTags": {
+ "description": "Array of tags to be appended to the threat intelligence indicator.",
+ "properties": {
+ "threatIntelligenceTags": {
+ "description": "List of tags to be appended.",
+ "items": {
+ "description": "parameter",
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceMetricsList": {
+ "description": "List of all the threat intelligence metric fields (type/threat type/source).",
+ "properties": {
+ "value": {
+ "description": "Array of threat intelligence metric fields (type/threat type/source).",
+ "items": {
+ "$ref": "#/definitions/ThreatIntelligenceMetrics"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "ThreatIntelligenceMetrics": {
+ "description": "Threat intelligence metrics.",
+ "properties": {
+ "properties": {
+ "description": "Threat intelligence metrics.",
+ "$ref": "#/definitions/ThreatIntelligenceMetric"
+ }
+ }
+ },
+ "ThreatIntelligenceMetric": {
+ "description": "Describes threat intelligence metric",
+ "properties": {
+ "lastUpdatedTimeUtc": {
+ "description": "Last updated indicator metric",
+ "type": "string"
+ },
+ "threatTypeMetrics": {
+ "description": "Threat type metrics",
+ "items": {
+ "description": "parameter",
+ "$ref": "#/definitions/ThreatIntelligenceMetricEntity"
+ },
+ "type": "array"
+ },
+ "patternTypeMetrics": {
+ "description": "Pattern type metrics",
+ "items": {
+ "description": "parameter",
+ "$ref": "#/definitions/ThreatIntelligenceMetricEntity"
+ },
+ "type": "array"
+ },
+ "sourceMetrics": {
+ "description": "Source metrics",
+ "items": {
+ "description": "parameter",
+ "$ref": "#/definitions/ThreatIntelligenceMetricEntity"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "ThreatIntelligenceMetricEntity": {
+ "description": "Describes threat intelligence metric entity",
+ "properties": {
+ "metricName": {
+ "description": "Metric name",
+ "type": "string"
+ },
+ "metricValue": {
+ "description": "Metric value",
+ "type": "integer",
+ "format": "int32"
+ }
+ },
+ "type": "object"
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md
index 5c706e04f486..9a9053697c51 100644
--- a/specification/securityinsights/resource-manager/readme.md
+++ b/specification/securityinsights/resource-manager/readme.md
@@ -144,8 +144,15 @@ These settings apply only when `--tag=package-2019-01-preview` is specified on t
```yaml $(tag) == 'package-2019-01-preview'
input-file:
-- Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/Aggregations.json
- Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/Bookmarks.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/Cases.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/Enrichment.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/Entities.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/OfficeConsents.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+- Microsoft.SecurityInsights/preview/2019-01-01-preview/ThreatIntelligence.json
directive:
- suppress: R4017
from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json