diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json new file mode 100644 index 000000000000..aaff726062c7 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json @@ -0,0 +1,1123 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Insights", + "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider", + "version": "2019-01-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": { + "get": { + "x-ms-examples": { + "Get all automation rules.": { + "$ref": "./examples/automationRules/GetAllAutomationRules.json" + } + }, + "tags": [ + "Automation Rules" + ], + "description": "Gets all automation rules.", + "operationId": "AutomationRules_List", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AutomationRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": { + "get": { + "x-ms-examples": { + "Get an automation rule.": { + "$ref": "./examples/automationRules/GetAutomationRule.json" + } + }, + "tags": [ + "Automation Rules" + ], + "description": "Gets the automation rule.", + "operationId": "AutomationRules_Get", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an automation rule.": { + "$ref": "./examples/automationRules/CreateAutomationRule.json" + } + }, + "tags": [ + "Automation Rules" + ], + "description": "Creates or updates the automation rule.", + "operationId": "AutomationRules_CreateOrUpdate", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + }, + { + "$ref": "#/parameters/AutomationRule" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an automation rule.": { + "$ref": "./examples/automationRules/DeleteAutomationRule.json" + } + }, + "tags": [ + "Automation Rule" + ], + "description": "Delete the automation rule.", + "operationId": "AutomationRules_Delete", + "parameters": [ + { + "$ref": "SecurityInsights.json#/parameters/ApiVersion" + }, + { + "$ref": "SecurityInsights.json#/parameters/SubscriptionId" + }, + { + "$ref": "SecurityInsights.json#/parameters/ResourceGroupName" + }, + { + "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "SecurityInsights.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "SecurityInsights.json#/definitions/CloudError" + } + } + } + } + } + }, + "parameters": { + "AutomationRule": { + "description": "The automation rule", + "in": "body", + "name": "automationRule", + "required": true, + "schema": { + "$ref": "#/definitions/AutomationRule" + }, + "x-ms-parameter-location": "method" + }, + "AutomationRuleId": { + "description": "Automation rule ID", + "in": "path", + "name": "automationRuleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + } + }, + "definitions": { + "AutomationRule": { + "allOf": [ + { + "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an automation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/AutomationRuleProperties", + "description": "Automation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "AutomationRuleAction": { + "description": "Describes an automation rule action", + "discriminator": "actionType", + "properties": { + "order": { + "description": "The order of execution of the automation rule action", + "type": "integer", + "format": "int32" + }, + "actionType": { + "description": "The type of the automation rule action", + "enum": [ + "ModifyProperties", + "RunPlaybook" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRuleActionType", + "values": [ + { + "description": "Modify an object's properties", + "value": "ModifyProperties" + }, + { + "description": "Run a playbook on an object", + "value": "RunPlaybook" + } + ] + } + } + }, + "required": [ + "order", + "actionType" + ], + "type": "object" + }, + "AutomationRuleCondition": { + "description": "Describes an automation rule condition", + "discriminator": "conditionType", + "properties": { + "conditionType": { + "description": "The type of the automation rule condition", + "enum": [ + "Property" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRuleConditionType", + "values": [ + { + "description": "Evaluate an object property value", + "value": "Property" + } + ] + } + } + }, + "required": [ + "conditionType" + ], + "type": "object" + }, + "AutomationRuleProperties": { + "description": "Describes automation rule properties", + "properties": { + "displayName": { + "description": "The display name of the automation rule", + "type": "string" + }, + "order": { + "description": "The order of execution of the automation rule", + "type": "integer", + "format": "int32" + }, + "triggeringLogic": { + "$ref": "#/definitions/AutomationRuleTriggeringLogic", + "description": "The triggering logic of the automation rule", + "type": "object" + }, + "actions": { + "description": "The actions to execute when the automation rule is triggered", + "items": { + "$ref": "#/definitions/AutomationRuleAction" + }, + "type": "array" + }, + "createdTimeUtc": { + "description": "The time the automation rule was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "lastModifiedTimeUtc": { + "description": "The last time the automation rule was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that created the automation rule", + "readOnly": true, + "type": "object" + }, + "lastModifiedBy": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that last updated the automation rule", + "readOnly": true, + "type": "object" + } + }, + "required": [ + "displayName", + "order", + "triggeringLogic", + "actions" + ], + "type": "object" + }, + "AutomationRulesList": { + "description": "List all the automation rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of automation rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of automation rules.", + "items": { + "$ref": "#/definitions/AutomationRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AutomationRuleRunPlaybookAction": { + "description": "Describes an automation rule action to run a playbook", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "description": "The configuration of the run playbook automation rule action", + "properties": { + "logicAppResourceId": { + "description": "The resource id of the playbook resource", + "type": "string" + }, + "tenantId": { + "description": "The tenant id of the playbook resource", + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "actionConfiguration" + ], + "x-ms-client-flatten": true, + "type": "object", + "x-ms-discriminator-value": "RunPlaybook" + }, + "AutomationRuleModifyPropertiesAction": { + "description": "Describes an automation rule action to modify an object's properties", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "description": "The configuration of the modify properties automation rule action", + "properties": { + "classification": { + "$ref": "#/definitions/IncidentClassification", + "description": "The reason the incident was closed" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "classificationReason": { + "$ref": "#/definitions/IncidentClassificationReason", + "description": "The classification reason to close the incident with" + }, + "labels": { + "description": "List of labels to add to the incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": "Describes a user that the incident is assigned to", + "type": "object" + }, + "severity": { + "$ref": "#/definitions/IncidentSeverity", + "description": "The severity of the incident" + }, + "status": { + "$ref": "#/definitions/IncidentStatus", + "description": "The status of the incident" + } + }, + "type": "object" + } + }, + "required": [ + "actionConfiguration" + ], + "x-ms-client-flatten": true, + "type": "object", + "x-ms-discriminator-value": "ModifyProperties" + }, + "AutomationRulePropertyConditionSupportedProperty": { + "description": "The property to evaluate in an automation rule property condition", + "enum": [ + "IncidentTitle", + "IncidentDescription", + "IncidentSeverity", + "IncidentStatus", + "IncidentTactics", + "IncidentRelatedAnalyticRuleIds", + "IncidentProviderName", + "AccountAadTenantId", + "AccountAadUserId", + "AccountName", + "AccountNTDomain", + "AccountPUID", + "AccountSid", + "AccountObjectGuid", + "AccountUPNSuffix", + "AzureResourceResourceId", + "AzureResourceSubscriptionId", + "CloudApplicationAppId", + "CloudApplicationAppName", + "DNSDomainName", + "FileDirectory", + "FileName", + "FileHashValue", + "HostAzureID", + "HostName", + "HostNetBiosName", + "HostNTDomain", + "HostOSVersion", + "IoTDeviceId", + "IoTDeviceName", + "IoTDeviceType", + "IoTDeviceVendor", + "IoTDeviceModel", + "IoTDeviceOperatingSystem", + "IPAddress", + "MailboxDisplayName", + "MailboxPrimaryAddress", + "MailboxUPN", + "MailMessageDeliveryAction", + "MailMessageDeliveryLocation", + "MailMessageRecipient", + "MailMessageSenderIP", + "MailMessageSubject", + "MailMessageP1Sender", + "MailMessageP2Sender", + "MalwareCategory", + "MalwareName", + "ProcessCommandLine", + "ProcessId", + "RegistryKey", + "RegistryValueData", + "Url" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRulePropertyConditionSupportedProperty", + "values": [ + { + "description": "The title of the incident", + "value": "IncidentTitle" + }, + { + "description": "The description of the incident", + "value": "IncidentDescription" + }, + { + "description": "The severity of the incident", + "value": "IncidentSeverity" + }, + { + "description": "The status of the incident", + "value": "IncidentStatus" + }, + { + "description": "The tactics of the incident", + "value": "IncidentTactics" + }, + { + "description": "The related Analytic rule ids of the incident", + "value": "IncidentRelatedAnalyticRuleIds" + }, + { + "description": "The provider name of the incident", + "value": "IncidentProviderName" + }, + { + "description": "The account Azure Active Directory tenant id", + "value": "AccountAadTenantId" + }, + { + "description": "The account Azure Active Directory user id.", + "value": "AccountAadUserId" + }, + { + "description": "The account name", + "value": "AccountName" + }, + { + "description": "The account NetBIOS domain name", + "value": "AccountNTDomain" + }, + { + "description": "The account Azure Active Directory Passport User ID", + "value": "AccountPUID" + }, + { + "description": "The account security identifier", + "value": "AccountSid" + }, + { + "description": "The account unique identifier", + "value": "AccountObjectGuid" + }, + { + "description": "The account user principal name suffix", + "value": "AccountUPNSuffix" + }, + { + "description": "The Azure resource id", + "value": "AzureResourceResourceId" + }, + { + "description": "The Azure resource subscription id", + "value": "AzureResourceSubscriptionId" + }, + { + "description": "The cloud application identifier", + "value": "CloudApplicationAppId" + }, + { + "description": "The cloud application name", + "value": "CloudApplicationAppName" + }, + { + "description": "The dns record domain name", + "value": "DNSDomainName" + }, + { + "description": "The file directory full path", + "value": "FileDirectory" + }, + { + "description": "The file name without path", + "value": "FileName" + }, + { + "description": "The file hash value", + "value": "FileHashValue" + }, + { + "description": "The host Azure resource id", + "value": "HostAzureID" + }, + { + "description": "The host name without domain", + "value": "HostName" + }, + { + "description": "The host NetBIOS name", + "value": "HostNetBiosName" + }, + { + "description": "The host NT domain", + "value": "HostNTDomain" + }, + { + "description": "The host operating system", + "value": "HostOSVersion" + }, + { + "description": "The IoT device id", + "value": "IoTDeviceId" + }, + { + "description": "The IoT device name", + "value": "IoTDeviceName" + }, + { + "description": "The IoT device type", + "value": "IoTDeviceType" + }, + { + "description": "The IoT device vendor", + "value": "IoTDeviceVendor" + }, + { + "description": "The IoT device model", + "value": "IoTDeviceModel" + }, + { + "description": "The IoT device operating system", + "value": "IoTDeviceOperatingSystem" + }, + { + "description": "The IP address", + "value": "IPAddress" + }, + { + "description": "The mailbox display name", + "value": "MailboxDisplayName" + }, + { + "description": "The mailbox primary address", + "value": "MailboxPrimaryAddress" + }, + { + "description": "The mailbox user principal name", + "value": "MailboxUPN" + }, + { + "description": "The mail message delivery action", + "value": "MailMessageDeliveryAction" + }, + { + "description": "The mail message delivery location", + "value": "MailMessageDeliveryLocation" + }, + { + "description": "The mail message recipient", + "value": "MailMessageRecipient" + }, + { + "description": "The mail message sender IP address", + "value": "MailMessageSenderIP" + }, + { + "description": "The mail message subject", + "value": "MailMessageSubject" + }, + { + "description": "The mail message P1 sender", + "value": "MailMessageP1Sender" + }, + { + "description": "The mail message P2 sender", + "value": "MailMessageP2Sender" + }, + { + "description": "The malware category", + "value": "MalwareCategory" + }, + { + "description": "The malware name", + "value": "MalwareName" + }, + { + "description": "The process execution command line", + "value": "ProcessCommandLine" + }, + { + "description": "The process id", + "value": "ProcessId" + }, + { + "description": "The registry key path", + "value": "RegistryKey" + }, + { + "description": "The registry key value in string formatted representation", + "value": "RegistryValueData" + }, + { + "description": "The url", + "value": "Url" + } + ] + } + }, + "AutomationRulePropertyValuesCondition": { + "description": "Describes an automation rule condition that evaluates a property's value", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "description": "The configuration of the automation rule condition", + "properties": { + "propertyName": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty", + "description": "The property to evaluate" + }, + "operator": { + "description": "The operator to use for evaluation the condition", + "enum": [ + "Equals", + "NotEquals", + "Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRulePropertyConditionSupportedOperator", + "values": [ + { + "description": "Evaluates if the property equals at least one of the condition values", + "value": "Equals" + }, + { + "description": "Evaluates if the property does not equal any of the condition values", + "value": "NotEquals" + }, + { + "description": "Evaluates if the property contains at least one of the condition values", + "value": "Contains" + }, + { + "description": "Evaluates if the property does not contain any of the condition values", + "value": "NotContains" + }, + { + "description": "Evaluates if the property starts with any of the condition values", + "value": "StartsWith" + }, + { + "description": "Evaluates if the property does not start with any of the condition values", + "value": "NotStartsWith" + }, + { + "description": "Evaluates if the property ends with any of the condition values", + "value": "EndsWith" + }, + { + "description": "Evaluates if the property does not end with any of the condition values", + "value": "NotEndsWith" + } + ] + } + }, + "propertyValues": { + "description": "The values to use for evaluating the condition", + "items": { + "description": "A value to use for evaluating the condition", + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "required": [ + "conditionProperties" + ], + "x-ms-client-flatten": true, + "type": "object", + "x-ms-discriminator-value": "Property" + }, + "AutomationRuleTriggeringLogic": { + "description": "Describes automation rule triggering logic", + "properties": { + "isEnabled": { + "description": "Determines whether the automation rule is enabled or disabled.", + "type": "boolean" + }, + "expirationTimeUtc": { + "description": "Determines when the automation rule should automatically expire and be disabled.", + "format": "date-time", + "type": "string" + }, + "triggersOn": { + "description": "The type of object the automation rule triggers on", + "enum": [ + "Incidents" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TriggersOn", + "values": [ + { + "description": "Trigger on Incidents", + "value": "Incidents" + } + ] + } + }, + "triggersWhen": { + "description": "The type of event the automation rule triggers on", + "enum": [ + "Created" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TriggersWhen", + "values": [ + { + "description": "Trigger on created objects", + "value": "Created" + } + ] + } + }, + "conditions": { + "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object", + "items": { + "$ref": "#/definitions/AutomationRuleCondition" + }, + "type": "array" + } + }, + "required": [ + "isEnabled", + "triggersOn", + "triggersWhen" + ], + "type": "object" + }, + "ClientInfo": { + "description": "Information on the client (user or application) that made some action", + "properties": { + "email": { + "description": "The email of the client.", + "type": "string" + }, + "name": { + "description": "The name of the client.", + "type": "string" + }, + "objectId": { + "description": "The object id of the client.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the client.", + "type": "string" + } + }, + "type": "object" + }, + "IncidentClassification": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + "value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] + } + }, + "IncidentClassificationReason": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" + } + ] + } + }, + "IncidentLabel": { + "description": "Represents an incident label", + "properties": { + "labelName": { + "description": "The name of the label", + "type": "string" + }, + "labelType": { + "description": "The type of the label", + "enum": [ + "User", + "System" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentLabelType", + "values": [ + { + "description": "Label manually created by a user", + "value": "User" + }, + { + "description": "Label automatically created by the system", + "value": "System" + } + ] + } + } + }, + "required": [ + "labelName" + ], + "type": "object" + }, + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", + "properties": { + "email": { + "description": "The email of the user the incident is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", + "type": "string" + } + }, + "type": "object" + }, + "IncidentSeverity": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "IncidentStatus": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index f7a1d2656d01..2870b982fb0f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -573,203 +573,6 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": { - "get": { - "x-ms-examples": { - "Get all automation rules.": { - "$ref": "./examples/automationRules/GetAllAutomationRules.json" - } - }, - "tags": [ - "Automation Rules" - ], - "description": "Gets all automation rules.", - "operationId": "AutomationRules_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/AutomationRulesList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": { - "get": { - "x-ms-examples": { - "Get an automation rule.": { - "$ref": "./examples/automationRules/GetAutomationRule.json" - } - }, - "tags": [ - "Automation Rules" - ], - "description": "Gets the automation rule.", - "operationId": "AutomationRules_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AutomationRuleId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/AutomationRule" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an automation rule.": { - "$ref": "./examples/automationRules/CreateAutomationRule.json" - } - }, - "tags": [ - "Automation Rules" - ], - "description": "Creates or updates the automation rule.", - "operationId": "AutomationRules_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AutomationRuleId" - }, - { - "$ref": "#/parameters/AutomationRule" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/AutomationRule" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/AutomationRule" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an automation rule.": { - "$ref": "./examples/automationRules/DeleteAutomationRule.json" - } - }, - "tags": [ - "Automation Rule" - ], - "description": "Delete the automation rule.", - "operationId": "AutomationRules_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AutomationRuleId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases": { "get": { "x-ms-examples": { @@ -5592,907 +5395,246 @@ "value": "MicrosoftSecurityIncidentCreation" }, { - "value": "Fusion" - }, - { - "value": "MLBehaviorAnalytics" - }, - { - "value": "ThreatIntelligence" - } - ] - } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "AlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - }, - { - "$ref": "#/definitions/AlertRuleKind" - } - ], - "description": "Alert rule template.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleTemplateDataSource": { - "description": "alert rule template data sources", - "properties": { - "connectorId": { - "description": "The connector id that provides the following data types", - "type": "string" - }, - "dataTypes": { - "description": "The data types used by the alert rule template", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "AlertRuleTemplatePropertiesBase": { - "description": "Base alert rule template property bag.", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "type": "integer" - }, - "lastUpdatedDateUTC": { - "description": "The last time that this alert rule template has been updated.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data sources for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "description": "The alert rule template status.", - "enum": [ - "Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] - } - } - }, - "type": "object" - }, - "AlertRuleTemplatesList": { - "description": "List all the alert rule templates.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rule templates.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rule templates.", - "items": { - "$ref": "#/definitions/AlertRuleTemplate" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertRuleTriggerOperator": { - "description": "The operation against the threshold that triggers alert rule.", - "enum": [ - "GreaterThan", - "LessThan", - "Equal", - "NotEqual" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TriggerOperator" - } - }, - "AlertRulesList": { - "description": "List all the alert rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rules.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rules.", - "items": { - "$ref": "#/definitions/AlertRule" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Alerts data type connection.", - "type": "object" - } - }, - "type": "object", - "required": [ - "alerts" - ] - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact", - "PreAttack" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "AutomationRule": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an automation rule.", - "properties": { - "properties": { - "$ref": "#/definitions/AutomationRuleProperties", - "description": "Automation rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "AutomationRuleAction": { - "description": "Describes an automation rule action", - "discriminator": "actionType", - "properties": { - "order": { - "description": "The order of execution of the automation rule action", - "type": "integer", - "format": "int32" - }, - "actionType": { - "description": "The type of the automation rule action", - "enum": [ - "ModifyProperties", - "RunPlaybook" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRuleActionType", - "values": [ - { - "description": "Modify an object's properties", - "value": "ModifyProperties" - }, - { - "description": "Run a playbook on an object", - "value": "RunPlaybook" - } - ] - } - } - }, - "required": [ - "order", - "actionType" - ], - "type": "object" - }, - "AutomationRuleCondition": { - "description": "Describes an automation rule condition", - "discriminator": "conditionType", - "properties": { - "conditionType": { - "description": "The type of the automation rule condition", - "enum": [ - "Property" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRuleConditionType", - "values": [ - { - "description": "Evaluate an object property value", - "value": "Property" - } - ] - } - } - }, - "required": [ - "conditionType" - ], - "type": "object" - }, - "AutomationRuleRunPlaybookAction": { - "description": "Describes an automation rule action to run a playbook", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleAction" - } - ], - "properties": { - "actionConfiguration": { - "description": "The configuration of the run playbook automation rule action", - "properties": { - "logicAppResourceId": { - "description": "The resource id of the playbook resource", - "type": "string" - }, - "tenantId": { - "description": "The tenant id of the playbook resource", - "type": "string" - } - }, - "type": "object" - } - }, - "required": [ - "actionConfiguration" - ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "RunPlaybook" - }, - "AutomationRuleModifyPropertiesAction": { - "description": "Describes an automation rule action to modify an object's properties", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleAction" - } - ], - "properties": { - "actionConfiguration": { - "description": "The configuration of the modify properties automation rule action", - "properties": { - "classification": { - "$ref": "#/definitions/IncidentClassification", - "description": "The reason the incident was closed" - }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "$ref": "#/definitions/IncidentClassificationReason", - "description": "The classification reason to close the incident with" - }, - "labels": { - "description": "List of labels to add to the incident", - "items": { - "$ref": "#/definitions/IncidentLabel" - }, - "type": "array" - }, - "owner": { - "$ref": "#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "severity": { - "$ref": "#/definitions/IncidentSeverity", - "description": "The severity of the incident" - }, - "status": { - "$ref": "#/definitions/IncidentStatus", - "description": "The status of the incident" - } - }, - "type": "object" - } - }, - "required": [ - "actionConfiguration" - ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "ModifyProperties" - }, - "AutomationRulePropertyConditionSupportedProperty": { - "description": "The property to evaluate in an automation rule property condition", - "enum": [ - "IncidentTitle", - "IncidentDescription", - "IncidentSeverity", - "IncidentStatus", - "IncidentTactics", - "IncidentRelatedAnalyticRuleIds", - "IncidentProviderName", - "AccountAadTenantId", - "AccountAadUserId", - "AccountName", - "AccountNTDomain", - "AccountPUID", - "AccountSid", - "AccountObjectGuid", - "AccountUPNSuffix", - "AzureResourceResourceId", - "AzureResourceSubscriptionId", - "CloudApplicationAppId", - "CloudApplicationAppName", - "DNSDomainName", - "FileDirectory", - "FileName", - "FileHashValue", - "HostAzureID", - "HostName", - "HostNetBiosName", - "HostNTDomain", - "HostOSVersion", - "IoTDeviceId", - "IoTDeviceName", - "IoTDeviceType", - "IoTDeviceVendor", - "IoTDeviceModel", - "IoTDeviceOperatingSystem", - "IPAddress", - "MailboxDisplayName", - "MailboxPrimaryAddress", - "MailboxUPN", - "MailMessageDeliveryAction", - "MailMessageDeliveryLocation", - "MailMessageRecipient", - "MailMessageSenderIP", - "MailMessageSubject", - "MailMessageP1Sender", - "MailMessageP2Sender", - "MalwareCategory", - "MalwareName", - "ProcessCommandLine", - "ProcessId", - "RegistryKey", - "RegistryValueData", - "Url" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRulePropertyConditionSupportedProperty", - "values": [ - { - "description": "The title of the incident", - "value": "IncidentTitle" - }, - { - "description": "The description of the incident", - "value": "IncidentDescription" - }, - { - "description": "The severity of the incident", - "value": "IncidentSeverity" - }, - { - "description": "The status of the incident", - "value": "IncidentStatus" - }, - { - "description": "The tactics of the incident", - "value": "IncidentTactics" - }, - { - "description": "The related Analytic rule ids of the incident", - "value": "IncidentRelatedAnalyticRuleIds" - }, - { - "description": "The provider name of the incident", - "value": "IncidentProviderName" - }, - { - "description": "The account Azure Active Directory tenant id", - "value": "AccountAadTenantId" - }, - { - "description": "The account Azure Active Directory user id.", - "value": "AccountAadUserId" - }, - { - "description": "The account name", - "value": "AccountName" - }, - { - "description": "The account NetBIOS domain name", - "value": "AccountNTDomain" - }, - { - "description": "The account Azure Active Directory Passport User ID", - "value": "AccountPUID" - }, - { - "description": "The account security identifier", - "value": "AccountSid" - }, - { - "description": "The account unique identifier", - "value": "AccountObjectGuid" - }, - { - "description": "The account user principal name suffix", - "value": "AccountUPNSuffix" - }, - { - "description": "The Azure resource id", - "value": "AzureResourceResourceId" - }, - { - "description": "The Azure resource subscription id", - "value": "AzureResourceSubscriptionId" - }, - { - "description": "The cloud application identifier", - "value": "CloudApplicationAppId" - }, - { - "description": "The cloud application name", - "value": "CloudApplicationAppName" - }, - { - "description": "The dns record domain name", - "value": "DNSDomainName" - }, - { - "description": "The file directory full path", - "value": "FileDirectory" - }, - { - "description": "The file name without path", - "value": "FileName" - }, - { - "description": "The file hash value", - "value": "FileHashValue" - }, - { - "description": "The host Azure resource id", - "value": "HostAzureID" - }, - { - "description": "The host name without domain", - "value": "HostName" - }, - { - "description": "The host NetBIOS name", - "value": "HostNetBiosName" - }, - { - "description": "The host NT domain", - "value": "HostNTDomain" - }, - { - "description": "The host operating system", - "value": "HostOSVersion" - }, - { - "description": "The IoT device id", - "value": "IoTDeviceId" - }, - { - "description": "The IoT device name", - "value": "IoTDeviceName" - }, - { - "description": "The IoT device type", - "value": "IoTDeviceType" - }, - { - "description": "The IoT device vendor", - "value": "IoTDeviceVendor" - }, - { - "description": "The IoT device model", - "value": "IoTDeviceModel" - }, - { - "description": "The IoT device operating system", - "value": "IoTDeviceOperatingSystem" - }, - { - "description": "The IP address", - "value": "IPAddress" - }, - { - "description": "The mailbox display name", - "value": "MailboxDisplayName" - }, - { - "description": "The mailbox primary address", - "value": "MailboxPrimaryAddress" - }, - { - "description": "The mailbox user principal name", - "value": "MailboxUPN" - }, - { - "description": "The mail message delivery action", - "value": "MailMessageDeliveryAction" - }, - { - "description": "The mail message delivery location", - "value": "MailMessageDeliveryLocation" - }, - { - "description": "The mail message recipient", - "value": "MailMessageRecipient" - }, - { - "description": "The mail message sender IP address", - "value": "MailMessageSenderIP" - }, - { - "description": "The mail message subject", - "value": "MailMessageSubject" - }, - { - "description": "The mail message P1 sender", - "value": "MailMessageP1Sender" - }, - { - "description": "The mail message P2 sender", - "value": "MailMessageP2Sender" - }, - { - "description": "The malware category", - "value": "MalwareCategory" - }, - { - "description": "The malware name", - "value": "MalwareName" - }, - { - "description": "The process execution command line", - "value": "ProcessCommandLine" - }, - { - "description": "The process id", - "value": "ProcessId" - }, - { - "description": "The registry key path", - "value": "RegistryKey" - }, - { - "description": "The registry key value in string formatted representation", - "value": "RegistryValueData" - }, - { - "description": "The url", - "value": "Url" - } - ] - } - }, - "AutomationRulePropertyValuesCondition": { - "description": "Describes an automation rule condition that evaluates a property's value", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleCondition" - } - ], - "properties": { - "conditionProperties": { - "description": "The configuration of the automation rule condition", - "properties": { - "propertyName": { - "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty", - "description": "The property to evaluate" - }, - "operator": { - "description": "The operator to use for evaluation the condition", - "enum": [ - "Equals", - "NotEquals", - "Contains", - "NotContains", - "StartsWith", - "NotStartsWith", - "EndsWith", - "NotEndsWith" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRulePropertyConditionSupportedOperator", - "values": [ - { - "description": "Evaluates if the property equals at least one of the condition values", - "value": "Equals" - }, - { - "description": "Evaluates if the property does not equal any of the condition values", - "value": "NotEquals" - }, - { - "description": "Evaluates if the property contains at least one of the condition values", - "value": "Contains" - }, - { - "description": "Evaluates if the property does not contain any of the condition values", - "value": "NotContains" - }, - { - "description": "Evaluates if the property starts with any of the condition values", - "value": "StartsWith" - }, - { - "description": "Evaluates if the property does not start with any of the condition values", - "value": "NotStartsWith" - }, - { - "description": "Evaluates if the property ends with any of the condition values", - "value": "EndsWith" - }, - { - "description": "Evaluates if the property does not end with any of the condition values", - "value": "NotEndsWith" - } - ] - } - }, - "propertyValues": { - "description": "The values to use for evaluating the condition", - "items": { - "description": "A value to use for evaluating the condition", - "type": "string" + "value": "Fusion" }, - "type": "array" - } - }, - "type": "object" + { + "value": "MLBehaviorAnalytics" + }, + { + "value": "ThreatIntelligence" + } + ] + } } }, "required": [ - "conditionProperties" + "kind" ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "Property" + "type": "object" }, - "AutomationRulesList": { - "description": "List all the automation rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of automation rules.", - "readOnly": true, - "type": "string" + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/Resource" }, - "value": { - "description": "Array of automation rules.", - "items": { - "$ref": "#/definitions/AutomationRule" - }, - "type": "array" + { + "$ref": "#/definitions/AlertRuleKind" } - }, + ], + "description": "Alert rule template.", + "discriminator": "kind", + "type": "object", "required": [ - "value" + "kind" ] }, - "AutomationRuleProperties": { - "description": "Describes automation rule properties", + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", "properties": { - "displayName": { - "description": "The display name of the automation rule", + "connectorId": { + "description": "The connector id that provides the following data types", "type": "string" }, - "order": { - "description": "The order of execution of the automation rule", - "type": "integer", - "format": "int32" - }, - "triggeringLogic": { - "$ref": "#/definitions/AutomationRuleTriggeringLogic", - "description": "The triggering logic of the automation rule", - "type": "object" - }, - "actions": { - "description": "The actions to execute when the automation rule is triggered", + "dataTypes": { + "description": "The data types used by the alert rule template", "items": { - "$ref": "#/definitions/AutomationRuleAction" + "type": "string" }, "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer" }, - "createdTimeUtc": { - "description": "The time the automation rule was created", + "lastUpdatedDateUTC": { + "description": "The last time that this alert rule template has been updated.", "format": "date-time", "readOnly": true, "type": "string" }, - "lastModifiedTimeUtc": { - "description": "The last time the automation rule was updated", + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", "format": "date-time", "readOnly": true, "type": "string" }, - "createdBy": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that created the automation rule", - "readOnly": true, - "type": "object" - }, - "lastModifiedBy": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that last updated the automation rule", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "displayName", - "order", - "triggeringLogic", - "actions" - ], - "type": "object" - }, - "AutomationRuleTriggeringLogic": { - "description": "Describes automation rule triggering logic", - "properties": { - "isEnabled": { - "description": "Determines whether the automation rule is enabled or disabled.", - "type": "boolean" + "description": { + "description": "The description of the alert rule template.", + "type": "string" }, - "expirationTimeUtc": { - "description": "Determines when the automation rule should automatically expire and be disabled.", - "format": "date-time", + "displayName": { + "description": "The display name for alert rule template.", "type": "string" }, - "triggersOn": { - "description": "The type of object the automation rule triggers on", - "enum": [ - "Incidents" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TriggersOn", - "values": [ - { - "description": "Trigger on Incidents", - "value": "Incidents" - } - ] - } + "requiredDataConnectors": { + "description": "The required data sources for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" }, - "triggersWhen": { - "description": "The type of event the automation rule triggers on", + "status": { + "description": "The alert rule template status.", "enum": [ - "Created" + "Installed", + "Available", + "NotAvailable" ], "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "TriggersWhen", + "name": "TemplateStatus", "values": [ { - "description": "Trigger on created objects", - "value": "Created" + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" } ] } + } + }, + "type": "object" + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" }, - "conditions": { - "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object", + "value": { + "description": "Array of alert rule templates.", "items": { - "$ref": "#/definitions/AutomationRuleCondition" + "$ref": "#/definitions/AlertRuleTemplate" }, "type": "array" } }, "required": [ - "isEnabled", - "triggersOn", - "triggersWhen" + "value" + ] + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" ], - "type": "object" + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } }, "AwsCloudTrailDataConnector": { "allOf": [ @@ -14091,24 +13233,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "AutomationRule": { - "description": "The automation rule", - "in": "body", - "name": "automationRule", - "required": true, - "schema": { - "$ref": "#/definitions/AutomationRule" - }, - "x-ms-parameter-location": "method" - }, - "AutomationRuleId": { - "description": "Automation rule ID", - "in": "path", - "name": "automationRuleId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "ApiVersion": { "description": "API version for the operation", "enum": [ diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 057fd5b8b202..d7ae6e200511 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md @@ -136,6 +136,7 @@ These settings apply only when `--tag=package-2019-01-preview` is specified on t ```yaml $(tag) == 'package-2019-01-preview' input-file: - Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +- Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json directive: - suppress: R4017 from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -150,6 +151,10 @@ directive: from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json where: $.definitions.AutomationRule reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace. + - suppress: R4017 + from: Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json + where: $.definitions.AutomationRule + reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace. ``` ---