From 5b352b40b5d85a84fe3042f42b7267190b67e90d Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi
Date: Sun, 4 Jul 2021 18:23:44 +0300
Subject: [PATCH 01/11] extract AutomationRules to new file
---
.../2019-01-01-preview/AutomationRules.json | 499 ++++++++++++++++++
1 file changed, 499 insertions(+)
create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
new file mode 100644
index 000000000000..499b22d1b031
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
@@ -0,0 +1,499 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Insights",
+ "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
+ "version": "2019-01-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "security": [
+ {
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }
+ ],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": {
+ "get": {
+ "x-ms-examples": {
+ "Get all automation rules.": {
+ "$ref": "./examples/automationRules/GetAllAutomationRules.json"
+ }
+ },
+ "tags": [
+ "Automation Rules"
+ ],
+ "description": "Gets all automation rules.",
+ "operationId": "AutomationRules_List",
+ "parameters": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AutomationRulesList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": {
+ "get": {
+ "x-ms-examples": {
+ "Get an automation rule.": {
+ "$ref": "./examples/automationRules/GetAutomationRule.json"
+ }
+ },
+ "tags": [
+ "Automation Rules"
+ ],
+ "description": "Gets the automation rule.",
+ "operationId": "AutomationRules_Get",
+ "parameters": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/AutomationRuleId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Creates or updates an automation rule.": {
+ "$ref": "./examples/automationRules/CreateAutomationRule.json"
+ }
+ },
+ "tags": [
+ "Automation Rules"
+ ],
+ "description": "Creates or updates the automation rule.",
+ "operationId": "AutomationRules_CreateOrUpdate",
+ "parameters": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/AutomationRuleId"
+ },
+ {
+ "$ref": "#/parameters/AutomationRule"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ }
+ },
+ "201": {
+ "description": "Created",
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete an automation rule.": {
+ "$ref": "./examples/automationRules/DeleteAutomationRule.json"
+ }
+ },
+ "tags": [
+ "Automation Rule"
+ ],
+ "description": "Delete the automation rule.",
+ "operationId": "AutomationRules_Delete",
+ "parameters": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/AutomationRuleId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "parameters": {
+ "AutomationRule": {
+ "description": "The automation rule",
+ "in": "body",
+ "name": "automationRule",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ },
+ "x-ms-parameter-location": "method"
+ },
+ "AutomationRuleId": {
+ "description": "Automation rule ID",
+ "in": "path",
+ "name": "automationRuleId",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ }
+ },
+ "definitions": {
+ "AutomationRule": {
+ "allOf": [
+ {
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ }
+ ],
+ "description": "Represents an automation rule.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/AutomationRuleProperties",
+ "description": "Automation rule properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "AutomationRuleAction": {
+ "description": "Describes an automation rule action",
+ "discriminator": "actionType",
+ "properties": {
+ "order": {
+ "description": "The order of execution of the automation rule action",
+ "type": "integer",
+ "format": "int32"
+ },
+ "actionType": {
+ "description": "The type of the automation rule action",
+ "enum": [
+ "ModifyProperties",
+ "RunPlaybook"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AutomationRuleActionType",
+ "values": [
+ {
+ "description": "Modify an object's properties",
+ "value": "ModifyProperties"
+ },
+ {
+ "description": "Run a playbook on an object",
+ "value": "RunPlaybook"
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "order",
+ "actionType"
+ ],
+ "type": "object"
+ },
+ "AutomationRuleCondition": {
+ "description": "Describes an automation rule condition",
+ "discriminator": "conditionType",
+ "properties": {
+ "conditionType": {
+ "description": "The type of the automation rule condition",
+ "enum": [
+ "Property"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AutomationRuleConditionType",
+ "values": [
+ {
+ "description": "Evaluate an object property value",
+ "value": "Property"
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "conditionType"
+ ],
+ "type": "object"
+ },
+ "AutomationRuleProperties": {
+ "description": "Describes automation rule properties",
+ "properties": {
+ "displayName": {
+ "description": "The display name of the automation rule",
+ "type": "string"
+ },
+ "order": {
+ "description": "The order of execution of the automation rule",
+ "type": "integer",
+ "format": "int32"
+ },
+ "triggeringLogic": {
+ "$ref": "#/definitions/AutomationRuleTriggeringLogic",
+ "description": "The triggering logic of the automation rule",
+ "type": "object"
+ },
+ "actions": {
+ "description": "The actions to execute when the automation rule is triggered",
+ "items": {
+ "$ref": "#/definitions/AutomationRuleAction"
+ },
+ "type": "array"
+ },
+ "createdTimeUtc": {
+ "description": "The time the automation rule was created",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "lastModifiedTimeUtc": {
+ "description": "The last time the automation rule was updated",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "createdBy": {
+ "$ref": "#/definitions/ClientInfo",
+ "description": "Describes the client that created the automation rule",
+ "readOnly": true,
+ "type": "object"
+ },
+ "lastModifiedBy": {
+ "$ref": "#/definitions/ClientInfo",
+ "description": "Describes the client that last updated the automation rule",
+ "readOnly": true,
+ "type": "object"
+ }
+ },
+ "required": [
+ "displayName",
+ "order",
+ "triggeringLogic",
+ "actions"
+ ],
+ "type": "object"
+ },
+ "AutomationRulesList": {
+ "description": "List all the automation rules.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of automation rules.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of automation rules.",
+ "items": {
+ "$ref": "#/definitions/AutomationRule"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "AutomationRuleTriggeringLogic": {
+ "description": "Describes automation rule triggering logic",
+ "properties": {
+ "isEnabled": {
+ "description": "Determines whether the automation rule is enabled or disabled.",
+ "type": "boolean"
+ },
+ "expirationTimeUtc": {
+ "description": "Determines when the automation rule should automatically expire and be disabled.",
+ "format": "date-time",
+ "type": "string"
+ },
+ "triggersOn": {
+ "description": "The type of object the automation rule triggers on",
+ "enum": [
+ "Incidents"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "TriggersOn",
+ "values": [
+ {
+ "description": "Trigger on Incidents",
+ "value": "Incidents"
+ }
+ ]
+ }
+ },
+ "triggersWhen": {
+ "description": "The type of event the automation rule triggers on",
+ "enum": [
+ "Created"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "TriggersWhen",
+ "values": [
+ {
+ "description": "Trigger on created objects",
+ "value": "Created"
+ }
+ ]
+ }
+ },
+ "conditions": {
+ "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object",
+ "items": {
+ "$ref": "#/definitions/AutomationRuleCondition"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "isEnabled",
+ "triggersOn",
+ "triggersWhen"
+ ],
+ "type": "object"
+ },
+ "ClientInfo": {
+ "description": "Information on the client (user or application) that made some action",
+ "properties": {
+ "email": {
+ "description": "The email of the client.",
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the client.",
+ "type": "string"
+ },
+ "objectId": {
+ "description": "The object id of the client.",
+ "format": "uuid",
+ "type": "string"
+ },
+ "userPrincipalName": {
+ "description": "The user principal name of the client.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ }
+}
From debd1a904355cb2726a35c4cc5b1908c6bdd9c8a Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi
Date: Sun, 4 Jul 2021 19:36:43 +0300
Subject: [PATCH 02/11] fix errors
---
.../2019-01-01-preview/AutomationRules.json | 701 ++++++++-
.../2019-01-01-preview/SecurityInsights.json | 1260 +++--------------
.../resource-manager/readme.md | 1 +
3 files changed, 879 insertions(+), 1083 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
index 499b22d1b031..bf06da7fded4 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
@@ -48,19 +48,19 @@
 "operationId": "AutomationRules_List",
 "parameters": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ "$ref": "#/parameters/ResourceGroupName"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ "$ref": "#/parameters/WorkspaceName"
 }
 ],
 "responses": {
@@ -96,19 +96,19 @@
 "operationId": "AutomationRules_Get",
 "parameters": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ "$ref": "#/parameters/ResourceGroupName"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ "$ref": "#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
@@ -142,19 +142,19 @@
 "operationId": "AutomationRules_CreateOrUpdate",
 "parameters": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ "$ref": "#/parameters/ResourceGroupName"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ "$ref": "#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
@@ -233,6 +233,16 @@
 }
 },
 "parameters": {
+ "ApiVersion": {
+ "description": "API version for the operation",
+ "enum": [
+ "2019-01-01-preview"
+ ],
+ "in": "query",
+ "name": "api-version",
+ "required": true,
+ "type": "string"
+ },
 "AutomationRule": {
 "description": "The automation rule",
 "in": "body",
@@ -250,6 +260,43 @@
 "required": true,
 "type": "string",
 "x-ms-parameter-location": "method"
+ },
+ "OperationalInsightsResourceProvider": {
+ "description": "The namespace of workspaces resource provider- Microsoft.OperationalInsights.",
+ "in": "path",
+ "name": "operationalInsightsResourceProvider",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
+ "ResourceGroupName": {
+ "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
+ "in": "path",
+ "maxLength": 90,
+ "minLength": 1,
+ "name": "resourceGroupName",
+ "pattern": "^[-\\w\\._\\(\\)]+$",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
+ "SubscriptionId": {
+ "description": "Azure subscription ID",
+ "in": "path",
+ "name": "subscriptionId",
+ "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
+ "required": true,
+ "type": "string"
+ },
+ "WorkspaceName": {
+ "description": "The name of the workspace.",
+ "in": "path",
+ "maxLength": 90,
+ "minLength": 1,
+ "name": "workspaceName",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ }
 },
 "definitions": {
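Review bot: The new `OperationalInsightsResourceProvider` parameter is a free-form `"type": "string"` although its own description says the only valid value is `Microsoft.OperationalInsights`, so every route's `providers/{operationalInsightsResourceProvider}/workspaces/...` segment accepts an arbitrary namespace from the client and relies entirely on the service to reject it. Constrain it in the spec, e.g. `"enum": ["Microsoft.OperationalInsights"]` with a matching `x-ms-enum`, or at least a `pattern`, so generated clients and the ARM linters catch bad values before they reach the backend. `WorkspaceName` likewise gets `minLength`/`maxLength` but no `pattern`, whereas `ResourceGroupName` in the same hunk has one; if the workspace naming rule is known, add it for consistency — confirm what the service enforces rather than guessing a regex.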
@@ -411,6 +458,448 @@
 "value"
 ]
 },
+ "AutomationRuleRunPlaybookAction": {
+ "description": "Describes an automation rule action to run a playbook",
+ "allOf": [
+ {
+ "$ref": "#/definitions/AutomationRuleAction"
+ }
+ ],
+ "properties": {
+ "actionConfiguration": {
+ "description": "The configuration of the run playbook automation rule action",
+ "properties": {
+ "logicAppResourceId": {
+ "description": "The resource id of the playbook resource",
+ "type": "string"
+ },
+ "tenantId": {
+ "description": "The tenant id of the playbook resource",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "actionConfiguration"
+ ],
+ "x-ms-client-flatten": true,
+ "type": "object",
+ "x-ms-discriminator-value": "RunPlaybook"
+ },
+ "AutomationRuleModifyPropertiesAction": {
+ "description": "Describes an automation rule action to modify an object's properties",
+ "allOf": [
+ {
+ "$ref": "#/definitions/AutomationRuleAction"
+ }
+ ],
+ "properties": {
+ "actionConfiguration": {
+ "description": "The configuration of the modify properties automation rule action",
+ "properties": {
+ "classification": {
+ "$ref": "#/definitions/IncidentClassification",
+ "description": "The reason the incident was closed"
+ },
+ "classificationComment": {
+ "description": "Describes the reason the incident was closed",
+ "type": "string"
+ },
+ "classificationReason": {
+ "$ref": "#/definitions/IncidentClassificationReason",
+ "description": "The classification reason to close the incident with"
+ },
+ "labels": {
+ "description": "List of labels to add to the incident",
+ "items": {
+ "$ref": "#/definitions/IncidentLabel"
+ },
+ "type": "array"
+ },
+ "owner": {
+ "$ref": "#/definitions/IncidentOwnerInfo",
+ "description": "Describes a user that the incident is assigned to",
+ "type": "object"
+ },
+ "severity": {
+ "$ref": "#/definitions/IncidentSeverity",
+ "description": "The severity of the incident"
+ },
+ "status": {
+ "$ref": "#/definitions/IncidentStatus",
+ "description": "The status of the incident"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "actionConfiguration"
+ ],
+ "x-ms-client-flatten": true,
+ "type": "object",
+ "x-ms-discriminator-value": "ModifyProperties"
+ },
+ "AutomationRulePropertyConditionSupportedProperty": {
+ "description": "The property to evaluate in an automation rule property condition",
+ "enum": [
+ "IncidentTitle",
+ "IncidentDescription",
+ "IncidentSeverity",
+ "IncidentStatus",
+ "IncidentTactics",
+ "IncidentRelatedAnalyticRuleIds",
+ "IncidentProviderName",
+ "AccountAadTenantId",
+ "AccountAadUserId",
+ "AccountName",
+ "AccountNTDomain",
+ "AccountPUID",
+ "AccountSid",
+ "AccountObjectGuid",
+ "AccountUPNSuffix",
+ "AzureResourceResourceId",
+ "AzureResourceSubscriptionId",
+ "CloudApplicationAppId",
+ "CloudApplicationAppName",
+ "DNSDomainName",
+ "FileDirectory",
+ "FileName",
+ "FileHashValue",
+ "HostAzureID",
+ "HostName",
+ "HostNetBiosName",
+ "HostNTDomain",
+ "HostOSVersion",
+ "IoTDeviceId",
+ "IoTDeviceName",
+ "IoTDeviceType",
+ "IoTDeviceVendor",
+ "IoTDeviceModel",
+ "IoTDeviceOperatingSystem",
+ "IPAddress",
+ "MailboxDisplayName",
+ "MailboxPrimaryAddress",
+ "MailboxUPN",
+ "MailMessageDeliveryAction",
+ "MailMessageDeliveryLocation",
+ "MailMessageRecipient",
+ "MailMessageSenderIP",
+ "MailMessageSubject",
+ "MailMessageP1Sender",
+ "MailMessageP2Sender",
+ "MalwareCategory",
+ "MalwareName",
+ "ProcessCommandLine",
+ "ProcessId",
+ "RegistryKey",
+ "RegistryValueData",
+ "Url"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AutomationRulePropertyConditionSupportedProperty",
+ "values": [
+ {
+ "description": "The title of the incident",
+ "value": "IncidentTitle"
+ },
+ {
+ "description": "The description of the incident",
+ "value": "IncidentDescription"
+ },
+ {
+ "description": "The severity of the incident",
+ "value": "IncidentSeverity"
+ },
+ {
+ "description": "The status of the incident",
+ "value": "IncidentStatus"
+ },
+ {
+ "description": "The tactics of the incident",
+ "value": "IncidentTactics"
+ },
+ {
+ "description": "The related Analytic rule ids of the incident",
+ "value": "IncidentRelatedAnalyticRuleIds"
+ },
+ {
+ "description": "The provider name of the incident",
+ "value": "IncidentProviderName"
+ },
+ {
+ "description": "The account Azure Active Directory tenant id",
+ "value": "AccountAadTenantId"
+ },
+ {
+ "description": "The account Azure Active Directory user id.",
+ "value": "AccountAadUserId"
+ },
+ {
+ "description": "The account name",
+ "value": "AccountName"
+ },
+ {
+ "description": "The account NetBIOS domain name",
+ "value": "AccountNTDomain"
+ },
+ {
+ "description": "The account Azure Active Directory Passport User ID",
+ "value": "AccountPUID"
+ },
+ {
+ "description": "The account security identifier",
+ "value": "AccountSid"
+ },
+ {
+ "description": "The account unique identifier",
+ "value": "AccountObjectGuid"
+ },
+ {
+ "description": "The account user principal name suffix",
+ "value": "AccountUPNSuffix"
+ },
+ {
+ "description": "The Azure resource id",
+ "value": "AzureResourceResourceId"
+ },
+ {
+ "description": "The Azure resource subscription id",
+ "value": "AzureResourceSubscriptionId"
+ },
+ {
+ "description": "The cloud application identifier",
+ "value": "CloudApplicationAppId"
+ },
+ {
+ "description": "The cloud application name",
+ "value": "CloudApplicationAppName"
+ },
+ {
+ "description": "The dns record domain name",
+ "value": "DNSDomainName"
+ },
+ {
+ "description": "The file directory full path",
+ "value": "FileDirectory"
+ },
+ {
+ "description": "The file name without path",
+ "value": "FileName"
+ },
+ {
+ "description": "The file hash value",
+ "value": "FileHashValue"
+ },
+ {
+ "description": "The host Azure resource id",
+ "value": "HostAzureID"
+ },
+ {
+ "description": "The host name without domain",
+ "value": "HostName"
+ },
+ {
+ "description": "The host NetBIOS name",
+ "value": "HostNetBiosName"
+ },
+ {
+ "description": "The host NT domain",
+ "value": "HostNTDomain"
+ },
+ {
+ "description": "The host operating system",
+ "value": "HostOSVersion"
+ },
+ {
+ "description": "The IoT device id",
+ "value": "IoTDeviceId"
+ },
+ {
+ "description": "The IoT device name",
+ "value": "IoTDeviceName"
+ },
+ {
+ "description": "The IoT device type",
+ "value": "IoTDeviceType"
+ },
+ {
+ "description": "The IoT device vendor",
+ "value": "IoTDeviceVendor"
+ },
+ {
+ "description": "The IoT device model",
+ "value": "IoTDeviceModel"
+ },
+ {
+ "description": "The IoT device operating system",
+ "value": "IoTDeviceOperatingSystem"
+ },
+ {
+ "description": "The IP address",
+ "value": "IPAddress"
+ },
+ {
+ "description": "The mailbox display name",
+ "value": "MailboxDisplayName"
+ },
+ {
+ "description": "The mailbox primary address",
+ "value": "MailboxPrimaryAddress"
+ },
+ {
+ "description": "The mailbox user principal name",
+ "value": "MailboxUPN"
+ },
+ {
+ "description": "The mail message delivery action",
+ "value": "MailMessageDeliveryAction"
+ },
+ {
+ "description": "The mail message delivery location",
+ "value": "MailMessageDeliveryLocation"
+ },
+ {
+ "description": "The mail message recipient",
+ "value": "MailMessageRecipient"
+ },
+ {
+ "description": "The mail message sender IP address",
+ "value": "MailMessageSenderIP"
+ },
+ {
+ "description": "The mail message subject",
+ "value": "MailMessageSubject"
+ },
+ {
+ "description": "The mail message P1 sender",
+ "value": "MailMessageP1Sender"
+ },
+ {
+ "description": "The mail message P2 sender",
+ "value": "MailMessageP2Sender"
+ },
+ {
+ "description": "The malware category",
+ "value": "MalwareCategory"
+ },
+ {
+ "description": "The malware name",
+ "value": "MalwareName"
+ },
+ {
+ "description": "The process execution command line",
+ "value": "ProcessCommandLine"
+ },
+ {
+ "description": "The process id",
+ "value": "ProcessId"
+ },
+ {
+ "description": "The registry key path",
+ "value": "RegistryKey"
+ },
+ {
+ "description": "The registry key value in string formatted representation",
+ "value": "RegistryValueData"
+ },
+ {
+ "description": "The url",
+ "value": "Url"
+ }
+ ]
+ }
+ },
+ "AutomationRulePropertyValuesCondition": {
+ "description": "Describes an automation rule condition that evaluates a property's value",
+ "allOf": [
+ {
+ "$ref": "#/definitions/AutomationRuleCondition"
+ }
+ ],
+ "properties": {
+ "conditionProperties": {
+ "description": "The configuration of the automation rule condition",
+ "properties": {
+ "propertyName": {
+ "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty",
+ "description": "The property to evaluate"
+ },
+ "operator": {
+ "description": "The operator to use for evaluation the condition",
+ "enum": [
+ "Equals",
+ "NotEquals",
+ "Contains",
+ "NotContains",
+ "StartsWith",
+ "NotStartsWith",
+ "EndsWith",
+ "NotEndsWith"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AutomationRulePropertyConditionSupportedOperator",
+ "values": [
+ {
+ "description": "Evaluates if the property equals at least one of the condition values",
+ "value": "Equals"
+ },
+ {
+ "description": "Evaluates if the property does not equal any of the condition values",
+ "value": "NotEquals"
+ },
+ {
+ "description": "Evaluates if the property contains at least one of the condition values",
+ "value": "Contains"
+ },
+ {
+ "description": "Evaluates if the property does not contain any of the condition values",
+ "value": "NotContains"
+ },
+ {
+ "description": "Evaluates if the property starts with any of the condition values",
+ "value": "StartsWith"
+ },
+ {
+ "description": "Evaluates if the property does not start with any of the condition values",
+ "value": "NotStartsWith"
+ },
+ {
+ "description": "Evaluates if the property ends with any of the condition values",
+ "value": "EndsWith"
+ },
+ {
+ "description": "Evaluates if the property does not end with any of the condition values",
+ "value": "NotEndsWith"
+ }
+ ]
+ }
+ },
+ "propertyValues": {
+ "description": "The values to use for evaluating the condition",
+ "items": {
+ "description": "A value to use for evaluating the condition",
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "conditionProperties"
+ ],
+ "x-ms-client-flatten": true,
+ "type": "object",
+ "x-ms-discriminator-value": "Property"
+ },
 "AutomationRuleTriggeringLogic": {
 "description": "Describes automation rule triggering logic",
 "properties": {
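Review bot: In `AutomationRuleRunPlaybookAction.actionConfiguration`, `tenantId` is a bare `"type": "string"` while this file types the comparable `ClientInfo.objectId` as `"format": "uuid"`, and `logicAppResourceId` is described only as "The resource id of the playbook resource" with nothing about what authorizes the rule to invoke that Logic App — the separate `tenantId` suggests it may live in another tenant. ARM authorization on the automation rule resource does not by itself cover the referenced playbook, so the spec should state what the service checks; add `"format": "uuid"` to `tenantId` and extend the `logicAppResourceId` description along the lines of `"The ARM resource id of the Logic App playbook; the caller must have permission to run it"` — confirm the actual enforcement with the service team before wording it. `propertyValues` in `AutomationRulePropertyValuesCondition` is an unbounded array of unbounded strings; if the service caps it, add `maxItems`/`maxLength` so clients fail fast instead of at the backend.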
@@ -494,6 +983,188 @@
 }
 },
 "type": "object"
+ },
+ "IncidentClassification": {
+ "description": "The reason the incident was closed",
+ "enum": [
+ "Undetermined",
+ "TruePositive",
+ "BenignPositive",
+ "FalsePositive"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentClassification",
+ "values": [
+ {
+ "description": "Incident classification was undetermined",
+ "value": "Undetermined"
+ },
+ {
+ "description": "Incident was true positive",
+ "value": "TruePositive"
+ },
+ {
+ "description": "Incident was benign positive",
+ "value": "BenignPositive"
+ },
+ {
+ "description": "Incident was false positive",
+ "value": "FalsePositive"
+ }
+ ]
+ }
+ },
+ "IncidentClassificationReason": {
+ "description": "The classification reason the incident was closed with",
+ "enum": [
+ "SuspiciousActivity",
+ "SuspiciousButExpected",
+ "IncorrectAlertLogic",
+ "InaccurateData"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentClassificationReason",
+ "values": [
+ {
+ "description": "Classification reason was suspicious activity",
+ "value": "SuspiciousActivity"
+ },
+ {
+ "description": "Classification reason was suspicious but expected",
+ "value": "SuspiciousButExpected"
+ },
+ {
+ "description": "Classification reason was incorrect alert logic",
+ "value": "IncorrectAlertLogic"
+ },
+ {
+ "description": "Classification reason was inaccurate data",
+ "value": "InaccurateData"
+ }
+ ]
+ }
+ },
+ "IncidentLabel": {
+ "description": "Represents an incident label",
+ "properties": {
+ "labelName": {
+ "description": "The name of the label",
+ "type": "string"
+ },
+ "labelType": {
+ "description": "The type of the label",
+ "enum": [
+ "User",
+ "System"
+ ],
+ "type": "string",
+ "readOnly": true,
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentLabelType",
+ "values": [
+ {
+ "description": "Label manually created by a user",
+ "value": "User"
+ },
+ {
+ "description": "Label automatically created by the system",
+ "value": "System"
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "labelName"
+ ],
+ "type": "object"
+ },
+ "IncidentOwnerInfo": {
+ "description": "Information on the user an incident is assigned to",
+ "properties": {
+ "email": {
+ "description": "The email of the user the incident is assigned to.",
+ "type": "string"
+ },
+ "assignedTo": {
+ "description": "The name of the user the incident is assigned to.",
+ "type": "string"
+ },
+ "objectId": {
+ "description": "The object id of the user the incident is assigned to.",
+ "format": "uuid",
+ "type": "string"
+ },
+ "userPrincipalName": {
+ "description": "The user principal name of the user the incident is assigned to.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "IncidentSeverity": {
+ "description": "The severity of the incident",
+ "enum": [
+ "High",
+ "Medium",
+ "Low",
+ "Informational"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentSeverity",
+ "values": [
+ {
+ "description": "High severity",
+ "value": "High"
+ },
+ {
+ "description": "Medium severity",
+ "value": "Medium"
+ },
+ {
+ "description": "Low severity",
+ "value": "Low"
+ },
+ {
+ "description": "Informational severity",
+ "value": "Informational"
+ }
+ ]
+ }
+ },
+ "IncidentStatus": {
+ "description": "The status of the incident",
+ "enum": [
+ "New",
+ "Active",
+ "Closed"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentStatus",
+ "values": [
+ {
+ "description": "An active incident which isn't being handled currently",
+ "value": "New"
+ },
+ {
+ "description": "An active incident which is being handled",
+ "value": "Active"
+ },
+ {
+ "description": "A non-active incident",
+ "value": "Closed"
+ }
+ ]
+ }
 }
 }
 }
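Review bot: `IncidentOwnerInfo` is a request-body type here (via `AutomationRuleModifyPropertiesAction.actionConfiguration.owner`) yet none of `email`, `assignedTo`, `objectId`, `userPrincipalName` is required and the definition does not say which identifier the service resolves the assignee by when they disagree. Email and UPN are mutable attributes while `objectId` is the stable Azure AD identifier, so a rule written with only a UPN could assign incidents to a different principal after a rename; document the precedence, e.g. extend the `objectId` description with `"Authoritative identifier of the assignee; email and userPrincipalName are informational"` if that matches the service's behavior — confirm. `IncidentLabel.labelType` is `readOnly` inside the same request body, which is reasonable, but its description should say that clients cannot create `System` labels so the read-only marker in generated SDKs is not mistaken for a bug.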
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index f7a1d2656d01..2870b982fb0f 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -573,203 +573,6 @@ } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": { - "get": { - "x-ms-examples": { - "Get all automation rules.": { - "$ref": "./examples/automationRules/GetAllAutomationRules.json" - } - }, - "tags": [ - "Automation Rules" - ], - "description": "Gets all automation rules.", - "operationId": "AutomationRules_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/AutomationRulesList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": { - "get": { - "x-ms-examples": { - "Get an automation rule.": { - "$ref": "./examples/automationRules/GetAutomationRule.json" - } - }, - "tags": [ - "Automation Rules" - ], - "description": "Gets the automation rule.", - "operationId": "AutomationRules_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AutomationRuleId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - 
"$ref": "#/definitions/AutomationRule" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates an automation rule.": { - "$ref": "./examples/automationRules/CreateAutomationRule.json" - } - }, - "tags": [ - "Automation Rules" - ], - "description": "Creates or updates the automation rule.", - "operationId": "AutomationRules_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AutomationRuleId" - }, - { - "$ref": "#/parameters/AutomationRule" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/AutomationRule" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/AutomationRule" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete an automation rule.": { - "$ref": "./examples/automationRules/DeleteAutomationRule.json" - } - }, - "tags": [ - "Automation Rule" - ], - "description": "Delete the automation rule.", - "operationId": "AutomationRules_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AutomationRuleId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - 
"description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases": { "get": { "x-ms-examples": { 
@@ -5592,907 +5395,246 @@ "value": "MicrosoftSecurityIncidentCreation" }, { - "value": "Fusion" - }, - { - "value": "MLBehaviorAnalytics" - }, - { - "value": "ThreatIntelligence" - } - ] - } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "AlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/Resource" - }, - { - "$ref": "#/definitions/AlertRuleKind" - } - ], - "description": "Alert rule template.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleTemplateDataSource": { - "description": "alert rule template data sources", - "properties": { - "connectorId": { - "description": "The connector id that provides the following data types", - "type": "string" - }, - "dataTypes": { - "description": "The data types used by the alert rule template", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, - "AlertRuleTemplatePropertiesBase": { - "description": "Base alert rule template property bag.", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "type": "integer" - }, - "lastUpdatedDateUTC": { - "description": "The last time that this alert rule template has been updated.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data sources for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "description": "The alert rule template status.", - "enum": [ - 
"Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] - } - } - }, - "type": "object" - }, - "AlertRuleTemplatesList": { - "description": "List all the alert rule templates.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rule templates.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rule templates.", - "items": { - "$ref": "#/definitions/AlertRuleTemplate" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertRuleTriggerOperator": { - "description": "The operation against the threshold that triggers alert rule.", - "enum": [ - "GreaterThan", - "LessThan", - "Equal", - "NotEqual" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TriggerOperator" - } - }, - "AlertRulesList": { - "description": "List all the alert rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rules.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rules.", - "items": { - "$ref": "#/definitions/AlertRule" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - 
"description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Alerts data type connection.", - "type": "object" - } - }, - "type": "object", - "required": [ - "alerts" - ] - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact", - "PreAttack" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "AutomationRule": { - "allOf": [ - { - "$ref": "#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an automation rule.", - "properties": { - "properties": { - "$ref": "#/definitions/AutomationRuleProperties", - "description": "Automation rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "AutomationRuleAction": { - "description": "Describes an automation rule action", - "discriminator": "actionType", - "properties": { - "order": { - "description": "The order of execution of the automation rule action", - "type": "integer", - "format": "int32" - }, - "actionType": { - "description": "The type of the automation rule action", - "enum": [ - "ModifyProperties", - "RunPlaybook" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRuleActionType", - "values": [ - { - "description": "Modify an object's properties", - "value": "ModifyProperties" - }, - { - "description": "Run a playbook on an object", - "value": "RunPlaybook" - } - ] - } - } - }, - "required": [ - "order", - "actionType" - ], - "type": "object" - }, - 
"AutomationRuleCondition": { - "description": "Describes an automation rule condition", - "discriminator": "conditionType", - "properties": { - "conditionType": { - "description": "The type of the automation rule condition", - "enum": [ - "Property" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRuleConditionType", - "values": [ - { - "description": "Evaluate an object property value", - "value": "Property" - } - ] - } - } - }, - "required": [ - "conditionType" - ], - "type": "object" - }, - "AutomationRuleRunPlaybookAction": { - "description": "Describes an automation rule action to run a playbook", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleAction" - } - ], - "properties": { - "actionConfiguration": { - "description": "The configuration of the run playbook automation rule action", - "properties": { - "logicAppResourceId": { - "description": "The resource id of the playbook resource", - "type": "string" - }, - "tenantId": { - "description": "The tenant id of the playbook resource", - "type": "string" - } - }, - "type": "object" - } - }, - "required": [ - "actionConfiguration" - ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "RunPlaybook" - }, - "AutomationRuleModifyPropertiesAction": { - "description": "Describes an automation rule action to modify an object's properties", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleAction" - } - ], - "properties": { - "actionConfiguration": { - "description": "The configuration of the modify properties automation rule action", - "properties": { - "classification": { - "$ref": "#/definitions/IncidentClassification", - "description": "The reason the incident was closed" - }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "$ref": "#/definitions/IncidentClassificationReason", - "description": "The classification reason to close the 
incident with" - }, - "labels": { - "description": "List of labels to add to the incident", - "items": { - "$ref": "#/definitions/IncidentLabel" - }, - "type": "array" - }, - "owner": { - "$ref": "#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "severity": { - "$ref": "#/definitions/IncidentSeverity", - "description": "The severity of the incident" - }, - "status": { - "$ref": "#/definitions/IncidentStatus", - "description": "The status of the incident" - } - }, - "type": "object" - } - }, - "required": [ - "actionConfiguration" - ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "ModifyProperties" - }, - "AutomationRulePropertyConditionSupportedProperty": { - "description": "The property to evaluate in an automation rule property condition", - "enum": [ - "IncidentTitle", - "IncidentDescription", - "IncidentSeverity", - "IncidentStatus", - "IncidentTactics", - "IncidentRelatedAnalyticRuleIds", - "IncidentProviderName", - "AccountAadTenantId", - "AccountAadUserId", - "AccountName", - "AccountNTDomain", - "AccountPUID", - "AccountSid", - "AccountObjectGuid", - "AccountUPNSuffix", - "AzureResourceResourceId", - "AzureResourceSubscriptionId", - "CloudApplicationAppId", - "CloudApplicationAppName", - "DNSDomainName", - "FileDirectory", - "FileName", - "FileHashValue", - "HostAzureID", - "HostName", - "HostNetBiosName", - "HostNTDomain", - "HostOSVersion", - "IoTDeviceId", - "IoTDeviceName", - "IoTDeviceType", - "IoTDeviceVendor", - "IoTDeviceModel", - "IoTDeviceOperatingSystem", - "IPAddress", - "MailboxDisplayName", - "MailboxPrimaryAddress", - "MailboxUPN", - "MailMessageDeliveryAction", - "MailMessageDeliveryLocation", - "MailMessageRecipient", - "MailMessageSenderIP", - "MailMessageSubject", - "MailMessageP1Sender", - "MailMessageP2Sender", - "MalwareCategory", - "MalwareName", - "ProcessCommandLine", - "ProcessId", - "RegistryKey", - 
"RegistryValueData", - "Url" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRulePropertyConditionSupportedProperty", - "values": [ - { - "description": "The title of the incident", - "value": "IncidentTitle" - }, - { - "description": "The description of the incident", - "value": "IncidentDescription" - }, - { - "description": "The severity of the incident", - "value": "IncidentSeverity" - }, - { - "description": "The status of the incident", - "value": "IncidentStatus" - }, - { - "description": "The tactics of the incident", - "value": "IncidentTactics" - }, - { - "description": "The related Analytic rule ids of the incident", - "value": "IncidentRelatedAnalyticRuleIds" - }, - { - "description": "The provider name of the incident", - "value": "IncidentProviderName" - }, - { - "description": "The account Azure Active Directory tenant id", - "value": "AccountAadTenantId" - }, - { - "description": "The account Azure Active Directory user id.", - "value": "AccountAadUserId" - }, - { - "description": "The account name", - "value": "AccountName" - }, - { - "description": "The account NetBIOS domain name", - "value": "AccountNTDomain" - }, - { - "description": "The account Azure Active Directory Passport User ID", - "value": "AccountPUID" - }, - { - "description": "The account security identifier", - "value": "AccountSid" - }, - { - "description": "The account unique identifier", - "value": "AccountObjectGuid" - }, - { - "description": "The account user principal name suffix", - "value": "AccountUPNSuffix" - }, - { - "description": "The Azure resource id", - "value": "AzureResourceResourceId" - }, - { - "description": "The Azure resource subscription id", - "value": "AzureResourceSubscriptionId" - }, - { - "description": "The cloud application identifier", - "value": "CloudApplicationAppId" - }, - { - "description": "The cloud application name", - "value": "CloudApplicationAppName" - }, - { - "description": "The dns record domain 
name", - "value": "DNSDomainName" - }, - { - "description": "The file directory full path", - "value": "FileDirectory" - }, - { - "description": "The file name without path", - "value": "FileName" - }, - { - "description": "The file hash value", - "value": "FileHashValue" - }, - { - "description": "The host Azure resource id", - "value": "HostAzureID" - }, - { - "description": "The host name without domain", - "value": "HostName" - }, - { - "description": "The host NetBIOS name", - "value": "HostNetBiosName" - }, - { - "description": "The host NT domain", - "value": "HostNTDomain" - }, - { - "description": "The host operating system", - "value": "HostOSVersion" - }, - { - "description": "The IoT device id", - "value": "IoTDeviceId" - }, - { - "description": "The IoT device name", - "value": "IoTDeviceName" - }, - { - "description": "The IoT device type", - "value": "IoTDeviceType" - }, - { - "description": "The IoT device vendor", - "value": "IoTDeviceVendor" - }, - { - "description": "The IoT device model", - "value": "IoTDeviceModel" - }, - { - "description": "The IoT device operating system", - "value": "IoTDeviceOperatingSystem" - }, - { - "description": "The IP address", - "value": "IPAddress" - }, - { - "description": "The mailbox display name", - "value": "MailboxDisplayName" - }, - { - "description": "The mailbox primary address", - "value": "MailboxPrimaryAddress" - }, - { - "description": "The mailbox user principal name", - "value": "MailboxUPN" - }, - { - "description": "The mail message delivery action", - "value": "MailMessageDeliveryAction" - }, - { - "description": "The mail message delivery location", - "value": "MailMessageDeliveryLocation" - }, - { - "description": "The mail message recipient", - "value": "MailMessageRecipient" - }, - { - "description": "The mail message sender IP address", - "value": "MailMessageSenderIP" - }, - { - "description": "The mail message subject", - "value": "MailMessageSubject" - }, - { - "description": "The mail 
message P1 sender", - "value": "MailMessageP1Sender" - }, - { - "description": "The mail message P2 sender", - "value": "MailMessageP2Sender" - }, - { - "description": "The malware category", - "value": "MalwareCategory" - }, - { - "description": "The malware name", - "value": "MalwareName" - }, - { - "description": "The process execution command line", - "value": "ProcessCommandLine" - }, - { - "description": "The process id", - "value": "ProcessId" - }, - { - "description": "The registry key path", - "value": "RegistryKey" - }, - { - "description": "The registry key value in string formatted representation", - "value": "RegistryValueData" - }, - { - "description": "The url", - "value": "Url" - } - ] - } - }, - "AutomationRulePropertyValuesCondition": { - "description": "Describes an automation rule condition that evaluates a property's value", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleCondition" - } - ], - "properties": { - "conditionProperties": { - "description": "The configuration of the automation rule condition", - "properties": { - "propertyName": { - "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty", - "description": "The property to evaluate" - }, - "operator": { - "description": "The operator to use for evaluation the condition", - "enum": [ - "Equals", - "NotEquals", - "Contains", - "NotContains", - "StartsWith", - "NotStartsWith", - "EndsWith", - "NotEndsWith" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRulePropertyConditionSupportedOperator", - "values": [ - { - "description": "Evaluates if the property equals at least one of the condition values", - "value": "Equals" - }, - { - "description": "Evaluates if the property does not equal any of the condition values", - "value": "NotEquals" - }, - { - "description": "Evaluates if the property contains at least one of the condition values", - "value": "Contains" - }, - { - "description": "Evaluates if the property does not 
contain any of the condition values", - "value": "NotContains" - }, - { - "description": "Evaluates if the property starts with any of the condition values", - "value": "StartsWith" - }, - { - "description": "Evaluates if the property does not start with any of the condition values", - "value": "NotStartsWith" - }, - { - "description": "Evaluates if the property ends with any of the condition values", - "value": "EndsWith" - }, - { - "description": "Evaluates if the property does not end with any of the condition values", - "value": "NotEndsWith" - } - ] - } - }, - "propertyValues": { - "description": "The values to use for evaluating the condition", - "items": { - "description": "A value to use for evaluating the condition", - "type": "string" + "value": "Fusion" }, - "type": "array" - } - }, - "type": "object" + { + "value": "MLBehaviorAnalytics" + }, + { + "value": "ThreatIntelligence" + } + ] + } } }, "required": [ - "conditionProperties" + "kind" ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "Property" + "type": "object" }, - "AutomationRulesList": { - "description": "List all the automation rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of automation rules.", - "readOnly": true, - "type": "string" + "AlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/Resource" }, - "value": { - "description": "Array of automation rules.", - "items": { - "$ref": "#/definitions/AutomationRule" - }, - "type": "array" + { + "$ref": "#/definitions/AlertRuleKind" } - }, + ], + "description": "Alert rule template.", + "discriminator": "kind", + "type": "object", "required": [ - "value" + "kind" ] }, - "AutomationRuleProperties": { - "description": "Describes automation rule properties", + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", "properties": { - "displayName": { - "description": "The display name of the automation rule", + "connectorId": { + 
"description": "The connector id that provides the following data types", "type": "string" }, - "order": { - "description": "The order of execution of the automation rule", - "type": "integer", - "format": "int32" - }, - "triggeringLogic": { - "$ref": "#/definitions/AutomationRuleTriggeringLogic", - "description": "The triggering logic of the automation rule", - "type": "object" - }, - "actions": { - "description": "The actions to execute when the automation rule is triggered", + "dataTypes": { + "description": "The data types used by the alert rule template", "items": { - "$ref": "#/definitions/AutomationRuleAction" + "type": "string" }, "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer" }, - "createdTimeUtc": { - "description": "The time the automation rule was created", + "lastUpdatedDateUTC": { + "description": "The last time that this alert rule template has been updated.", "format": "date-time", "readOnly": true, "type": "string" }, - "lastModifiedTimeUtc": { - "description": "The last time the automation rule was updated", + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", "format": "date-time", "readOnly": true, "type": "string" }, - "createdBy": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that created the automation rule", - "readOnly": true, - "type": "object" - }, - "lastModifiedBy": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that last updated the automation rule", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "displayName", - "order", - "triggeringLogic", - "actions" - ], - "type": "object" - }, - "AutomationRuleTriggeringLogic": { - "description": "Describes 
automation rule triggering logic", - "properties": { - "isEnabled": { - "description": "Determines whether the automation rule is enabled or disabled.", - "type": "boolean" + "description": { + "description": "The description of the alert rule template.", + "type": "string" }, - "expirationTimeUtc": { - "description": "Determines when the automation rule should automatically expire and be disabled.", - "format": "date-time", + "displayName": { + "description": "The display name for alert rule template.", "type": "string" }, - "triggersOn": { - "description": "The type of object the automation rule triggers on", - "enum": [ - "Incidents" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TriggersOn", - "values": [ - { - "description": "Trigger on Incidents", - "value": "Incidents" - } - ] - } + "requiredDataConnectors": { + "description": "The required data sources for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" }, - "triggersWhen": { - "description": "The type of event the automation rule triggers on", + "status": { + "description": "The alert rule template status.", "enum": [ - "Created" + "Installed", + "Available", + "NotAvailable" ], "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "TriggersWhen", + "name": "TemplateStatus", "values": [ { - "description": "Trigger on created objects", - "value": "Created" + "description": "Alert rule template installed. 
and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" } ] } + } + }, + "type": "object" + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" }, - "conditions": { - "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object", + "value": { + "description": "Array of alert rule templates.", "items": { - "$ref": "#/definitions/AutomationRuleCondition" + "$ref": "#/definitions/AlertRuleTemplate" }, "type": "array" } }, "required": [ - "isEnabled", - "triggersOn", - "triggersWhen" + "value" + ] + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" ], - "type": "object" + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", 
+ "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } }, "AwsCloudTrailDataConnector": { "allOf": [ @@ -14091,24 +13233,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "AutomationRule": { - "description": "The automation rule", - "in": "body", - "name": "automationRule", - "required": true, - "schema": { - "$ref": "#/definitions/AutomationRule" - }, - "x-ms-parameter-location": "method" - }, - "AutomationRuleId": { - "description": "Automation rule ID", - "in": "path", - "name": "automationRuleId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, "ApiVersion": { "description": "API version for the operation", "enum": [ diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index 057fd5b8b202..a9f2e5970aac 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md 
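Review bot: The automation-rule definitions removed in this hunk (`AutomationRuleModifyPropertiesAction`, `AutomationRuleProperties`) referenced `IncidentOwnerInfo`, `IncidentSeverity`, `IncidentStatus`, `IncidentLabel` and `ClientInfo` through `#/definitions/...`, and none of those shared schemas is removed here, so they presumably remain in SecurityInsights.json while the new AutomationRules.json (tail visible at the top of this patch) declares its own `IncidentOwnerInfo`, `IncidentSeverity` and `IncidentStatus`. With both files listed as `input-file` under the same tag, AutoRest merges definitions by name and deduplicates only byte-identical copies, so any later drift between the two (an added enum value, a changed description) becomes a generation break rather than a visible spec change; consider keeping a single copy and referencing it cross-file, or moving the shared incident schemas into the common types file. Separately, the re-added `AttackTactic` block still carries the copy-pasted description `"The severity for alerts created by this alert rule."`, which describes a different property; something like `"The attack tactics of the alert rule."` would match the style used for `IncidentTactics` elsewhere in this hunk. The trailing `@@ -14091` hunk that deletes the `AutomationRule`/`AutomationRuleId` parameters is consistent with the path removal and needs nothing further.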
@@ -136,6 +136,7 @@ These settings apply only when `--tag=package-2019-01-preview` is specified on t ```yaml $(tag) == 'package-2019-01-preview' input-file: - Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +- Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json directive: - suppress: R4017 from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json From 50437ed966a2347332875bc45b82fe3bc2ec3485 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Sun, 4 Jul 2021 21:12:11 +0300 Subject: [PATCH 03/11] change ResourceWithEtag --- .../2019-01-01-preview/SecurityInsights.json | 51 +++++-------------- 1 file changed, 13 insertions(+), 38 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 2870b982fb0f..723e4b932c67 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -5220,7 +5220,7 @@ "ActionRequest": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Action for alert rule.", @@ -5358,7 +5358,7 @@ "AlertRule": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/AlertRuleKind" @@ -5918,7 +5918,7 @@ "Bookmark": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Represents a bookmark in Azure Security Insights.", 
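Review bot: The new `input-file` entry adds AutomationRules.json only to the `package-2019-01-preview` tag, while the `suppress: R4017` directive immediately below stays scoped with `from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json`; the resource definitions moved out of that file no longer fall under the suppression. If the suppression was covering the automation-rule resources, add a parallel entry, `from: Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json`, under the same directive. Any other tag in this readme that lists SecurityInsights.json for the 2019-01-01-preview version (not visible in the hunk) would likewise need the new file, otherwise the automation-rule operations silently disappear from that package.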
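Review bot: Each `$ref` rewrite in `@@ -5220`, `@@ -5358` and `@@ -5918` (and the matching hunks for Case, DataConnector, EntityQuery, Incident, IncidentComment, Relation, Settings, Watchlist, WatchlistItem and ThreatIntelligenceInformation) swaps the local `ResourceWithEtag` for `../../../common/1.0/types.json#/definitions/ResourceWithEtag`, but the common file is not part of this patch, so the shape it provides cannot be checked here. The local definition deleted in `@@ -10773,31 +10773,6 @@` declared `id`, `name` and `type` as `readOnly`, `etag` as writable and carried `"x-ms-azure-resource": true`; if the shared definition differs in any of those (for example a required field, a `systemData` property or a missing `x-ms-azure-resource`), every listed resource model changes in generated SDKs and ARM linting treats them differently. Please confirm the two definitions are equivalent and state that in the PR description, or call out the intended model change if they are not.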
@@ -6076,7 +6076,7 @@ "Case": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Represents a case in Azure Security Insights.", @@ -6581,7 +6581,7 @@ "DataConnector": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/DataConnectorKind" @@ -7626,7 +7626,7 @@ "EntityQuery": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/EntityQueryKind" @@ -8687,7 +8687,7 @@ "Incident": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Represents an incident in Azure Security Insights.", @@ -8856,7 +8856,7 @@ "IncidentComment": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Represents an incident comment", @@ -10713,7 +10713,7 @@ "description": "Represents a relation between two resources", "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "properties": { @@ -10773,31 +10773,6 @@ }, "x-ms-azure-resource": true }, - "ResourceWithEtag": { - "description": "An azure resource object with an Etag property", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" - }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - }, - "etag": { - "description": "Etag of the azure resource", - "type": "string" - } - }, - "x-ms-azure-resource": true - }, "ScheduledAlertRule": { "allOf": [ { 
@@ -11498,7 +11473,7 @@ "Settings": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/SettingsKind" @@ -12172,7 +12147,7 @@ "Watchlist": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Represents a Watchlist in Azure Security Insights.", @@ -12317,7 +12292,7 @@ "WatchlistItem": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], "description": "Represents a Watchlist item in Azure Security Insights.", @@ -12406,7 +12381,7 @@ "ThreatIntelligenceInformation": { "allOf": [ { - "$ref": "#/definitions/ResourceWithEtag" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, { "$ref": "#/definitions/ThreatIntelligenceResourceKind" From 5e63d2c4b8572d004820222e263e36c9461e8824 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Mon, 5 Jul 2021 16:10:06 +0300 Subject: [PATCH 04/11] update readme --- .../2019-01-01-preview/AutomationRules.json | 14 +++----------- .../securityinsights/resource-manager/readme.md | 4 ++++ 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json index bf06da7fded4..110c82be86c9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json 
@@ -51,7 +51,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -99,7 +99,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -145,7 +145,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -280,14 +280,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "SubscriptionId": { - "description": "Azure subscription ID", - "in": "path", - "name": "subscriptionId", - "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", - "required": true, - "type": "string" - }, "WorkspaceName": { "description": "The name of the workspace.", "in": "path", diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md index a9f2e5970aac..d7ae6e200511 100644 --- a/specification/securityinsights/resource-manager/readme.md +++ b/specification/securityinsights/resource-manager/readme.md 
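Review bot: Replacing `#/parameters/SubscriptionId` with the common-types `SubscriptionIdParameter` in the three operation hunks here, and deleting the local definition at `@@ -280`, drops the GUID `pattern` (`^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$`) the local parameter carried; as far as I recall the v2 shared parameter has no `pattern`, so generated clients lose that input check (ARM still validates the id server-side, but it is a client-visible change worth a line in the commit message). The same substitution is made for SecurityInsights.json in the following commit (every hunk on L40–L53, with the definition removed at `@@ -13543` on L55), so the same caveat applies there. Separately, these operations now mix the shared `SubscriptionIdParameter` with local `#/parameters/ApiVersion` and `#/parameters/ResourceGroupName`; the same common-types v2 file defines `ApiVersionParameter` and `ResourceGroupNameParameter`, so referencing those as well would keep each parameter list uniform. The enclosing operations continue outside each hunk.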
@@ -151,6 +151,10 @@ directive: from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json where: $.definitions.AutomationRule reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace. + - suppress: R4017 + from: Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json + where: $.definitions.AutomationRule + reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace. ``` --- From 9f04a23288305eac709732071f458447423df310 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Mon, 5 Jul 2021 16:29:26 +0300 Subject: [PATCH 05/11] change resource and subscriptionId --- .../2019-01-01-preview/SecurityInsights.json | 261 +++++++++--------- 1 file changed, 126 insertions(+), 135 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 723e4b932c67..d51c4c20dde0 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -76,7 +76,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
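Review bot: The new `suppress: R4017` directive for AutomationRules.json is added beside the existing one that still points `from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json` at `$.definitions.AutomationRule`; if the first commit in this series moved that definition out of SecurityInsights.json, the old entry no longer matches anything and should be removed rather than kept next to an identical `reason`. If the definition intentionally lives in both files for now, a short clause in `reason` saying so would spare the next reader the same question.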
@@ -130,7 +130,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -182,7 +182,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -237,7 +237,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -285,7 +285,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -336,7 +336,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -385,7 +385,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -443,7 +443,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -494,7 +494,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -542,7 +542,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -591,7 +591,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -652,7 +652,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -699,7 +699,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -755,7 +755,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -804,7 +804,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -869,7 +869,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -919,42 +919,41 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/CaseCommentId" - }, - { - "$ref": "#/parameters/CaseComment" - } - ], - "responses": { - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/CaseComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter", + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/CaseCommentId" + }, + { + "$ref": "#/parameters/CaseComment" + }, + + "responses": { + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/CaseComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } } - } - } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { "get": { 
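Review bot: The new side of the `@@ -919,42 +919,41` hunk is not well-formed JSON: the `SubscriptionIdParameter` `$ref` now ends with a comma and is followed by bare `{ "$ref": ... },` objects with no key inside the same object, the `],` that closed the `parameters` array is gone, and `"responses"` ends up nested inside that parameter object instead of at the operation level. The intended change is the same one-line substitution every other hunk in this commit makes: `"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"` with no trailing comma, leaving the surrounding `},`, `{`, `],` and `"responses"` lines exactly as they were. The later "add bracket" commit (its diffstat of 11604 insertions / 11603 deletions and the `bookmarks` path shifted one indent level deeper on L56) looks like it balances the braces at the end of the file rather than restoring the structure here, which would leave every subsequent path nested inside this operation; a JSON parse plus the repo's OpenAPI lint run on this file should be a gate before merge. The enclosing operation starts and ends outside the hunk.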
@@ -973,7 +972,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1021,7 +1020,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1067,7 +1066,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1122,7 +1121,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1171,7 +1170,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1236,7 +1235,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1286,7 +1285,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -1345,7 +1344,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1396,7 +1395,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1457,7 +1456,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1511,7 +1510,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1560,7 +1559,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1618,7 +1617,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1669,7 +1668,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -1711,7 +1710,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1753,7 +1752,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1837,7 +1836,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1892,7 +1891,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1947,7 +1946,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2028,7 +2027,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2076,7 +2075,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -2181,7 +2180,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2229,7 +2228,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2280,7 +2279,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2331,7 +2330,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2382,7 +2381,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2433,7 +2432,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2497,7 +2496,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -2548,7 +2547,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2596,7 +2595,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2642,7 +2641,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2690,7 +2689,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2735,7 +2734,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2781,7 +2780,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2827,7 +2826,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -2878,7 +2877,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2926,7 +2925,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2974,7 +2973,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3022,7 +3021,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3082,7 +3081,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3128,7 +3127,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3183,7 +3182,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -3231,7 +3230,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3279,7 +3278,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3327,7 +3326,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3391,7 +3390,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3440,7 +3439,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3498,7 +3497,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3549,7 +3548,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -3597,7 +3596,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3661,7 +3660,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3710,7 +3709,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3768,7 +3767,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3819,7 +3818,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3867,7 +3866,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3913,7 +3912,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -3959,7 +3958,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4016,7 +4015,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4067,7 +4066,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4116,7 +4115,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4165,7 +4164,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4225,7 +4224,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4279,7 +4278,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -4339,7 +4338,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4385,7 +4384,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4440,7 +4439,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4488,7 +4487,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4539,7 +4538,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4584,7 +4583,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4632,7 +4631,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "#/parameters/SubscriptionId" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -5267,7 +5266,7 @@ "ActionResponse": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" } ], "description": "Action for alert rule.", @@ -5322,7 +5321,7 @@ "Aggregations": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { "$ref": "#/definitions/AggregationsKind" @@ -5415,7 +5414,7 @@ "AlertRuleTemplate": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { "$ref": "#/definitions/AlertRuleKind" @@ -5741,7 +5740,7 @@ "description": "Represents a relation", "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { "type": "object", @@ -6092,7 +6091,7 @@ "CaseComment": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" } ], "description": "Represents a case comment", @@ -7170,7 +7169,7 @@ "Entity": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { "$ref": "#/definitions/EntityKind" @@ -10226,7 +10225,7 @@ "OfficeConsent": { "allOf": [ { - "$ref": "#/definitions/Resource" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" } ], "description": "Consent for Office365 tenant that already made.", 
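Review bot: The `#/definitions/Resource` references in the `ActionResponse`, `Aggregations`, `AlertRuleTemplate`, relation, `CaseComment`, `Entity` and `OfficeConsent` hunks are retargeted to the common-types v2 `Resource`, but unlike `ResourceWithEtag` in the earlier commit the local `Resource` definition is not deleted anywhere in this diff; if nothing references it any more it should go too, since an orphaned definition is still emitted as a model by some generators and will drift from the shared one. The resource hierarchy now also has two roots, `ResourceWithEtag` from `../../../common/1.0/types.json` and `Resource` from `../../../../../common-types/resource-management/v2/types.json`, so it is worth confirming that the former itself composes the same shared `Resource`; otherwise `id`/`name`/`type` are described by two independent schemas. The enclosing definition objects continue past each hunk.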
@@ -13543,14 +13542,6 @@ "type": "string", "x-ms-parameter-location": "method" }, - "SubscriptionId": { - "description": "Azure subscription ID", - "in": "path", - "name": "subscriptionId", - "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$", - "required": true, - "type": "string" - }, "WorkspaceName": { "description": "The name of the workspace.", "in": "path", From 1dd207975787bc56957d8a921b7e92c7df640c76 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Mon, 5 Jul 2021 16:33:20 +0300 Subject: [PATCH 06/11] add bracket --- .../2019-01-01-preview/SecurityInsights.json | 23207 ++++++++-------- 1 file changed, 11604 insertions(+), 11603 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index d51c4c20dde0..640f116ce263 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json 
@@ -954,12695 +954,12696 @@ } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { - "get": { - "x-ms-examples": { - "Get all bookmarks.": { - "$ref": "./examples/bookmarks/GetBookmarks.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Gets all bookmarks.", - "operationId": "Bookmarks_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { + "get": { + "x-ms-examples": { + "Get all bookmarks.": { + "$ref": "./examples/bookmarks/GetBookmarks.json" + } }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "tags": [ + "Bookmarks" + ], + "description": "Gets all bookmarks.", + "operationId": "Bookmarks_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/WorkspaceName" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/BookmarkList" + 
} + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { + "get": { + "x-ms-examples": { + "Get a bookmark.": { + "$ref": "./examples/bookmarks/GetBookmarkById.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Bookmarks" + ], + "description": "Gets a bookmark.", + "operationId": "Bookmarks_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { - "get": { - "x-ms-examples": { - "Get a bookmark.": { - "$ref": "./examples/bookmarks/GetBookmarkById.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Gets a bookmark.", - "operationId": "Bookmarks_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": 
"#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "put": { + "x-ms-examples": { + "Creates or updates a bookmark.": { + "$ref": "./examples/bookmarks/CreateBookmark.json" + } }, - { - "$ref": "#/parameters/BookmarkId" + "tags": [ + "Bookmarks" + ], + "description": "Creates or updates the bookmark.", + "operationId": "Bookmarks_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/Bookmark" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Bookmark" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Bookmark" + }, + "delete": { + "x-ms-examples": { + "Delete a bookmark.": { + "$ref": "./examples/bookmarks/DeleteBookmark.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Bookmarks" + ], + "description": "Delete the bookmark.", + "operationId": "Bookmarks_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": 
"#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } }, - "put": { - "x-ms-examples": { - "Creates or updates a bookmark.": { - "$ref": "./examples/bookmarks/CreateBookmark.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Creates or updates the bookmark.", - "operationId": "Bookmarks_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/Bookmark" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Bookmark" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations": { + "get": { + "x-ms-examples": { + "Get all case relations.": { + "$ref": "./examples/cases/relations/GetAllCaseRelations.json" } }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Bookmark" + "tags": [ + "CaseRelations" + ], + "description": "Gets all case relations.", + "deprecated": true, + "operationId": "CaseRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": 
"#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } + }, + "x-ms-odata": "#/definitions/CaseRelation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "delete": { - "x-ms-examples": { - "Delete a bookmark.": { - "$ref": "./examples/bookmarks/DeleteBookmark.json" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a case relation.": { + "$ref": "./examples/cases/relations/GetCaseRelationByName.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Gets a case relation.", + "deprecated": true, + "operationId": "CaseRelations_GetRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": 
"#/definitions/CaseRelation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } }, - "tags": [ - "Bookmarks" - ], - "description": "Delete the bookmark.", - "operationId": "Bookmarks_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations": { - "get": { - "x-ms-examples": { - "Get all case relations.": { - "$ref": "./examples/cases/relations/GetAllCaseRelations.json" - } - }, - "tags": [ - "CaseRelations" - ], - "description": "Gets all case relations.", - "deprecated": true, - "operationId": "CaseRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": 
"#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/CaseRelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/CaseRelation", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get a case relation.": { - "$ref": "./examples/cases/relations/GetCaseRelationByName.json" - } - }, - "tags": [ - "CaseRelations" - ], - "description": "Gets a case relation.", - "deprecated": true, - "operationId": "CaseRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/CaseRelation" + "put": { + "x-ms-examples": { + "Creates or updates a case relation.": { + "$ref": "./examples/cases/relations/CreateCaseRelation.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates a case relation.": { - "$ref": "./examples/cases/relations/CreateCaseRelation.json" - } - }, - "tags": [ - "CaseRelations" - ], - "description": "Creates or updates the case 
relation.", - "deprecated": true, - "operationId": "CaseRelations_CreateOrUpdateRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" - }, - { - "$ref": "#/parameters/RelationInputModel" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/CaseRelation" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/CaseRelation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "delete": { - "x-ms-examples": { - "Delete the case relation.": { - "$ref": "./examples/cases/relations/DeleteCaseRelation.json" - } - }, - "tags": [ - "CaseRelations" - ], - "description": "Delete the case relation.", - "deprecated": true, - "operationId": "CaseRelations_DeleteRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { - "get": { - "x-ms-examples": { - "Get all bookmark relations.": { - "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" - } - }, - "tags": [ - "BookmarkRelations" - ], - "description": "Gets all bookmark relations.", - "operationId": "BookmarkRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { - "post": { - "x-ms-examples": { - "Expand an bookmark": { - "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" - } - }, - "description": "Expand an bookmark", - "operationId": "Bookmark_Expand", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/BookmarkExpandRequestBody" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/BookmarkExpandResponse" + "tags": [ + "CaseRelations" + ], + "description": "Creates or updates the case relation.", + "deprecated": true, + "operationId": "CaseRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/RelationName" + }, + { + "$ref": "#/parameters/RelationInputModel" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/CaseRelation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "tags": [ - "Bookmark" - ] - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get a bookmark 
relation.": { - "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" - } - }, - "tags": [ - "BookmarkRelations" - ], - "description": "Gets a bookmark relation.", - "operationId": "BookmarkRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" + "delete": { + "x-ms-examples": { + "Delete the case relation.": { + "$ref": "./examples/cases/relations/DeleteCaseRelation.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "CaseRelations" + ], + "description": "Delete the case relation.", + "deprecated": true, + "operationId": "CaseRelations_DeleteRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } }, - "put": { - "x-ms-examples": { - "Creates or updates a bookmark relation.": { - "$ref": 
"./examples/bookmarks/relations/CreateBookmarkRelation.json" - } - }, - "tags": [ - "BookmarkRelations" - ], - "description": "Creates the bookmark relation.", - "operationId": "BookmarkRelations_CreateOrUpdateRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/RelationName" - }, - { - "$ref": "#/parameters/Relation" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { + "get": { + "x-ms-examples": { + "Get all bookmark relations.": { + "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" } }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Relation" + "tags": [ + "BookmarkRelations" + ], + "description": "Gets all bookmark relations.", + "operationId": "BookmarkRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } - }, - "default": { - 
"description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } + }, + "x-ms-odata": "#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "delete": { - "x-ms-examples": { - "Delete the bookmark relation.": { - "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" - } - }, - "tags": [ - "BookmarkRelations" - ], - "description": "Delete the bookmark relation.", - "operationId": "BookmarkRelations_DeleteRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { + "post": { + "x-ms-examples": { + "Expand an bookmark": { + "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" + } }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK" + "description": "Expand an bookmark", + "operationId": "Bookmark_Expand", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, 
+ { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/BookmarkExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkExpandResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - "204": { - "description": "No Content" + "tags": [ + "Bookmark" + ] + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" + } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "BookmarkRelations" + ], + "description": "Gets a bookmark relation.", + "operationId": "BookmarkRelations_GetRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - } - } - } - }, - 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": { - "get": { - "x-ms-examples": { - "Get geodata for a single IP address": { - "$ref": "./examples/enrichment/GetGeodataByIp.json" } }, - "tags": [ - "Enrichment" - ], - "description": "Get geodata for a single IP address", - "operationId": "IPGeodata_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + "put": { + "x-ms-examples": { + "Creates or updates a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/CreateBookmarkRelation.json" + } }, - { - "$ref": "#/parameters/EnrichmentIpAddress" + "tags": [ + "BookmarkRelations" + ], + "description": "Creates the bookmark relation.", + "operationId": "BookmarkRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/RelationName" + }, + { + "$ref": "#/parameters/Relation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EnrichmentIpGeodata" + }, + "delete": { + "x-ms-examples": { + "Delete the bookmark 
relation.": { + "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" } }, - "default": { - "description": "Error response describing why the operation failed to enrich this ip.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "BookmarkRelations" + ], + "description": "Delete the bookmark relation.", + "operationId": "BookmarkRelations_DeleteRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": { - "get": { - "x-ms-examples": { - "Get whois information for a single domain name": { - "$ref": "./examples/enrichment/GetWhoisByDomainName.json" - } - }, - "tags": [ - "Enrichment" - ], - "description": "Get whois information for a single domain name", - "operationId": "DomainWhois_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": { + "get": { + "x-ms-examples": { + "Get geodata for a single IP address": { + "$ref": 
"./examples/enrichment/GetGeodataByIp.json" + } }, - { - "$ref": "#/parameters/EnrichmentDomain" + "tags": [ + "Enrichment" + ], + "description": "Get geodata for a single IP address", + "operationId": "IPGeodata_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/EnrichmentIpAddress" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EnrichmentIpGeodata" + } + }, + "default": { + "description": "Error response describing why the operation failed to enrich this ip.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EnrichmentDomainWhois" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": { + "get": { + "x-ms-examples": { + "Get whois information for a single domain name": { + "$ref": "./examples/enrichment/GetWhoisByDomainName.json" } }, - "default": { - "description": "Error response describing why the operation failed to enrich this domain.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Enrichment" + ], + "description": "Get whois information for a single domain name", + "operationId": "DomainWhois_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/EnrichmentDomain" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EnrichmentDomainWhois" + } + }, + "default": { + "description": "Error response describing why the operation 
failed to enrich this domain.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { - "get": { - "x-ms-examples": { - "Get all data connectors.": { - "$ref": "./examples/dataConnectors/GetDataConnectors.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Gets all data connectors.", - "operationId": "DataConnectors_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnectorList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/WorkspaceName" + "x-ms-pageable": 
{ + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnectorList" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" + }, + "Get a TI data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" + }, + "Get a TI Taxii data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" + }, + "Get a MCAS data connector.": { + "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector.": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector.": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector.": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector.": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + }, + "Get a Office ATP data connector": { + "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" + }, + "Get a Dynamics365 data connector": { + "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" + }, + "Get a MicrosoftThreatProtection data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" + }, + "Get a MicrosoftThreatIntelligence data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" } }, - "default": { - 
"description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { - "get": { - "x-ms-examples": { - "Get an Office365 data connector.": { - "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" - }, - "Get a TI data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" - }, - "Get a TI Taxii data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" - }, - "Get a MCAS data connector.": { - "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" - }, - "Get a ASC data connector.": { - "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" - }, - "Get an AAD data connector.": { - "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" - }, - "Get an AwsCloudTrail data connector.": { - "$ref": 
"./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" - }, - "Get an AATP data connector.": { - "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" - }, - "Get a MDATP data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" - }, - "Get a Office ATP data connector": { - "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" - }, - "Get a Dynamics365 data connector": { - "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" - }, - "Get a MicrosoftThreatProtection data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" + "put": { + "x-ms-examples": { + "Creates or updates an Office365 data connector.": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" + }, + "Creates or updates a Threat Intelligence Taxii data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" + }, + "Creates or updates an Threat Intelligence Platform data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + }, + "Creates or updates a Dynamics365 data connector.": { + "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" + } }, - "Get a MicrosoftThreatIntelligence data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + 
}, + { + "$ref": "#/parameters/DataConnector" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } }, - "tags": [ - "Data Connectors" - ], - "description": "Gets a data connector.", - "operationId": "DataConnectors_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector.": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + } }, - { - "$ref": "#/parameters/DataConnectorId" + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnector" + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { + "post": { + "x-ms-examples": { + "Check requirements for TI.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" + }, + "Check requirements for TI Taxii.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" + }, + "Check requirements for AAD.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" + }, + "Check requirements for AAD - no license.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" + }, + "Check requirements for AAD - no authorization.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" + }, + "Check requirements for ASC.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" + }, + "Check requirements for Mcas.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" + }, + "Check requirements for Mdatp.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" + }, + "Check requirements for OfficeATP.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" + }, + "Check requirements for Dynamics365.": { + "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" + }, + "Check requirements for MicrosoftThreatProtection.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" + }, + "Check requirements for MicrosoftThreatIntelligence.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Check Data Connector Requirements" + ], 
+ "description": "Get requirements state for a data connector type.", + "operationId": "DataConnectorsCheckRequirements_Post", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnectorRequirementsState" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } }, - "put": { - "x-ms-examples": { - "Creates or updates an Office365 data connector.": { - "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" - }, - "Creates or updates a Threat Intelligence Taxii data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" - }, - "Creates or updates an Threat Intelligence Platform data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" - }, - "Creates or updates a Dynamics365 data connector.": { - "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Creates or updates the data connector.", - "operationId": "DataConnectors_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - 
}, - { - "$ref": "#/parameters/DataConnector" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnector" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { + "get": { + "x-ms-examples": { + "Get all entities.": { + "$ref": "./examples/entities/GetEntities.json" } }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/DataConnector" + "tags": [ + "Entities" + ], + "description": "Gets all entities.", + "operationId": "Entities_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "delete": { - "x-ms-examples": { - "Delete an Office365 data connector.": { - "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Delete the data connector.", - "operationId": "DataConnectors_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - 
"$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { + "get": { + "x-ms-examples": { + "Get an account entity.": { + "$ref": "./examples/entities/GetAccountEntityById.json" + }, + "Get a host entity.": { + "$ref": "./examples/entities/GetHostEntityById.json" + }, + "Get a file entity.": { + "$ref": "./examples/entities/GetFileEntityById.json" + }, + "Get a security alert entity.": { + "$ref": "./examples/entities/GetSecurityAlertEntityById.json" + }, + "Get a file hash entity.": { + "$ref": "./examples/entities/GetFileHashEntityById.json" + }, + "Get a malware entity.": { + "$ref": "./examples/entities/GetMalwareEntityById.json" + }, + "Get a security group entity.": { + "$ref": "./examples/entities/GetSecurityGroupEntityById.json" + }, + "Get an azure resource entity.": { + "$ref": "./examples/entities/GetAzureResourceEntityById.json" + }, + "Get a cloud application entity.": { + "$ref": "./examples/entities/GetCloudApplicationEntityById.json" + }, + "Get a process entity.": { + "$ref": "./examples/entities/GetProcessEntityById.json" + }, + "Get a dns entity.": { + "$ref": "./examples/entities/GetDnsEntityById.json" + }, + "Get an ip entity.": { + "$ref": "./examples/entities/GetIpEntityById.json" + }, + "Get a registry key entity.": { + "$ref": "./examples/entities/GetRegistryKeyEntityById.json" + }, + "Get a registry value entity.": { + "$ref": "./examples/entities/GetRegistryValueEntityById.json" + }, + "Get a url entity.": { + "$ref": "./examples/entities/GetUrlEntityById.json" + }, + "Get an IoT device entity.": { + "$ref": 
"./examples/entities/GetIoTDeviceEntityById.json" + }, + "Get a mailCluster entity.": { + "$ref": "./examples/entities/GetMailClusterEntityById.json" + }, + "Get a mailbox entity.": { + "$ref": "./examples/entities/GetMailboxEntityById.json" + }, + "Get a mailMessage entity.": { + "$ref": "./examples/entities/GetMailMessageEntityById.json" + }, + "Get a submissionMail entity.": { + "$ref": "./examples/entities/GetSubmissionMailEntityById.json" + } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Entities" + ], + "description": "Gets an entity.", + "operationId": "Entities_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Entity" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { - "post": { - "x-ms-examples": { - "Check requirements for TI.": { - "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" - }, - "Check requirements for TI Taxii.": { - "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" - }, - "Check requirements for AAD.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" - }, - "Check requirements for 
AAD - no license.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" - }, - "Check requirements for AAD - no authorization.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" - }, - "Check requirements for ASC.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" - }, - "Check requirements for Mcas.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" - }, - "Check requirements for Mdatp.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" - }, - "Check requirements for OfficeATP.": { - "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" - }, - "Check requirements for Dynamics365.": { - "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" - }, - "Check requirements for MicrosoftThreatProtection.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" - }, - "Check requirements for MicrosoftThreatIntelligence.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" - } - }, - "tags": [ - "Check Data Connector Requirements" - ], - "description": "Get requirements state for a data connector type.", - "operationId": "DataConnectorsCheckRequirements_Post", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnectorRequirementsState" + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { + "post": { + "x-ms-examples": { + "Expand an entity": { + "$ref": "./examples/entities/expand/PostExpandEntity.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Entities" + ], + "description": "Expands an entity.", + "operationId": "Entities_Expand", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityExpandResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { - "get": { - "x-ms-examples": { - "Get all entities.": { - "$ref": "./examples/entities/GetEntities.json" - } - }, - "tags": [ - "Entities" - ], - "description": "Gets all entities.", - "operationId": "Entities_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": 
"#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityList" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { + "post": { + "x-ms-examples": { + "Entity timeline": { + "$ref": "./examples/entities/timeline/PostTimelineEntity.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Entities" + ], + "description": "Timeline for an entity.", + "operationId": "EntitiesGetTimeline_list", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityTimelineRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityTimelineResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { - "get": { - "x-ms-examples": { - "Get an account entity.": { - "$ref": "./examples/entities/GetAccountEntityById.json" - }, - "Get a host entity.": { - "$ref": 
"./examples/entities/GetHostEntityById.json" - }, - "Get a file entity.": { - "$ref": "./examples/entities/GetFileEntityById.json" - }, - "Get a security alert entity.": { - "$ref": "./examples/entities/GetSecurityAlertEntityById.json" - }, - "Get a file hash entity.": { - "$ref": "./examples/entities/GetFileHashEntityById.json" - }, - "Get a malware entity.": { - "$ref": "./examples/entities/GetMalwareEntityById.json" - }, - "Get a security group entity.": { - "$ref": "./examples/entities/GetSecurityGroupEntityById.json" - }, - "Get an azure resource entity.": { - "$ref": "./examples/entities/GetAzureResourceEntityById.json" - }, - "Get a cloud application entity.": { - "$ref": "./examples/entities/GetCloudApplicationEntityById.json" - }, - "Get a process entity.": { - "$ref": "./examples/entities/GetProcessEntityById.json" - }, - "Get a dns entity.": { - "$ref": "./examples/entities/GetDnsEntityById.json" - }, - "Get an ip entity.": { - "$ref": "./examples/entities/GetIpEntityById.json" - }, - "Get a registry key entity.": { - "$ref": "./examples/entities/GetRegistryKeyEntityById.json" - }, - "Get a registry value entity.": { - "$ref": "./examples/entities/GetRegistryValueEntityById.json" - }, - "Get a url entity.": { - "$ref": "./examples/entities/GetUrlEntityById.json" - }, - "Get an IoT device entity.": { - "$ref": "./examples/entities/GetIoTDeviceEntityById.json" - }, - "Get a mailCluster entity.": { - "$ref": "./examples/entities/GetMailClusterEntityById.json" - }, - "Get a mailbox entity.": { - "$ref": "./examples/entities/GetMailboxEntityById.json" - }, - "Get a mailMessage entity.": { - "$ref": "./examples/entities/GetMailMessageEntityById.json" - }, - "Get a submissionMail entity.": { - "$ref": "./examples/entities/GetSubmissionMailEntityById.json" - } - }, - "tags": [ - "Entities" - ], - "description": "Gets an entity.", - "operationId": "Entities_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { + "get": { + "x-ms-examples": { + "Get Entity Query": { + "$ref": "./examples/entities/GetQueries.json" + } }, - { - "$ref": "#/parameters/EntityId" + "tags": [ + "Entities" + ], + "description": "Get Insights and Activities for an entity.", + "operationId": "Entities_Queries", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityQueryKindParam" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/GetQueriesResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Entity" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { + "post": { + "x-ms-examples": { + "Entity Insight": { + "$ref": "./examples/entities/insights/PostGetInsights.json" } }, - "default": { - "description": "Error response describing 
why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Entities" + ], + "description": "Execute Insights for an entity.", + "operationId": "Entities_GetInsights", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityGetInsightsResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { - "post": { - "x-ms-examples": { - "Expand an entity": { - "$ref": "./examples/entities/expand/PostExpandEntity.json" - } - }, - "tags": [ - "Entities" - ], - "description": "Expands an entity.", - "operationId": "Entities_Expand", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { + "get": { + "x-ms-examples": { 
+ "Get all relations of an entity.": { + "$ref": "./examples/entities/relations/GetAllEntityRelations.json" + } }, - { - "$ref": "#/parameters/EntityId" + "tags": [ + "EntityRelations" + ], + "description": "Gets all relations of an entity.", + "operationId": "EntitiesRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/EntityExpandRequestBody" + "x-ms-odata": "#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityExpandResponse" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get an entity relation.": { + "$ref": "./examples/entities/relations/GetEntityRelationByName.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "EntityRelations" + ], + "description": "Gets an entity relation.", + 
"operationId": "EntityRelations_GetRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { - "post": { - "x-ms-examples": { - "Entity timeline": { - "$ref": "./examples/entities/timeline/PostTimelineEntity.json" - } - }, - "tags": [ - "Entities" - ], - "description": "Timeline for an entity.", - "operationId": "EntitiesGetTimeline_list", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": { + "get": { + "x-ms-examples": { + "Get all office consents.": { + "$ref": "./examples/officeConsents/GetOfficeConsents.json" + } }, - { - "$ref": "#/parameters/EntityId" + "tags": [ + "Office Consents" + ], + 
"description": "Gets all office365 consents.", + "operationId": "OfficeConsents_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/OfficeConsentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/EntityTimelineRequestBody" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityTimelineResponse" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": { + "get": { + "x-ms-examples": { + "Get an office consent.": { + "$ref": "./examples/officeConsents/GetOfficeConsentsById.json" + } + }, + "tags": [ + "Office Consents" + ], + "description": "Gets an office365 consent.", + "operationId": "OfficeConsents_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ConsentId" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + 
"description": "OK", + "schema": { + "$ref": "#/definitions/OfficeConsent" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { - "get": { - "x-ms-examples": { - "Get Entity Query": { - "$ref": "./examples/entities/GetQueries.json" - } }, - "tags": [ - "Entities" - ], - "description": "Get Insights and Activities for an entity.", - "operationId": "Entities_Queries", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" + "delete": { + "x-ms-examples": { + "Delete an office consent.": { + "$ref": "./examples/officeConsents/DeleteOfficeConsents.json" + } }, - { - "$ref": "#/parameters/EntityQueryKindParam" + "tags": [ + "Office Consents" + ], + "description": "Delete the office365 consent.", + "operationId": "OfficeConsents_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ConsentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + 
"schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/GetQueriesResponse" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": { + "get": { + "x-ms-examples": { + "Get EyesOn settings.": { + "$ref": "./examples/settings/GetAllSettings.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Settings" + ], + "description": "List of all the settings", + "operationId": "ProductSettings_GetAll", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/SettingList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { - "post": { - "x-ms-examples": { - "Entity Insight": { - "$ref": "./examples/entities/insights/PostGetInsights.json" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": { + "get": { + "x-ms-examples": { + "Get EyesOn settings.": { + "$ref": 
"./examples/settings/GetEyesOnSetting.json" + } + }, + "tags": [ + "Settings" + ], + "description": "Gets a setting.", + "operationId": "ProductSettings_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Settings" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } }, - "tags": [ - "Entities" - ], - "description": "Execute Insights for an entity.", - "operationId": "Entities_GetInsights", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" + "delete": { + "x-ms-examples": { + "Delete EyesOn settings.": { + "$ref": "./examples/settings/DeleteEyesOnSetting.json" + } }, - { - "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + "tags": [ + "Settings" + ], + "description": "Delete setting of the product.", + "operationId": "ProductSettings_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": 
"#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityGetInsightsResponse" + }, + "put": { + "x-ms-examples": { + "Update EyesOn settings.": { + "$ref": "./examples/settings/UpdateEyesOnSetting.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Settings" + ], + "description": "Updates setting.", + "operationId": "ProductSettings_Update", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/SettingsName" + }, + { + "$ref": "#/parameters/Settings" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Settings" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { - "get": { - "x-ms-examples": { - "Get all relations of an entity.": { - "$ref": "./examples/entities/relations/GetAllEntityRelations.json" - } - }, - "tags": [ - "EntityRelations" - ], - "description": "Gets all relations of an 
entity.", - "operationId": "EntitiesRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/aggregations/{aggregationsName}": { + "get": { + "x-ms-examples": { + "Get aggregative data for all cases under the defined workspace, between the time range if specified.": { + "$ref": "./examples/aggregations/GetCasesAggregations.json" + } }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" + "tags": [ + "Aggregations" + ], + "description": "Get aggregative result for the given resources under the defined workspace", + "operationId": "CasesAggregations_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AggregationsName" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Aggregations" + } + }, 
+ "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } - }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get an entity relation.": { - "$ref": "./examples/entities/relations/GetEntityRelationByName.json" - } - }, - "tags": [ - "EntityRelations" - ], - "description": "Gets an entity relation.", - "operationId": "EntityRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { + "get": { + "x-ms-examples": { + "Get all entity queries.": { + "$ref": "./examples/entityQueries/GetEntityQueries.json" + } }, - { - "$ref": "#/parameters/EntityId" + "tags": [ + "EntityQueries" + ], + "description": "Gets all entity queries.", + "operationId": "EntityQueries_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": 
"OK", + "schema": { + "$ref": "#/definitions/EntityQueryList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/RelationName" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { + "get": { + "x-ms-examples": { + "Get an entity query.": { + "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "EntityQueries" + ], + "description": "Gets an entity query.", + "operationId": "EntityQueries_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityQueryId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQuery" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": { - "get": { - "x-ms-examples": { - "Get all office consents.": { - "$ref": 
"./examples/officeConsents/GetOfficeConsents.json" - } - }, - "tags": [ - "Office Consents" - ], - "description": "Gets all office365 consents.", - "operationId": "OfficeConsents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { + "get": { + "x-ms-examples": { + "Get all incidents.": { + "$ref": "./examples/incidents/GetIncidents.json" + } }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "tags": [ + "Incidents" + ], + "description": "Gets all incidents.", + "operationId": "Incidents_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/WorkspaceName" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/OfficeConsentList" + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { + "get": { + "x-ms-examples": { + "Get an incident.": { + "$ref": "./examples/incidents/GetIncidentById.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Incidents" + ], + "description": "Gets an incident.", + "operationId": "Incidents_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": { - "get": { - "x-ms-examples": { - "Get an office consent.": { - "$ref": "./examples/officeConsents/GetOfficeConsentsById.json" + "put": { + "x-ms-examples": { + "Creates or updates an incident.": { + "$ref": "./examples/incidents/CreateIncident.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/Incident" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } }, - "tags": [ - "Office Consents" - ], - "description": "Gets an office365 consent.", - "operationId": "OfficeConsents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "delete": { + "x-ms-examples": { + "Delete an incident.": { + "$ref": "./examples/incidents/DeleteIncident.json" + } }, - { - "$ref": "#/parameters/WorkspaceName" + "tags": [ + "Incidents" + ], + "description": "Delete the incident.", + "operationId": "Incidents_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation 
failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { + "post": { + "x-ms-examples": { + "Get all incident alerts.": { + "$ref": "./examples/incidents/GetAllIncidentAlerts.json" + } }, - { - "$ref": "#/parameters/ConsentId" + "tags": [ + "IncidentAlerts" + ], + "description": "Gets all incident alerts.", + "operationId": "Incidents_ListOfAlerts", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentAlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/OfficeConsent" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { + "post": { + "x-ms-examples": { + "Get all incident bookmarks.": { + "$ref": "./examples/incidents/GetAllIncidentBookmarks.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "IncidentBookmarks" + ], + "description": "Gets all incident bookmarks.", + "operationId": 
"Incidents_ListOfBookmarks", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentBookmarkList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } }, - "delete": { - "x-ms-examples": { - "Delete an office consent.": { - "$ref": "./examples/officeConsents/DeleteOfficeConsents.json" - } - }, - "tags": [ - "Office Consents" - ], - "description": "Delete the office365 consent.", - "operationId": "OfficeConsents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { + "get": { + "x-ms-examples": { + "Get all incident comments.": { + "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" + } }, - { - "$ref": "#/parameters/WorkspaceName" + "tags": [ + "IncidentComments" + ], + "description": "Gets all incident comments.", + "operationId": "IncidentComments_ListByIncident", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { 
+ "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/ConsentId" + "x-ms-odata": "#/definitions/IncidentComment", + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { + "get": { + "x-ms-examples": { + "Get an incident comment.": { + "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" + } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "IncidentComments" + ], + "description": "Gets an incident comment.", + "operationId": "IncidentComments_GetComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": 
"#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": { - "get": { - "x-ms-examples": { - "Get EyesOn settings.": { - "$ref": "./examples/settings/GetAllSettings.json" } }, - "tags": [ - "Settings" - ], - "description": "List of all the settings", - "operationId": "ProductSettings_GetAll", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "put": { + "x-ms-examples": { + "Creates or updates an incident comment.": { + "$ref": "./examples/incidents/comments/CreateIncidentComment.json" + } }, - { - "$ref": "#/parameters/WorkspaceName" + "tags": [ + "IncidentComments" + ], + "description": "Creates or updates the incident comment.", + "operationId": "IncidentComments_CreateComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + }, + { + "$ref": "#/parameters/IncidentComment" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": 
"#/definitions/IncidentComment" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/SettingList" + }, + "delete": { + "x-ms-examples": { + "Delete the incident comment.": { + "$ref": "./examples/incidents/comments/DeleteIncidentComment.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "IncidentComments" + ], + "description": "Delete the incident comment.", + "operationId": "IncidentComments_DeleteComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": { - "get": { - "x-ms-examples": { - "Get EyesOn settings.": { - "$ref": "./examples/settings/GetEyesOnSetting.json" - } - }, - "tags": [ - "Settings" - ], - "description": "Gets a setting.", - "operationId": "ProductSettings_Get", - "parameters": [ - { 
- "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { + "post": { + "x-ms-examples": { + "Gets all incident related entities": { + "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json" + } }, - { - "$ref": "#/parameters/SettingsName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Settings" + "tags": [ + "IncidentEntities" + ], + "description": "Gets all incident related entities.", + "operationId": "Incidents_ListOfEntities", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentEntitiesResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } }, - "delete": { - "x-ms-examples": { - "Delete EyesOn settings.": { - "$ref": "./examples/settings/DeleteEyesOnSetting.json" - } - }, - "tags": [ - "Settings" - ], - "description": "Delete 
setting of the product.", - "operationId": "ProductSettings_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/SettingsName" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { + "get": { + "x-ms-examples": { + "Get all incident relations.": { + "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" + } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "IncidentRelations" + ], + "description": "Gets all incident relations.", + "operationId": "IncidentRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RelationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": 
{ + "$ref": "#/definitions/CloudError" + } } + }, + "x-ms-odata": "#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } } }, - "put": { - "x-ms-examples": { - "Update EyesOn settings.": { - "$ref": "./examples/settings/UpdateEyesOnSetting.json" - } - }, - "tags": [ - "Settings" - ], - "description": "Updates setting.", - "operationId": "ProductSettings_Update", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/SettingsName" - }, - { - "$ref": "#/parameters/Settings" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Settings" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get an incident relation.": { + "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "IncidentRelations" + ], + "description": "Gets an incident relation.", + "operationId": "IncidentRelations_GetRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": 
"#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/aggregations/{aggregationsName}": { - "get": { - "x-ms-examples": { - "Get aggregative data for all cases under the defined workspace, between the time range if specified.": { - "$ref": "./examples/aggregations/GetCasesAggregations.json" } }, - "tags": [ - "Aggregations" - ], - "description": "Get aggregative result for the given resources under the defined workspace", - "operationId": "CasesAggregations_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "put": { + "x-ms-examples": { + "Creates or updates an incident relation.": { + "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" + } }, - { - "$ref": "#/parameters/AggregationsName" + "tags": [ + "IncidentRelations" + ], + "description": "Creates or updates the incident relation.", + "operationId": "IncidentRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": 
"#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/RelationName" + }, + { + "$ref": "#/parameters/Relation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Aggregations" + }, + "delete": { + "x-ms-examples": { + "Delete the incident relation.": { + "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "IncidentRelations" + ], + "description": "Delete the incident relation.", + "operationId": "IncidentRelations_DeleteRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/RelationName" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { - "get": { - "x-ms-examples": { - "Get all entity queries.": { - "$ref": 
"./examples/entityQueries/GetEntityQueries.json" - } - }, - "tags": [ - "EntityQueries" - ], - "description": "Gets all entity queries.", - "operationId": "EntityQueries_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { + "get": { + "x-ms-examples": { + "Get all watchlists.": { + "$ref": "./examples/watchlists/GetWatchlists.json" + } }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "tags": [ + "Watchlists" + ], + "description": "Gets all watchlists, without watchlist items.", + "operationId": "Watchlists_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/WorkspaceName" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityQueryList" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { + "get": { + 
"x-ms-examples": { + "Get a watchlist.": { + "$ref": "./examples/watchlists/GetWatchlistByAlias.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Watchlists" + ], + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "Watchlists_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { - "get": { - "x-ms-examples": { - "Get an entity query.": { - "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json" - } - }, - "tags": [ - "EntityQueries" - ], - "description": "Gets an entity query.", - "operationId": "EntityQueries_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "delete": { + "x-ms-examples": { + "Delete a watchlist.": { + "$ref": 
"./examples/watchlists/DeleteWatchlist.json" + } }, - { - "$ref": "#/parameters/EntityQueryId" + "tags": [ + "Watchlists" + ], + "description": "Delete a watchlist.", + "operationId": "Watchlists_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityQuery" + }, + "put": { + "x-ms-examples": { + "Creates a watchlist.": { + "$ref": "./examples/watchlists/CreateWatchlist.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "Watchlists" + ], + "description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). 
To create a Watchlist and its Items, we should call this endpoint twice : the first call will create an empty Watchlist, and the second one will create its Items.", + "operationId": "Watchlists_Create", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/Watchlist" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Watchlist" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { - "get": { - "x-ms-examples": { - "Get all incidents.": { - "$ref": "./examples/incidents/GetIncidents.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets all incidents.", - "operationId": "Incidents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { + "get": { + "x-ms-examples": { + "Get all watchlist Items.": { + "$ref": "./examples/watchlists/GetWatchlistItems.json" + } }, - { - "$ref": "#/parameters/ODataTop" + "tags": [ + "WatchlistItems" + ], + "description": "Gets all watchlist Items.", + "operationId": "WatchlistItems_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItemList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/ODataSkipToken" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentList" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { + "get": { + "x-ms-examples": { + "Get a watchlist item.": { + "$ref": "./examples/watchlists/GetWatchlistItemById.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "WatchlistItems" + ], + "description": "Gets a watchlist, without its 
watchlist items.", + "operationId": "WatchlistItems_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { - "get": { - "x-ms-examples": { - "Get an incident.": { - "$ref": "./examples/incidents/GetIncidentById.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Gets an incident.", - "operationId": "Incidents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "delete": { + "x-ms-examples": { + "Delete a watchlist Item.": { + "$ref": "./examples/watchlists/DeleteWatchlistItem.json" + } }, - { - "$ref": "#/parameters/IncidentId" + "tags": [ + "WatchlistItems" + ], + "description": "Delete a watchlist item.", + "operationId": "WatchlistItems_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Incident" + }, + "put": { + "x-ms-examples": { + "Creates or updates a watchlist item.": { + "$ref": "./examples/watchlists/CreateWatchlistItem.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "WatchlistItems" + ], + "description": "Creates or updates a watchlist item.", + "operationId": "WatchlistItems_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" + }, + { + "$ref": "#/parameters/WatchlistItemId" + }, + { + "$ref": "#/parameters/WatchlistItem" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": 
"#/definitions/CloudError" + } } } } }, - "put": { - "x-ms-examples": { - "Creates or updates an incident.": { - "$ref": "./examples/incidents/CreateIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Creates or updates the incident.", - "operationId": "Incidents_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/Incident" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Incident" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": { + "post": { + "x-ms-examples": { + "Create a new Threat Intelligence": { + "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json" } }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Incident" + "tags": [ + "ThreatIntelligence" + ], + "description": "Create a new threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_CreateIndicator", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceProperties" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - 
"$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to create indicators.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } }, - "delete": { - "x-ms-examples": { - "Delete an incident.": { - "$ref": "./examples/incidents/DeleteIncident.json" - } - }, - "tags": [ - "Incidents" - ], - "description": "Delete the incident.", - "operationId": "Incidents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": { + "get": { + "x-ms-examples": { + "Get all threat intelligence indicators": { + "$ref": "./examples/threatintelligence/GetThreatIntelligence.json" + } }, - { - "$ref": "#/parameters/WorkspaceName" + "tags": [ + "ThreatIntelligence" + ], + "description": "Get all threat intelligence indicators.", + "operationId": "ThreatIntelligenceIndicators_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataTop" 
+ }, + { + "$ref": "#/parameters/ODataSkipToken" + }, + { + "$ref": "#/parameters/ODataOrderBy" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed to get indicators.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/IncidentId" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": { + "get": { + "x-ms-examples": { + "View a threat intelligence indicator by name": { + "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json" + } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "ThreatIntelligence" + ], + "description": "View a threat intelligence indicator by name.", + "operationId": "ThreatIntelligenceIndicator_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to view an indicator.", + "schema": { + "$ref": "#/definitions/CloudError" + 
} } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { - "post": { - "x-ms-examples": { - "Get all incident alerts.": { - "$ref": "./examples/incidents/GetAllIncidentAlerts.json" } }, - "tags": [ - "IncidentAlerts" - ], - "description": "Gets all incident alerts.", - "operationId": "Incidents_ListOfAlerts", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" + "put": { + "x-ms-examples": { + "Update a threat Intelligence indicator": { + "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json" + } }, - { - "$ref": "#/parameters/IncidentId" + "tags": [ + "ThreatIntelligence" + ], + "description": "Update a threat Intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Create", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceProperties" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed 
to update an indicator.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentAlertList" + }, + "delete": { + "x-ms-examples": { + "Delete a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json" + } + }, + "tags": [ + "ThreatIntelligence" + ], + "description": "Delete a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed to delete an indicator.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { - "post": { - "x-ms-examples": { - "Get all incident bookmarks.": { - "$ref": "./examples/incidents/GetAllIncidentBookmarks.json" - } - }, - "tags": [ - "IncidentBookmarks" - ], - "description": "Gets all incident bookmarks.", - "operationId": "Incidents_ListOfBookmarks", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": { + "post": { + "x-ms-examples": { + "Query threat intelligence indicators as per filtering criteria": { + "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json" + } }, - { - "$ref": "#/parameters/WorkspaceName" + "tags": [ + "ThreatIntelligence" + ], + "description": "Query threat intelligence indicators as per filtering criteria.", + "operationId": "ThreatIntelligenceIndicator_QueryIndicators", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } }, - { - "$ref": "#/parameters/IncidentId" + "x-ms-pageable": { + "nextLinkName": "nextLink" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentBookmarkList" + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": { + "get": { + "x-ms-examples": { + "Get threat intelligence indicators metrics.": { + "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "ThreatIntelligence" + ], + "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).", + "operationId": "ThreatIntelligenceIndicatorMetrics_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceMetricsList" + } + }, + "default": { + "description": "Error response describing why the operation failed to get metrics.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { - "get": { - "x-ms-examples": { - "Get all incident comments.": { - "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" - } - }, - "tags": [ - "IncidentComments" - ], - "description": "Gets all incident comments.", - "operationId": "IncidentComments_ListByIncident", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": { + "post": { + "x-ms-examples": { + "Append tags to a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json" + } }, - { - "$ref": "#/parameters/ODataSkipToken" + "tags": [ + "ThreatIntelligence" + ], + "description": "Append tags to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_AppendTags", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceAppendTags" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "default": { + "description": "Error response describing why the operation failed to append tags.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentCommentList" + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": { + "post": { + "x-ms-examples": { + "Replace tags to a Threat Intelligence": { + "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json" } }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "tags": [ + "ThreatIntelligence" + ], + "description": "Replace tags added to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_ReplaceTags", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceName" + }, + { + "$ref": "#/parameters/ThreatIntelligenceReplaceTags" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + }, + "default": { + "description": "Error response describing why the operation failed to replace tags.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } - }, - "x-ms-odata": "#/definitions/IncidentComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { - "get": { - "x-ms-examples": { - "Get an incident comment.": { - "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" + "definitions": { + 
"MLBehaviorAnalyticsAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" } - }, - "tags": [ - "IncidentComments" ], - "description": "Gets an incident comment.", - "operationId": "IncidentComments_GetComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" + "description": "Represents MLBehaviorAnalytics alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties", + "description": "MLBehaviorAnalytics alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MLBehaviorAnalytics" + }, + "MLBehaviorAnalyticsAlertRuleProperties": { + "description": "MLBehaviorAnalytics alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/ResourceGroupName" + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" }, - { - "$ref": "#/parameters/WorkspaceName" + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/IncidentId" + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true }, - { - "$ref": "#/parameters/IncidentCommentId" + "tactics": { + "description": "The tactics of the alert rule", + 
"items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" } + }, + "required": [ + "alertRuleTemplateName", + "enabled" ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } + "type": "object" }, - "put": { - "x-ms-examples": { - "Creates or updates an incident comment.": { - "$ref": "./examples/incidents/comments/CreateIncidentComment.json" + "MLBehaviorAnalyticsAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MLBehaviorAnalytics alert rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "MLBehaviorAnalytics alert rule template properties.", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." 
+ }, + "tactics": { + "description": "The tactics of the alert rule template.", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true } }, - "tags": [ - "IncidentComments" + "type": "object", + "x-ms-discriminator-value": "MLBehaviorAnalytics" + }, + "AADDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } ], - "description": "Creates or updates the incident comment.", - "operationId": "IncidentComments_CreateComment", - "parameters": [ + "description": "Represents AAD (Azure Active Directory) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AADDataConnectorProperties", + "description": "AAD (Azure Active Directory) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADDataConnectorProperties": { + "allOf": [ { - "$ref": "#/parameters/ApiVersion" + "$ref": "#/definitions/DataConnectorTenantId" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AAD (Azure Active Directory) data connector properties.", + "type": "object" + }, + "AADCheckRequirements": { + "allOf": [ { - "$ref": "#/parameters/ResourceGroupName" - }, + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents AAD (Azure Active Directory) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/AADCheckRequirementsProperties", + "description": "AAD (Azure Active Directory) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureActiveDirectory" + }, + "AADCheckRequirementsProperties": 
{ + "allOf": [ { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "AAD (Azure Active Directory) requirements check properties.", + "type": "object" + }, + "AATPDataConnector": { + "allOf": [ { - "$ref": "#/parameters/WorkspaceName" - }, + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPDataConnectorProperties", + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureAdvancedThreatProtection" + }, + "AATPDataConnectorProperties": { + "allOf": [ { - "$ref": "#/parameters/IncidentId" + "$ref": "#/definitions/DataConnectorTenantId" }, { - "$ref": "#/parameters/IncidentCommentId" - }, + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "AATPCheckRequirements": { + "allOf": [ { - "$ref": "#/parameters/IncidentComment" + "$ref": "#/definitions/DataConnectorsCheckRequirements" } ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/AATPCheckRequirementsProperties", + "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true } - } + }, + "type": "object", + 
"x-ms-discriminator-value": "AzureAdvancedThreatProtection" }, - "delete": { - "x-ms-examples": { - "Delete the incident comment.": { - "$ref": "./examples/incidents/comments/DeleteIncidentComment.json" + "AATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" } - }, - "tags": [ - "IncidentComments" ], - "description": "Delete the incident comment.", - "operationId": "IncidentComments_DeleteComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, + "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "MSTIDataConnector": { + "allOf": [ { - "$ref": "#/parameters/ResourceGroupName" + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Microsoft Threat Intelligence data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTIDataConnectorProperties", + "description": "Microsoft Threat Intelligence data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + }, + "MSTIDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.", + "properties": { + "bingSafetyPhishingURL": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "properties": { + "lookbackPeriod": { + "description": "lookback period", + "type": "string" + } + }, + "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] }, + "microsoftEmergingThreatFeed": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "properties": { + "lookbackPeriod": { + "description": "lookback period", + "type": "string" + } + }, + 
"description": "Data type for Microsoft Threat Intelligence Platforms data connector.", + "type": "object", + "required": [ + "lookbackPeriod" + ] + } + }, + "type": "object", + "required": [ + "bingSafetyPhishingURL", + "microsoftEmergingThreatFeed" + ] + }, + "MSTIDataConnectorProperties": { + "allOf": [ { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Microsoft Threat Intelligence data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MSTIDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MSTICheckRequirements": { + "allOf": [ { - "$ref": "#/parameters/WorkspaceName" - }, + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents Microsoft Threat Intelligence requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MSTICheckRequirementsProperties", + "description": "Microsoft Threat Intelligence requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatIntelligence" + }, + "MSTICheckRequirementsProperties": { + "allOf": [ { - "$ref": "#/parameters/IncidentId" - }, + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Microsoft Threat Intelligence requirements check properties.", + "type": "object" + }, + "MTPDataConnector": { + "allOf": [ { - "$ref": "#/parameters/IncidentCommentId" + "$ref": "#/definitions/DataConnector" } ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Represents MTP (Microsoft Threat Protection) data connector.", + "properties": { 
+ "properties": { + "$ref": "#/definitions/MTPDataConnectorProperties", + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "x-ms-client-flatten": true } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { - "post": { - "x-ms-examples": { - "Gets all incident related entities": { - "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json" + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" + }, + "MTPDataConnectorDataTypes": { + "description": "The available data types for Microsoft Threat Protection Platforms data connector.", + "properties": { + "incidents": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for Microsoft Threat Protection Platforms data connector.", + "type": "object" } }, - "tags": [ - "IncidentEntities" - ], - "description": "Gets all incident related entities.", - "operationId": "Incidents_ListOfEntities", - "parameters": [ + "type": "object", + "required": [ + "incidents" + ] + }, + "MTPDataConnectorProperties": { + "allOf": [ { - "$ref": "#/parameters/ApiVersion" - }, + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MTP (Microsoft Threat Protection) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MTPDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MtpCheckRequirements": { + "allOf": [ { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MTP (Microsoft Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MTPCheckRequirementsProperties", + "description": "MTP (Microsoft Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftThreatProtection" + }, + "MTPCheckRequirementsProperties": { + "allOf": [ { - "$ref": "#/parameters/ResourceGroupName" - }, + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MTP (Microsoft Threat Protection) requirements check properties.", + "type": "object" + }, + "ASCDataConnector": { + "allOf": [ { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents ASC (Azure Security Center) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCDataConnectorProperties", + "description": "ASC (Azure Security Center) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCDataConnectorProperties": { + "allOf": [ { - "$ref": "#/parameters/WorkspaceName" - }, + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "ASC (Azure Security Center) data connector properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" + } + }, + "type": "object" + }, + "ASCCheckRequirements": { + "allOf": [ { - "$ref": "#/parameters/IncidentId" + "$ref": 
"#/definitions/DataConnectorsCheckRequirements" } ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentEntitiesResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Represents ASC (Azure Security Center) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/ASCCheckRequirementsProperties", + "description": "ASC (Azure Security Center) requirements check properties.", + "x-ms-client-flatten": true } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { - "get": { - "x-ms-examples": { - "Get all incident relations.": { - "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" + }, + "type": "object", + "x-ms-discriminator-value": "AzureSecurityCenter" + }, + "ASCCheckRequirementsProperties": { + "description": "ASC (Azure Security Center) requirements check properties.", + "properties": { + "subscriptionId": { + "description": "The subscription id to connect to, and get the data from.", + "type": "string" } }, - "tags": [ - "IncidentRelations" + "type": "object" + }, + "AccountEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } ], - "description": "Gets all incident relations.", - "operationId": "IncidentRelations_List", - "parameters": [ + "description": "Represents an account entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AccountEntityProperties", + "description": "Account entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Account" + }, + "AccountEntityProperties": { + "allOf": [ { - "$ref": "#/parameters/ApiVersion" + "$ref": "#/definitions/EntityCommonProperties" + } + ], + 
"description": "Account entity property bag.", + "properties": { + "aadTenantId": { + "description": "The Azure Active Directory tenant id.", + "readOnly": true, + "type": "string" }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "aadUserId": { + "description": "The Azure Active Directory user id.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/ResourceGroupName" + "accountName": { + "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "displayName": { + "description": "The display name of the account.", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/WorkspaceName" + "isDomainJoined": { + "description": "Determines whether this is a domain account.", + "readOnly": true, + "type": "boolean" }, - { - "$ref": "#/parameters/IncidentId" + "ntDomain": { + "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. Examples: NT AUTHORITY.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/ODataFilter" + "objectGuid": { + "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/ODataOrderBy" + "puid": { + "description": "The Azure Active Directory Passport User ID.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/ODataTop" + "sid": { + "description": "The account security identifier, e.g. 
S-1-5-18.", + "readOnly": true, + "type": "string" + }, + "upnSuffix": { + "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", + "readOnly": true, + "type": "string" }, + "dnsDomain": { + "description": "The fully qualified domain DNS name.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "ActionRequest": { + "allOf": [ { - "$ref": "#/parameters/ODataSkipToken" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Action for alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ActionRequestProperties", + "description": "Action properties for put request", + "x-ms-client-flatten": true } }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get an incident relation.": { - "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" + "type": "object" + }, + "ActionPropertiesBase": { + "description": "Action property bag base.", + "properties": { + "logicAppResourceId": { + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", + "type": "string" } }, - "tags": [ - "IncidentRelations" + "required": [ + "logicAppResourceId" ], - "description": "Gets an incident relation.", - "operationId": 
"IncidentRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, + "type": "object" + }, + "ActionRequestProperties": { + "allOf": [ { - "$ref": "#/parameters/ResourceGroupName" - }, + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "triggerUri": { + "description": "Logic App Callback URL for this specific workflow.", + "type": "string" + } + }, + "required": [ + "triggerUri" + ], + "type": "object" + }, + "ActionResponse": { + "allOf": [ { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + } + ], + "description": "Action for alert rule.", + "properties": { + "etag": { + "description": "Etag of the action.", + "type": "string" }, + "properties": { + "$ref": "#/definitions/ActionResponseProperties", + "description": "Action properties for get request", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "ActionResponseProperties": { + "allOf": [ { - "$ref": "#/parameters/WorkspaceName" + "$ref": "#/definitions/ActionPropertiesBase" + } + ], + "description": "Action property bag.", + "properties": { + "workflowId": { + "description": "The name of the logic app's workflow.", + "type": "string" + } + }, + "type": "object" + }, + "ActionsList": { + "description": "List all the actions.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of actions.", + "readOnly": true, + "type": "string" }, + "value": { + "description": "Array of actions.", + "items": { + "$ref": "#/definitions/ActionResponse" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Aggregations": { + "allOf": [ { - "$ref": "#/parameters/IncidentId" + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { - "$ref": "#/parameters/RelationName" + "$ref": "#/definitions/AggregationsKind" } ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" + "description": "The aggregation.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "AggregationsKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the setting", + "enum": [ + "CasesAggregation" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AggregationsKind" } + } + }, + "required": [ + "kind" + ], + "type": "object" + }, + "AlertRule": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + { + "$ref": "#/definitions/AlertRuleKind" } - } + ], + "description": "Alert rule.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] }, - "put": { - "x-ms-examples": { - "Creates or updates an incident relation.": { - "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" + "AlertRuleKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the alert rule", + "enum": [ + "Scheduled", + "MicrosoftSecurityIncidentCreation", + "Fusion", + "MLBehaviorAnalytics", + "ThreatIntelligence" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertRuleKind", + "values": [ + { + "value": "Scheduled" + }, + { + "value": "MicrosoftSecurityIncidentCreation" + }, + { + "value": "Fusion" + }, + { + "value": "MLBehaviorAnalytics" + }, + { + "value": "ThreatIntelligence" + } + ] + } } }, - "tags": [ - "IncidentRelations" + "required": [ + "kind" ], - "description": 
"Creates or updates the incident relation.", - "operationId": "IncidentRelations_CreateOrUpdateRelation", - "parameters": [ + "type": "object" + }, + "AlertRuleTemplate": { + "allOf": [ { - "$ref": "#/parameters/ApiVersion" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/definitions/AlertRuleKind" + } + ], + "description": "Alert rule template.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "AlertRuleTemplateDataSource": { + "description": "alert rule template data sources", + "properties": { + "connectorId": { + "description": "The connector id that provides the following data types", + "type": "string" }, - { - "$ref": "#/parameters/ResourceGroupName" + "dataTypes": { + "description": "The data types used by the alert rule template", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "AlertRuleTemplatePropertiesBase": { + "description": "Base alert rule template property bag.", + "properties": { + "alertRulesCreatedByTemplateCount": { + "description": "the number of alert rules that were created by this template", + "type": "integer" + }, + "lastUpdatedDateUTC": { + "description": "The last time that this alert rule template has been updated.", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "createdDateUTC": { + "description": "The time that this alert rule template has been added.", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/WorkspaceName" + "description": { + "description": "The description of the alert rule template.", + "type": "string" }, - { - "$ref": "#/parameters/IncidentId" + "displayName": { + "description": "The display name for alert rule template.", + "type": 
"string" }, - { - "$ref": "#/parameters/RelationName" + "requiredDataConnectors": { + "description": "The required data sources for this template", + "items": { + "$ref": "#/definitions/AlertRuleTemplateDataSource" + }, + "type": "array" }, - { - "$ref": "#/parameters/Relation" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" + "status": { + "description": "The alert rule template status.", + "enum": [ + "Installed", + "Available", + "NotAvailable" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TemplateStatus", + "values": [ + { + "description": "Alert rule template installed. and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] } + } + }, + "type": "object" + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Relation" - } + "value": { + "description": "Array of alert rule templates.", + "items": { + "$ref": "#/definitions/AlertRuleTemplate" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" }, - "default": { - "description": "Error 
response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" } + ] + } + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + 
"x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" } - } + }, + "type": "object", + "required": [ + "logs" + ] }, - "delete": { - "x-ms-examples": { - "Delete the incident relation.": { - "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json" + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." 
} }, - "tags": [ - "IncidentRelations" + "required": [ + "dataTypes" ], - "description": "Delete the incident relation.", - "operationId": "IncidentRelations_DeleteRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, + "type": "object" + }, + "AwsCloudTrailCheckRequirements": { + "allOf": [ { - "$ref": "#/parameters/RelationName" + "$ref": "#/definitions/DataConnectorsCheckRequirements" } ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Amazon Web Services CloudTrail requirements check request.", + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AzureResourceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { - "get": { - "x-ms-examples": { - "Get all watchlists.": { - "$ref": "./examples/watchlists/GetWatchlists.json" + ], + "description": "Represents an azure resource entity.", + "properties": { + "properties": { + "$ref": "#/definitions/AzureResourceEntityProperties", + "description": "AzureResource entity properties", + "x-ms-client-flatten": true } }, - "tags": [ - "Watchlists" - ], - "description": "Gets all watchlists, without watchlist items.", - "operationId": "Watchlists_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - 
{ - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, + "type": "object", + "x-ms-discriminator-value": "AzureResource" + }, + "AzureResourceEntityProperties": { + "allOf": [ { - "$ref": "#/parameters/ResourceGroupName" + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "AzureResource entity property bag.", + "properties": { + "resourceId": { + "description": "The azure resource id of the resource", + "readOnly": true, + "type": "string" }, + "subscriptionId": { + "description": "The subscription id of the resource", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "RelationBase": { + "type": "object", + "description": "Represents a relation", + "allOf": [ { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" }, { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistList" + "type": "object", + "properties": { + "kind": { + "type": "string", + "description": "The type of relation node", + "readOnly": true, + "enum": [ + "CasesToBookmarks" + ], + "x-ms-enum": { + "name": "RelationTypes", + "modelAsString": true, + "values": [ + { + "value": "CasesToBookmarks", + "description": "Relations between cases and bookmarks" + } + ] + } + }, + "etag": { + "type": "string", + "description": "ETag for relation" + } } + } + ] + }, + "CaseRelationList": { + "description": "List of case relations.", + "properties": { + "nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": 
"#/definitions/CaseRelation" } } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { - "get": { - "x-ms-examples": { - "Get a watchlist.": { - "$ref": "./examples/watchlists/GetWatchlistByAlias.json" + "required": [ + "value" + ] + }, + "CaseRelation": { + "type": "object", + "description": "Represents a case relation", + "allOf": [ + { + "$ref": "#/definitions/RelationBase" } - }, - "tags": [ - "Watchlists" ], - "description": "Gets a watchlist, without its watchlist items.", - "operationId": "Watchlists_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "Case relation properties", + "$ref": "#/definitions/CaseRelationProperties" + } + } + }, + "CaseRelationProperties": { + "type": "object", + "description": "Case relation properties", + "properties": { + "relationName": { + "type": "string", + "description": "Name of relation" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "bookmarkId": { + "type": "string", + "description": "The case related bookmark id" }, - { - "$ref": "#/parameters/WorkspaceName" + "caseIdentifier": { + "type": "string", + "description": "The case identifier" }, + "bookmarkName": { + "type": "string", + "description": "The case related bookmark name" + } + }, + "required": [ + "relationName", + "caseIdentifier", + "bookmarkId" + ] + }, + "RelationsModelInput": { + "type": "object", + "description": "Relation input model", + "allOf": [ { - "$ref": "#/parameters/WatchlistAlias" + "$ref": "#/definitions/RelationBase" } ], - "responses": 
{ - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Watchlist" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "Relation input properties", + "$ref": "#/definitions/RelationsModelInputProperties" } } }, - "delete": { - "x-ms-examples": { - "Delete a watchlist.": { - "$ref": "./examples/watchlists/DeleteWatchlist.json" - } - }, - "tags": [ - "Watchlists" - ], - "description": "Delete a watchlist.", - "operationId": "Watchlists_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" + "RelationsModelInputProperties": { + "type": "object", + "description": "Relation input properties", + "properties": { + "relationName": { + "type": "string", + "description": "Name of relation" }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "sourceRelationNode": { + "type": "object", + "description": "Relation source node", + "$ref": "#/definitions/RelationNode" }, - { - "$ref": "#/parameters/ResourceGroupName" + "targetRelationNode": { + "type": "object", + "description": "Relation target node", + "$ref": "#/definitions/RelationNode" + } + } + }, + "RelationNode": { + "type": "object", + "description": "Relation node", + "properties": { + "relationNodeId": { + "type": "string", + "description": "Relation Node Id" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "relationNodeKind": { + "type": "string", + "description": "The type of relation node", + "readOnly": true, + "enum": [ + "Case", + "Bookmark" + ], + "x-ms-enum": { + "name": "RelationNodeKind", + "modelAsString": true, + "values": [ + { + "value": "Case", + "description": "Case node part of the relation" + }, + { + "value": "Bookmark", + "description": "Bookmark node part of the relation" + } + ] + } }, - { - "$ref": 
"#/parameters/WorkspaceName" + "etag": { + "type": "string", + "description": "Etag for relation node" }, + "relationAdditionalProperties": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "Additional set of properties" + } + } + }, + "Bookmark": { + "allOf": [ { - "$ref": "#/parameters/WatchlistAlias" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Represents a bookmark in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/BookmarkProperties", + "description": "Bookmark properties", + "x-ms-client-flatten": true } - } + }, + "type": "object" }, - "put": { - "x-ms-examples": { - "Creates a watchlist.": { - "$ref": "./examples/watchlists/CreateWatchlist.json" + "BookmarkList": { + "description": "List all the bookmarks.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of bookmarks.", + "items": { + "$ref": "#/definitions/Bookmark" + }, + "type": "array" } }, - "tags": [ - "Watchlists" - ], - "description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). 
To create a Watchlist and its Items, we should call this endpoint twice : the first call will create an empty Watchlist, and the second one will create its Items.", - "operationId": "Watchlists_Create", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" + "required": [ + "value" + ] + }, + "BookmarkProperties": { + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" }, - { - "$ref": "#/parameters/ResourceGroupName" + "displayName": { + "description": "The display name of the bookmark", + "type": "string" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" }, - { - "$ref": "#/parameters/WorkspaceName" + "notes": { + "description": "The notes of the bookmark", + "type": "string" }, - { - "$ref": "#/parameters/WatchlistAlias" + "query": { + "description": "The query of the bookmark.", + "type": "string" }, - { - "$ref": "#/parameters/Watchlist" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Watchlist" - } + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "eventTime": { + "description": "The bookmark event time", + "format": "date-time", + "type": "string" }, - "201": { - 
"description": "Created", - "schema": { - "$ref": "#/definitions/Watchlist" - } + "queryStartTime": { + "description": "The start time for the query", + "format": "date-time", + "type": "string" }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { - "get": { - "x-ms-examples": { - "Get all watchlist Items.": { - "$ref": "./examples/watchlists/GetWatchlistItems.json" + "queryEndTime": { + "description": "The end time for the query", + "format": "date-time", + "type": "string" + }, + "incidentInfo": { + "$ref": "#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" } }, - "tags": [ - "WatchlistItems" + "required": [ + "displayName", + "query" ], - "description": "Gets all watchlist Items.", - "operationId": "WatchlistItems_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" + "type": "object" + }, + "BookmarkExpandParameters": { + "description": "The parameters required to execute an expand operation on the given bookmark.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" }, - { - "$ref": "#/parameters/WorkspaceName" + "startTime": { + "description": "The start date filter, so the only 
expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + } + }, + "BookmarkExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "#/definitions/Entity" + }, + "type": "array" + }, + "edges": { + "description": "Array of expansion result connected entities", + "items": { + "$ref": "#/definitions/ConnectedEntity" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Case": { + "allOf": [ { - "$ref": "#/parameters/WatchlistAlias" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" } ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistItemList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "description": "Represents a case in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/CaseProperties", + "description": "Case properties", + "x-ms-client-flatten": true } }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { - "get": { - "x-ms-examples": { - "Get a watchlist item.": { - "$ref": "./examples/watchlists/GetWatchlistItemById.json" + "type": "object" + }, + "CaseComment": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" } 
- }, - "tags": [ - "WatchlistItems" ], - "description": "Gets a watchlist, without its watchlist items.", - "operationId": "WatchlistItems_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "description": "Represents a case comment", + "properties": { + "properties": { + "$ref": "#/definitions/CaseCommentProperties", + "description": "Case comment properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "CaseCommentList": { + "description": "List of case comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/WorkspaceName" + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/CaseComment" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "CaseCommentProperties": { + "description": "Case comment property bag.", + "properties": { + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/WatchlistAlias" + "message": { + "description": "The comment message", + "type": "string" }, - { - "$ref": "#/parameters/WatchlistItemId" + "userInfo": { + "$ref": "#/definitions/UserInfo", + "description": "Describes the user that created the comment", + "readOnly": true, + "type": "object" } + }, + "required": [ + "message" ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistItem" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } + "type": "object" }, - "delete": { - 
"x-ms-examples": { - "Delete a watchlist Item.": { - "$ref": "./examples/watchlists/DeleteWatchlistItem.json" + "CaseList": { + "description": "List all the cases.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of cases.", + "items": { + "$ref": "#/definitions/Case" + }, + "type": "array" } }, - "tags": [ - "WatchlistItems" - ], - "description": "Delete a watchlist item.", - "operationId": "WatchlistItems_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" + "required": [ + "value" + ] + }, + "CaseProperties": { + "description": "Describes case properties", + "properties": { + "caseNumber": { + "description": "a sequential number", + "readOnly": true, + "type": "integer" }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "closeReason": { + "description": "The reason the case was closed", + "enum": [ + "Resolved", + "Dismissed", + "TruePositive", + "FalsePositive", + "Other" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CloseReason", + "values": [ + { + "description": "Case was resolved", + "value": "Resolved" + }, + { + "description": "Case was dismissed", + "value": "Dismissed" + }, + { + "description": "Case was true positive", + "value": "TruePositive" + }, + { + "description": "Case was false positive", + "value": "FalsePositive" + }, + { + "description": "Case was closed for another reason", + "value": "Other" + } + ] + } }, - { - "$ref": "#/parameters/ResourceGroupName" + "closedReasonText": { + "description": "the case close reason details", + "type": "string" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "createdTimeUtc": { + "description": "The time the case was created", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "$ref": "#/parameters/WorkspaceName" + "description": 
{ + "description": "The description of the case", + "type": "string" }, - { - "$ref": "#/parameters/WatchlistAlias" + "endTimeUtc": { + "description": "The end time of the case", + "format": "date-time", + "type": "string" }, - { - "$ref": "#/parameters/WatchlistItemId" - } - ], - "responses": { - "200": { - "description": "OK" + "labels": { + "description": "List of labels relevant to this case", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" }, - "204": { - "description": "No Content" + "lastComment": { + "description": "the last comment in the case", + "readOnly": true, + "type": "string" }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - }, - "put": { - "x-ms-examples": { - "Creates or updates a watchlist item.": { - "$ref": "./examples/watchlists/CreateWatchlistItem.json" - } - }, - "tags": [ - "WatchlistItems" - ], - "description": "Creates or updates a watchlist item.", - "operationId": "WatchlistItems_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" + "lastUpdatedTimeUtc": { + "description": "The last time the case was updated", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "metrics": { + "description": "Dictionary of metrics, for example the number of alerts in the case", + "type": "object", + "additionalProperties": { + "type": "integer", + "format": "int32" + }, + "readOnly": true }, - { - "$ref": "#/parameters/ResourceGroupName" + "owner": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that the case is assigned to", + "type": "object" }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" + "relatedAlertIds": { + "description": "List of related alert identifiers", + "items": { + "description": "related alert id", + "type": "string" 
+ }, + "readOnly": true, + "type": "array" }, - { - "$ref": "#/parameters/WorkspaceName" + "relatedAlertProductNames": { + "description": "List of related alert product names", + "items": { + "description": "related alert product name", + "type": "string" + }, + "readOnly": true, + "type": "array" }, - { - "$ref": "#/parameters/WatchlistAlias" + "tactics": { + "description": "The tactics associated with case", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" }, - { - "$ref": "#/parameters/WatchlistItemId" + "severity": { + "description": "The severity of the case", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } }, - { - "$ref": "#/parameters/WatchlistItem" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/WatchlistItem" + "startTimeUtc": { + "description": "The start time of the case", + "format": "date-time", + "type": "string" + }, + "status": { + "description": "The status of the case", + "enum": [ + "Draft", + "New", + "InProgress", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseStatus", + "values": [ + { + "description": "Case that wasn't promoted yet to active", + "value": "Draft" + }, + { + "description": "An active case which isn't handled currently", + "value": "New" + }, + { + "description": "An active case which is handled", + "value": "InProgress" + }, + { + "description": "A non active case", + "value": "Closed" + } + ] } }, - "201": { - 
"description": "Created",
- "schema": {
- "$ref": "#/definitions/WatchlistItem"
- }
+ "title": {
+ "description": "The title of the case",
+ "type": "string"
 },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": {
- "post": {
- "x-ms-examples": {
- "Create a new Threat Intelligence": {
- "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json"
+ "totalComments": {
+ "description": "the number of total comments in the case",
+ "readOnly": true,
+ "type": "integer"
 }
 },
- "tags": [
- "ThreatIntelligence"
+ "required": [
+ "title",
+ "severity",
+ "status"
 ],
- "description": "Create a new threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_CreateIndicator",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
+ "type": "object"
+ },
+ "CasesAggregation": {
+ "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/definitions/Aggregations"
+ }
+ ],
+ "description": "Represents aggregations results for cases.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/CasesAggregationProperties",
+ "description": "Properties of aggregations results of cases.",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "CasesAggregation"
+ },
+ "CasesAggregationBySeverityProperties": {
+ "description": "Aggregative results of cases by severity property bag.",
+ "properties": {
+ "totalCriticalSeverity": {
+ "description": "Total amount of open cases with severity Critical",
+ "readOnly": true,
+ "type": "integer"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "totalHighSeverity": {
+ "description": "Total amount of open cases with severity High",
+ "readOnly": true,
+ "type": "integer"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "totalInformationalSeverity": {
+ "description": "Total amount of open cases with severity Informational",
+ "readOnly": true,
+ "type": "integer"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "totalLowSeverity": {
+ "description": "Total amount of open cases with severity Low",
+ "readOnly": true,
+ "type": "integer"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceProperties"
+ "totalMediumSeverity": {
+ "description": "Total amount of open cases with severity medium",
+ "readOnly": true,
+ "type": "integer"
 }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
+ },
+ "type": "object"
+ },
+ "CasesAggregationByStatusProperties": {
+ "description": "Aggregative results of cases by status property bag.",
+ "properties": {
+ "totalDismissedStatus": {
+ "description": "Total amount of closed cases with status Dismissed",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "totalInProgressStatus": {
+ "description": "Total amount of open cases with status InProgress",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "totalNewStatus": {
+ "description": "Total amount of open cases with status New",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "totalResolvedStatus": {
+ "description": "Total amount of closed cases with status Resolved",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "totalFalsePositiveStatus": {
+ "description": "Total amount of closed cases with status Closed and Close reason of False positive",
+ "readOnly": true,
+ "type": "integer",
+ "format": "int32"
 },
- "default": {
- "description": "Error response describing why the operation failed to create indicators.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": {
- "get": {
- "x-ms-examples": {
- "Get all threat intelligence indicators": {
- "$ref": "./examples/threatintelligence/GetThreatIntelligence.json"
+ "totalTruePositiveStatus": {
+ "description": "Total amount of closed cases with status Closed and Close reason of True positive",
+ "readOnly": true,
+ "type": "integer",
+ "format": "int32"
 }
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Get all threat intelligence indicators.",
- "operationId": "ThreatIntelligenceIndicators_List",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ "type": "object"
+ },
+ "CasesAggregationProperties": {
+ "description": "Aggregative results of cases property bag.",
+ "properties": {
+ "aggregationBySeverity": {
+ "$ref": "#/definitions/CasesAggregationBySeverityProperties",
+ "description": "Aggregations results by case severity."
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "aggregationByStatus": {
+ "$ref": "#/definitions/CasesAggregationByStatusProperties",
+ "description": "Aggregations results by case status."
+ }
+ },
+ "type": "object"
+ },
+ "ClientInfo": {
+ "description": "Information on the client (user or application) that made some action",
+ "properties": {
+ "email": {
+ "description": "The email of the client.",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "name": {
+ "description": "The name of the client.",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "objectId": {
+ "description": "The object id of the client.",
+ "format": "uuid",
+ "type": "string"
 },
+ "userPrincipalName": {
+ "description": "The user principal name of the client.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "CloudApplicationEntity": {
+ "allOf": [
 {
- "$ref": "#/parameters/WorkspaceName"
- },
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a cloud application entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/CloudApplicationEntityProperties",
+ "description": "CloudApplication entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "CloudApplication"
+ },
+ "CloudApplicationEntityProperties": {
+ "allOf": [
 {
- "$ref": "#/parameters/ODataFilter"
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "CloudApplication entity property bag.",
+ "properties": {
+ "appId": {
+ "description": "The technical identifier of the application.",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "appName": {
+ "description": "The name of the related cloud application.",
+ "readOnly": true,
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ODataTop"
+ "instanceName": {
+ "description": "The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "CloudError": {
+ "description": "Error response structure.",
+ "properties": {
+ "error": {
+ "$ref": "#/definitions/CloudErrorBody",
+ "description": "Error data",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-external": true
+ },
+ "CloudErrorBody": {
+ "description": "Error details.",
+ "properties": {
+ "code": {
+ "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
+ "readOnly": true,
+ "type": "string"
 },
+ "message": {
+ "description": "A message describing the error, intended to be suitable for display in a user interface.",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object",
+ "x-ms-external": true
+ },
+ "DataConnector": {
+ "allOf": [
 {
- "$ref": "#/parameters/ODataSkipToken"
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
 },
 {
- "$ref": "#/parameters/ODataOrderBy"
+ "$ref": "#/definitions/DataConnectorKind"
 }
 ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformationList"
+ "description": "Data connector.",
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "DataConnectorsCheckRequirements": {
+ "description": "Data connector requirements properties.",
+ "properties": {
+ "kind": {
+ "$ref": "#/definitions/DataConnectorKind",
+ "description": "Describes the kind of connector to be checked."
+ }
+ },
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "DataConnectorAuthorizationState": {
+ "description": "Describes the state of user's authorization for a connector kind.",
+ "enum": [
+ "Valid",
+ "Invalid"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "DataConnectorAuthorizationState",
+ "values": [
+ {
+ "value": "Valid"
+ },
+ {
+ "value": "Invalid"
 }
- },
- "default": {
- "description": "Error response describing why the operation failed to get indicators.",
- "schema": {
- "$ref": "#/definitions/CloudError"
+ ]
+ }
+ },
+ "DataConnectorLicenseState": {
+ "description": "Describes the state of user's license for a connector kind.",
+ "enum": [
+ "Valid",
+ "Invalid",
+ "Unknown"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "DataConnectorLicenseState",
+ "values": [
+ {
+ "value": "Valid"
+ },
+ {
+ "value": "Invalid"
+ },
+ {
+ "value": "Unknown"
+ }
+ ]
+ }
+ },
+ "DataConnectorDataTypeCommon": {
+ "description": "Common field for data type in data connectors.",
+ "properties": {
+ "state": {
+ "description": "Describe whether this data type connection is enabled or not.",
+ "enum": [
+ "Enabled",
+ "Disabled"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "DataTypeState"
 }
 }
 },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": {
- "get": {
- "x-ms-examples": {
- "View a threat intelligence indicator by name": {
- "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json"
+ "type": "object",
+ "required": [
+ "state"
+ ]
+ },
+ "DataConnectorKind": {
+ "description": "Describes an Azure resource with kind.",
+ "properties": {
+ "kind": {
+ "description": "The kind of the data connector",
+ "enum": [
+ "AzureActiveDirectory",
+ "AzureSecurityCenter",
+ "MicrosoftCloudAppSecurity",
+ "ThreatIntelligence",
+ "ThreatIntelligenceTaxii",
+ "Office365",
+ "OfficeATP",
+ "AmazonWebServicesCloudTrail",
+ "AzureAdvancedThreatProtection",
+ "MicrosoftDefenderAdvancedThreatProtection",
+ "Dynamics365",
+ "MicrosoftThreatProtection",
+ "MicrosoftThreatIntelligence"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "DataConnectorKind",
+ "values": [
+ {
+ "value": "AzureActiveDirectory"
+ },
+ {
+ "value": "AzureSecurityCenter"
+ },
+ {
+ "value": "MicrosoftCloudAppSecurity"
+ },
+ {
+ "value": "ThreatIntelligence"
+ },
+ {
+ "value": "ThreatIntelligenceTaxii"
+ },
+ {
+ "value": "Office365"
+ },
+ {
+ "value": "OfficeATP"
+ },
+ {
+ "value": "AmazonWebServicesCloudTrail"
+ },
+ {
+ "value": "AzureAdvancedThreatProtection"
+ },
+ {
+ "value": "MicrosoftDefenderAdvancedThreatProtection"
+ },
+ {
+ "value": "Dynamics365"
+ },
+ {
+ "value": "MicrosoftThreatProtection"
+ },
+ {
+ "value": "MicrosoftThreatIntelligence"
+ }
+ ]
+ }
 }
 },
- "tags": [
- "ThreatIntelligence"
+ "required": [
+ "kind"
 ],
- "description": "View a threat intelligence indicator by name.",
- "operationId": "ThreatIntelligenceIndicator_Get",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ "type": "object"
+ },
+ "DataConnectorList": {
+ "description": "List all the data connectors.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of data connectors.",
+ "readOnly": true,
+ "type": "string"
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "value": {
+ "description": "Array of data connectors.",
+ "items": {
+ "$ref": "#/definitions/DataConnector"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "DataConnectorRequirementsState": {
+ "description": "Data connector requirements status.",
+ "properties": {
+ "authorizationState": {
+ "description": "Authorization state for this connector",
+ "$ref": "#/definitions/DataConnectorAuthorizationState"
 },
+ "licenseState": {
+ "description": "License state for this connector",
+ "$ref": "#/definitions/DataConnectorLicenseState"
+ }
+ },
+ "type": "object"
+ },
+ "DataConnectorTenantId": {
+ "description": "Properties data connector on tenant level.",
+ "properties": {
+ "tenantId": {
+ "description": "The tenant id to connect to, and get the data from.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "tenantId"
+ ],
+ "type": "object"
+ },
+ "DataConnectorWithAlertsProperties": {
+ "description": "Data connector properties.",
+ "properties": {
+ "dataTypes": {
+ "$ref": "#/definitions/AlertsDataTypeOfDataConnector",
+ "description": "The available data types for the connector."
+ }
+ },
+ "type": "object"
+ },
+ "DnsEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a dns entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/DnsEntityProperties",
+ "description": "Dns entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "DnsResolution"
+ },
+ "DnsEntityProperties": {
+ "allOf": [
 {
- "$ref": "#/parameters/ResourceGroupName"
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Dns entity property bag.",
+ "properties": {
+ "dnsServerIpEntityId": {
+ "description": "An ip entity id for the dns server resolving the request",
+ "readOnly": true,
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "domainName": {
+ "description": "The name of the dns record associated with the alert",
+ "readOnly": true,
+ "type": "string"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "hostIpAddressEntityId": {
+ "description": "An ip entity id for the dns request client",
+ "readOnly": true,
+ "type": "string"
 },
+ "ipAddressEntityIds": {
+ "description": "Ip entity identifiers for the resolved ip address.",
+ "items": {
+ "description": "Ip entity id",
+ "type": "string"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "Dynamics365DataConnector": {
+ "allOf": [
 {
- "$ref": "#/parameters/ThreatIntelligenceName"
+ "$ref": "#/definitions/DataConnector"
 }
 ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to view an indicator.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "description": "Represents Dynamics365 data connector.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/Dynamics365DataConnectorProperties",
+ "description": "Dynamics365 data connector properties.",
+ "x-ms-client-flatten": true
 }
- }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Dynamics365"
 },
- "put": {
- "x-ms-examples": {
- "Update a threat Intelligence indicator": {
- "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json"
+ "Dynamics365DataConnectorDataTypes": {
+ "description": "The available data types for Dynamics365 data connector.",
+ "properties": {
+ "dynamics365CdsActivities": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorDataTypeCommon"
+ }
+ ],
+ "description": "Common Data Service data type connection.",
+ "type": "object"
 }
 },
- "tags": [
- "ThreatIntelligence"
+ "type": "object",
+ "required": [
+ "dynamics365CdsActivities"
+ ]
+ },
+ "Dynamics365DataConnectorProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
 ],
- "description": "Update a threat Intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_Create",
- "parameters": [
+ "description": "Dynamics365 data connector properties.",
+ "properties": {
+ "dataTypes": {
+ "$ref": "#/definitions/Dynamics365DataConnectorDataTypes",
+ "description": "The available data types for the connector."
+ }
+ },
+ "required": [
+ "dataTypes"
+ ],
+ "type": "object"
+ },
+ "Dynamics365CheckRequirements": {
+ "allOf": [
 {
- "$ref": "#/parameters/ApiVersion"
- },
+ "$ref": "#/definitions/DataConnectorsCheckRequirements"
+ }
+ ],
+ "description": "Represents Dynamics365 requirements check request.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/Dynamics365CheckRequirementsProperties",
+ "description": "Dynamics365 requirements check properties.",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Dynamics365"
+ },
+ "Dynamics365CheckRequirementsProperties": {
+ "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "Dynamics365 requirements check properties.",
+ "type": "object"
+ },
+ "EnrichmentDomainWhois": {
+ "description": "Whois information for a given domain and associated metadata",
+ "properties": {
+ "domain": {
+ "description": "The domain for this whois record",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "server": {
+ "description": "The hostname of this registrar's whois server",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "created": {
+ "description": "The timestamp at which this record was created",
+ "format": "date-time",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "updated": {
+ "description": "The timestamp at which this record was last updated",
+ "format": "date-time",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
+ "expires": {
+ "description": "The timestamp at which this record will expire",
+ "format": "date-time",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceProperties"
+ "parsedWhois": {
+ "description": "The whois record for a given domain",
+ "$ref": "#/definitions/EnrichmentDomainWhoisDetails"
 }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
+ }
+ },
+ "EnrichmentDomainWhoisDetails": {
+ "description": "The whois record for a given domain",
+ "properties": {
+ "registrar": {
+ "description": "The registrar associated with this domain",
+ "$ref": "#/definitions/EnrichmentDomainWhoisRegistrarDetails"
 },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
+ "contacts": {
+ "description": "The set of contacts associated with this domain",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContacts"
+ },
+ "nameServers": {
+ "description": "A list of name servers associated with this domain",
+ "type": "array",
+ "items": {
+ "type": "string"
 }
 },
- "default": {
- "description": "Error response describing why the operation failed to update an indicator.",
- "schema": {
- "$ref": "#/definitions/CloudError"
+ "statuses": {
+ "description": "The set of status flags for this whois record",
+ "type": "array",
+ "items": {
+ "type": "string"
 }
 }
 }
 },
- "delete": {
- "x-ms-examples": {
- "Delete a threat intelligence indicator": {
- "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json"
- }
- },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Delete a threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_Delete",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ "EnrichmentDomainWhoisRegistrarDetails": {
+ "description": "The registrar associated with this domain",
+ "properties": {
+ "name": {
+ "description": "The name of this registrar",
+ "type": "string"
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "abuseContactEmail": {
+ "description": "This registrar's abuse contact email",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "abuseContactPhone": {
+ "description": "This registrar's abuse contact phone number",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "ianaId": {
+ "description": "This registrar's Internet Assigned Numbers Authority id",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "url": {
+ "description": "This registrar's URL",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
+ "whoisServer": {
+ "description": "The hostname of this registrar's whois server",
+ "type": "string"
 }
- ],
- "responses": {
- "200": {
- "description": "OK"
+ }
+ },
+ "EnrichmentDomainWhoisContacts": {
+ "description": "The set of contacts associated with this domain",
+ "properties": {
+ "admin": {
+ "description": "The admin contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
 },
- "204": {
- "description": "No Content"
+ "billing": {
+ "description": "The billing contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
 },
- "default": {
- "description": "Error response describing why the operation failed to delete an indicator.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "registrant": {
+ "description": "The registrant contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
+ },
+ "tech": {
+ "description": "The technical contact for this whois record",
+ "$ref": "#/definitions/EnrichmentDomainWhoisContact"
 }
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": {
- "post": {
- "x-ms-examples": {
- "Query threat intelligence indicators as per filtering criteria": {
- "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json"
- }
- },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Query threat intelligence indicators as per filtering criteria.",
- "operationId": "ThreatIntelligenceIndicator_QueryIndicators",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ },
+ "EnrichmentDomainWhoisContact": {
+ "description": "An individual contact associated with this domain",
+ "properties": {
+ "name": {
+ "description": "The name of this contact",
+ "type": "string"
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "org": {
+ "description": "The organization for this contact",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "street": {
+ "description": "A list describing the street address for this contact",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "city": {
+ "description": "The city for this contact",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "state": {
+ "description": "The state for this contact",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformationList"
- }
+ "postal": {
+ "description": "The postal code for this contact",
+ "type": "string"
 },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "country": {
+ "description": "The country for this contact",
+ "type": "string"
+ },
+ "phone": {
+ "description": "The phone number for this contact",
+ "type": "string"
+ },
+ "fax": {
+ "description": "The fax number for this contact",
+ "type": "string"
+ },
+ "email": {
+ "description": "The email address for this contact",
+ "type": "string"
 }
- },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": {
- "get": {
- "x-ms-examples": {
- "Get threat intelligence indicators metrics.": {
- "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json"
- }
- },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).",
- "operationId": "ThreatIntelligenceIndicatorMetrics_List",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ },
+ "EnrichmentIpGeodata": {
+ "description": "Geodata information for a given IP address",
+ "properties": {
+ "asn": {
+ "description": "The autonomous system number associated with this IP address",
+ "type": "string"
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "carrier": {
+ "description": "The name of the carrier for this IP address",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "city": {
+ "description": "The city this IP address is located in",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "cityCf": {
+ "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100",
+ "type": "integer",
+ "format": "int32"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceMetricsList"
- }
+ "continent": {
+ "description": "The continent this IP address is located on",
+ "type": "string"
 },
- "default": {
- "description": "Error response describing why the operation failed to get metrics.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": {
- "post": {
- "x-ms-examples": {
- "Append tags to a threat intelligence indicator": {
- "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json"
- }
- },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Append tags to a threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_AppendTags",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ "country": {
+ "description": "The county this IP address is located in",
+ "type": "string"
+ },
+ "countryCf": {
+ "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100",
+ "type": "integer",
+ "format": "int32"
+ },
+ "ipAddr": {
+ "description": "The dotted-decimal or colon-separated string representation of the IP address",
+ "type": "string"
+ },
+ "ipRoutingType": {
+ "description": "A description of the connection type of this IP address",
+ "type": "string"
+ },
+ "latitude": {
+ "description": "The latitude of this IP address",
+ "type": "string"
+ },
+ "longitude": {
+ "description": "The longitude of this IP address",
+ "type": "string"
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "organization": {
+ "description": "The name of the organization for this IP address",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "organizationType": {
+ "description": "The type of the organization for this IP address",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "region": {
+ "description": "The geographic region this IP address is located in",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "state": {
+ "description": "The state this IP address is located in",
+ "type": "string"
 },
+ "stateCf": {
+ "description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100",
+ "type": "integer",
+ "format": "int32"
+ },
+ "stateCode": {
+ "description": "The abbreviated name for the state this IP address is located in",
+ "type": "string"
+ }
+ }
+ },
+ "Entity": {
+ "allOf": [
 {
- "$ref": "#/parameters/ThreatIntelligenceName"
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
 },
 {
- "$ref": "#/parameters/ThreatIntelligenceAppendTags"
+ "$ref": "#/definitions/EntityKind"
 }
 ],
- "responses": {
- "200": {
- "description": "OK"
+ "description": "Specific entity.",
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "EntityEdges": {
+ "description": "The edge that connects the entity to the other entity.",
+ "properties": {
+ "targetEntityId": {
+ "description": "The target entity Id.",
+ "type": "string"
 },
- "default": {
- "description": "Error response describing why the operation failed to append tags.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": {
- "post": {
- "x-ms-examples": {
- "Replace tags to a Threat Intelligence": {
- "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json"
+ "additionalData": {
+ "additionalProperties": {
+ "type": "object"
+ },
+ "description": "A bag of custom fields that should be part of the entity and will be presented to the user.",
+ "type": "object"
 }
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Replace tags added to a threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_ReplaceTags",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
+ "type": "object"
+ },
+ "EntityCommonProperties": {
+ "description": "Entity common property bag.",
+ "properties": {
+ "additionalData": {
+ "additionalProperties": {
+ "type": "object"
+ },
+ "description": "A bag of custom fields that should be part of the entity and will be presented to the user.",
+ "readOnly": true,
+ "type": "object"
 },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "friendlyName": {
+ "description": "The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "EntityExpandParameters": {
+ "description": "The parameters required to execute an expand operation on the given entity.",
+ "properties": {
+ "endTime": {
+ "description": "The end date filter, so the only expansion results returned are before this date.",
+ "format": "date-time",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ResourceGroupName"
+ "expansionId": {
+ "description": "The Id of the expansion to perform.",
+ "format": "uuid",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "startTime": {
+ "description": "The start date filter, so the only expansion results returned are after this date.",
+ "format": "date-time",
+ "type": "string"
+ }
+ }
+ },
+ "EntityTimelineParameters": {
+ "description": "The parameters required to execute s timeline operation on the given entity.",
+ "properties": {
+ "kinds": {
+ "description": "Array of timeline Item kinds.",
+ "items": {
+ "$ref": "#/definitions/EntityTimelineKind"
+ },
+ "type": "array"
 },
- {
- "$ref": "#/parameters/WorkspaceName"
+ "startTime": {
+ "description": "The start timeline date, so the results returned are after this date.",
+ "format": "date-time",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
+ "endTime": {
+ "description": "The end timeline date, so the results returned are before this date.",
+ "format": "date-time",
+ "type": "string"
 },
- {
- "$ref": "#/parameters/ThreatIntelligenceReplaceTags"
+ "numberOfBucket": {
+ "description": "The number of bucket for timeline queries aggregation.",
+ "type": "integer",
+ "format": "int32"
 }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
+ },
+ "required": [
+ "startTime",
+ "endTime"
+ ]
+ },
+ "EntityExpandResponse": {
+ "description": "The entity expansion result operation response.",
+ "properties": {
+ "metaData": {
+ "$ref": "#/definitions/ExpansionResultsMetadata",
+ "description": "The metadata from the expansion operation results."
 },
- "default": {
- "description": "Error response describing why the operation failed to replace tags.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "value": {
+ "description": "The expansion result values.",
+ "properties": {
+ "entities": {
+ "description": "Array of the expansion result entities.",
+ "items": {
+ "$ref": "#/definitions/Entity"
+ },
+ "type": "array"
+ },
+ "edges": {
+ "description": "Array of edges that connects the entity to the list of entities.",
+ "items": {
+ "$ref": "#/definitions/EntityEdges"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
 }
 }
- }
- }
- },
- "definitions": {
- "MLBehaviorAnalyticsAlertRule": {
- "allOf": [
- {
- "$ref": "#/definitions/AlertRule"
- }
- ],
- "description": "Represents MLBehaviorAnalytics alert rule.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties",
- "description": "MLBehaviorAnalytics alert rule properties",
- "x-ms-client-flatten": true
- }
 },
- "type": "object",
- "x-ms-discriminator-value": "MLBehaviorAnalytics"
- },
- "MLBehaviorAnalyticsAlertRuleProperties": {
- "description": "MLBehaviorAnalytics alert rule base property bag.",
- "properties": {
- "alertRuleTemplateName": {
- "description": "The Name of the alert rule template used to create this rule.",
- "type": "string"
- },
- "description": {
- "description": "The description of the alert rule.",
- "readOnly": true,
- "type": "string"
- },
- "displayName": {
- "description": "The display name for alerts created by this alert rule.",
- "readOnly": true,
- "type": "string"
- },
- "enabled": {
- "description": "Determines whether this alert rule is enabled or disabled.",
- "type": "boolean"
- },
- "lastModifiedUtc": {
- "description": "The last time that this alert rule has been modified.",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "severity": {
- "$ref": "#/definitions/AlertSeverity",
- "description": "The severity for alerts created by this alert rule.",
- "readOnly": true
- },
- "tactics": {
- "description": "The tactics of the alert rule",
- "items": {
- "$ref": "#/definitions/AttackTactic"
- },
- "readOnly": true,
- "type": "array"
+ "EntityTimelineResponse": {
+ "description": "The entity timeline result operation response.",
+ "properties": {
+ "metaData": {
+ "$ref": "#/definitions/TimelineResultsMetadata",
+ "description": "The metadata from the timeline operation results."
+ }, + "value": { + "description": "The timeline result values.", + "items": { + "$ref": "#/definitions/EntityTimelineItem" + }, + "type": "array" + } } }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], - "type": "object" - }, - "MLBehaviorAnalyticsAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents MLBehaviorAnalytics alert rule template.", - "properties": { + "GetQueriesResponse": { + "description": "Retrieve queries for entity result operation response.", "properties": { - "allOf": [ + "value": { + "description": "The query result values.", + "items": { + "$ref": "#/definitions/EntityQueryItem" + }, + "type": "array" + } + } + }, + "EntityInnerKind": { + "description": "The kind of the entity", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DnsResolution", + "FileHash", + "Ip", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "Url", + "IoTDevice", + "SecurityAlert", + "Bookmark", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityKind", + "values": [ { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "MLBehaviorAnalytics alert rule template properties.", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." 
+ "description": "Entity represents account in the system.", + "value": "Account" }, - "tactics": { - "description": "The tactics of the alert rule template.", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" + { + "description": "Entity represents host in the system.", + "value": "Host" + }, + { + "description": "Entity represents file in the system.", + "value": "File" + }, + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns resolution in the system.", + "value": "DnsResolution" + }, + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": "Entity represents ip in the system.", + "value": "Ip" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, + { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "Url" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents bookmark in the system.", + "value": "Bookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity 
represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" } - }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true + ] } }, - "type": "object", - "x-ms-discriminator-value": "MLBehaviorAnalytics" - }, - "AADDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" + "EntityInnerType": { + "description": "The type of the entity", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DNS", + "FileHash", + "IP", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "IoTDevice", + "SecurityAlert", + "HuntingBookmark", + "MailCluster", + "MailMessage", + "Mailbox", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityType", + "values": [ + { + "description": "Entity represents account in the system.", + "value": "Account" + }, + { + "description": "Entity represents host in the system.", + "value": "Host" + }, + { + "description": "Entity represents file in the system.", + "value": "File" + }, + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" + }, + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" + }, + { + "description": "Entity represents dns in the system.", + "value": "DNS" + }, + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" + }, + { + "description": "Entity represents ip in the system.", + "value": "IP" + }, + { + "description": "Entity represents malware in the system.", + "value": "Malware" + }, + { + "description": "Entity represents process in the system.", + "value": "Process" + }, + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" + }, 
+ { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "URL" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents HuntingBookmark in the system.", + "value": "HuntingBookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" + } + ] } - ], - "description": "Represents AAD (Azure Active Directory) data connector.", - "properties": { + }, + "EntityKind": { + "description": "Describes an entity with kind.", "properties": { - "$ref": "#/definitions/AADDataConnectorProperties", - "description": "AAD (Azure Active Directory) data connector properties.", - "x-ms-client-flatten": true - } + "kind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the entity." 
+ } + }, + "required": [ + "kind" + ], + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "AzureActiveDirectory" - }, - "AADDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "EntityList": { + "description": "List of all the entities.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entities.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entities.", + "items": { + "$ref": "#/definitions/Entity" + }, + "type": "array" + } }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "AAD (Azure Active Directory) data connector properties.", - "type": "object" - }, - "AADCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents AAD (Azure Active Directory) requirements check request.", - "properties": { + "required": [ + "value" + ] + }, + "EntityQueryKind": { + "description": "Describes an Entity query resource with kind.", "properties": { - "$ref": "#/definitions/AADCheckRequirementsProperties", - "description": "AAD (Azure Active Directory) requirements check properties.", - "x-ms-client-flatten": true - } + "kind": { + "description": "The kind of the entity query", + "enum": [ + "Expansion", + "Insight" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityQueryKind", + "values": [ + { + "value": "Expansion" + }, + { + "value": "Insight" + } + ] + } + } + }, + "required": [ + "kind" + ], + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "AzureActiveDirectory" - }, - "AADCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "AAD (Azure Active Directory) requirements check properties.", - "type": "object" - }, - "AATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - 
"description": "Represents AATP (Azure Advanced Threat Protection) data connector.", - "properties": { + "EntityQuery": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/EntityQueryKind" + } + ], + "description": "Specific entity query.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "ExpansionEntityQuery": { + "description": "Represents Expansion entity query.", + "allOf": [ + { + "$ref": "#/definitions/EntityQuery" + } + ], "properties": { - "$ref": "#/definitions/AATPDataConnectorProperties", - "description": "AATP (Azure Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true + "properties": { + "$ref": "#/definitions/ExpansionEntityQueriesProperties", + "description": "Expansion entity query properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Expansion" + }, + "EntityTimelineKind": { + "description": "The entity query kind", + "enum": [ + "Activity", + "Bookmark", + "SecurityAlert" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityTimelineKind", + "values": [ + { + "description": "activity", + "value": "Activity" + }, + { + "description": "bookmarks", + "value": "Bookmark" + }, + { + "description": "security alerts", + "value": "SecurityAlert" + } + ] } }, - "type": "object", - "x-ms-discriminator-value": "AzureAdvancedThreatProtection" - }, - "AATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "AATP (Azure Advanced Threat Protection) data connector properties.", - "type": "object" - }, - "AATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.", - 
"properties": { + "EntityQueryList": { + "description": "List of all the entity queries.", "properties": { - "$ref": "#/definitions/AATPCheckRequirementsProperties", - "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": true - } + "nextLink": { + "description": "URL to fetch the next set of entity queries.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entity queries.", + "items": { + "$ref": "#/definitions/EntityQuery" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "type": "object", - "x-ms-discriminator-value": "AzureAdvancedThreatProtection" - }, - "AATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "AATP (Azure Advanced Threat Protection) requirements check properties.", - "type": "object" - }, - "MSTIDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Microsoft Threat Intelligence data connector.", - "properties": { + "ExpansionEntityQueriesProperties": { + "description": "Describes expansion entity query properties", "properties": { - "$ref": "#/definitions/MSTIDataConnectorProperties", - "description": "Microsoft Threat Intelligence data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatIntelligence" - }, - "MSTIDataConnectorDataTypes": { - "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.", - "properties": { - "bingSafetyPhishingURL": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "properties": { - "lookbackPeriod": { - "description": "lookback period", + "dataSources": { + "description": "List of the data sources that are required to run the query", + "items": { + "description": "data source", "type": "string" - } + }, + "type": "array" }, 
- "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", - "type": "object", - "required": [ - "lookbackPeriod" - ] - }, - "microsoftEmergingThreatFeed": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "properties": { - "lookbackPeriod": { - "description": "lookback period", + "displayName": { + "description": "The query display name", + "type": "string" + }, + "inputEntityType": { + "$ref": "#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "inputFields": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "input field", "type": "string" - } + }, + "type": "array" }, - "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", - "type": "object", - "required": [ - "lookbackPeriod" - ] - } - }, - "type": "object", - "required": [ - "bingSafetyPhishingURL", - "microsoftEmergingThreatFeed" - ] - }, - "MSTIDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Microsoft Threat Intelligence data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MSTIDataConnectorDataTypes", - "description": "The available data types for the connector." 
- } + "outputEntityTypes": { + "description": "List of the desired output types to be constructed from the result", + "items": { + "$ref": "#/definitions/EntityInnerType", + "description": "output entity type" + }, + "type": "array" + }, + "queryTemplate": { + "description": "The template query string to be parsed and formatted", + "type": "string" + } + }, + "type": "object" }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "MSTICheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents Microsoft Threat Intelligence requirements check request.", - "properties": { + "ExpansionResultAggregation": { + "description": "Information of a specific aggregation in the expansion result.", "properties": { - "$ref": "#/definitions/MSTICheckRequirementsProperties", - "description": "Microsoft Threat Intelligence requirements check properties.", - "x-ms-client-flatten": true - } + "aggregationType": { + "description": "The common type of the aggregation. (for e.g. entity field name)", + "type": "string" + }, + "count": { + "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", + "type": "integer" + }, + "displayName": { + "description": "The display name of the aggregation by type.", + "type": "string" + }, + "entityKind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." 
+ } + }, + "required": [ + "entityKind", + "count" + ], + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatIntelligence" - }, - "MSTICheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Microsoft Threat Intelligence requirements check properties.", - "type": "object" - }, - "MTPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MTP (Microsoft Threat Protection) data connector.", - "properties": { + "ExpansionResultsMetadata": { + "description": "Expansion result metadata.", "properties": { - "$ref": "#/definitions/MTPDataConnectorProperties", - "description": "MTP (Microsoft Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatProtection" - }, - "MTPDataConnectorDataTypes": { - "description": "The available data types for Microsoft Threat Protection Platforms data connector.", - "properties": { - "incidents": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for Microsoft Threat Protection Platforms data connector.", - "type": "object" - } - }, - "type": "object", - "required": [ - "incidents" - ] - }, - "MTPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MTP (Microsoft Threat Protection) data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MTPDataConnectorDataTypes", - "description": "The available data types for the connector." 
- } + "aggregations": { + "description": "Information of the aggregated nodes in the expansion result.", + "items": { + "$ref": "#/definitions/ExpansionResultAggregation" + }, + "type": "array" + } + }, + "type": "object" }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "MtpCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MTP (Microsoft Threat Protection) requirements check request.", - "properties": { + "ConnectedEntity": { + "description": "Expansion result connected entities", "properties": { - "$ref": "#/definitions/MTPCheckRequirementsProperties", - "description": "MTP (Microsoft Threat Protection) requirements check properties.", - "x-ms-client-flatten": true + "targetEntityId": { + "description": "Entity Id of the connected entity", + "type": "string" + }, + "additionalData": { + "description": "key-value pairs for a connected entity mapping", + "type": "object" + } } }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatProtection" - }, - "MTPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MTP (Microsoft Threat Protection) requirements check properties.", - "type": "object" - }, - "ASCDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents ASC (Azure Security Center) data connector.", - "properties": { + "TimelineResultsMetadata": { + "description": "Expansion result metadata.", "properties": { - "$ref": "#/definitions/ASCDataConnectorProperties", - "description": "ASC (Azure Security Center) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" - }, - "ASCDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "ASC (Azure Security Center) data connector 
properties.", - "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" - } + "totalCount": { + "description": "the total items found for the timeline request", + "type": "integer", + "format": "int32" + }, + "aggregations": { + "description": "timeline aggregation per kind", + "items": { + "$ref": "#/definitions/TimelineAggregation" + }, + "type": "array" + }, + "errors": { + "description": "information about the failure queries", + "items": { + "$ref": "#/definitions/TimelineError" + }, + "type": "array" + } + }, + "required": [ + "totalCount", + "aggregations" + ], + "type": "object" }, - "type": "object" - }, - "ASCCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents ASC (Azure Security Center) requirements check request.", - "properties": { + "TimelineError": { + "description": "Timeline Query Errors.", "properties": { - "$ref": "#/definitions/ASCCheckRequirementsProperties", - "description": "ASC (Azure Security Center) requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" - }, - "ASCCheckRequirementsProperties": { - "description": "ASC (Azure Security Center) requirements check properties.", - "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" - } + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + }, + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" }, - "type": "object" - }, - "AccountEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an account entity.", - 
"properties": { + "TimelineAggregation": { + "description": "timeline aggregation information per kind", "properties": { - "$ref": "#/definitions/AccountEntityProperties", - "description": "Account entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Account" - }, - "AccountEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Account entity property bag.", - "properties": { - "aadTenantId": { - "description": "The Azure Active Directory tenant id.", - "readOnly": true, - "type": "string" - }, - "aadUserId": { - "description": "The Azure Active Directory user id.", - "readOnly": true, - "type": "string" - }, - "accountName": { - "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name of the account.", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", - "readOnly": true, - "type": "string" - }, - "isDomainJoined": { - "description": "Determines whether this is a domain account.", - "readOnly": true, - "type": "boolean" - }, - "ntDomain": { - "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. Examples: NT AUTHORITY.", - "readOnly": true, - "type": "string" - }, - "objectGuid": { - "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "puid": { - "description": "The Azure Active Directory Passport User ID.", - "readOnly": true, - "type": "string" - }, - "sid": { - "description": "The account security identifier, e.g. 
S-1-5-18.", - "readOnly": true, - "type": "string" - }, - "upnSuffix": { - "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", - "readOnly": true, - "type": "string" - }, - "dnsDomain": { - "description": "The fully qualified domain DNS name.", - "readOnly": true, - "type": "string" - } + "count": { + "description": "the total items found for a kind", + "type": "integer", + "format": "int32" + }, + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + } + }, + "required": [ + "kind", + "count" + ], + "type": "object" }, - "type": "object" - }, - "ActionRequest": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Action for alert rule.", - "properties": { + "EntityTimelineItem": { + "description": "Entity timeline Item.", + "discriminator": "kind", + "type": "object", "properties": { - "$ref": "#/definitions/ActionRequestProperties", - "description": "Action properties for put request", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "ActionPropertiesBase": { - "description": "Action property bag base.", - "properties": { - "logicAppResourceId": { - "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", - "type": "string" - } - }, - "required": [ - "logicAppResourceId" - ], - "type": "object" - }, - "ActionRequestProperties": { - "allOf": [ - { - "$ref": "#/definitions/ActionPropertiesBase" - } - ], - "description": "Action property bag.", - "properties": { - "triggerUri": { - "description": "Logic App Callback URL for this specific workflow.", - "type": "string" - } - }, - "required": [ - "triggerUri" - ], - "type": "object" - }, - "ActionResponse": { - "allOf": [ - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - } - ], - "description": "Action for alert rule.", - "properties": { - "etag": { - "description": "Etag of the action.", - "type": "string" + "kind": { + "$ref": "#/definitions/EntityTimelineKind", + "description": "The entity query kind type." + } }, - "properties": { - "$ref": "#/definitions/ActionResponseProperties", - "description": "Action properties for get request", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "ActionResponseProperties": { - "allOf": [ - { - "$ref": "#/definitions/ActionPropertiesBase" - } - ], - "description": "Action property bag.", - "properties": { - "workflowId": { - "description": "The name of the logic app's workflow.", - "type": "string" - } - }, - "type": "object" - }, - "ActionsList": { - "description": "List all the actions.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of actions.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of actions.", - "items": { - "$ref": "#/definitions/ActionResponse" - }, - "type": "array" - } + "required": [ + "kind" + ] }, - "required": [ - "value" - ] - }, - "Aggregations": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + "FileEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } }, - { - "$ref": "#/definitions/AggregationsKind" - } - ], - "description": "The aggregation.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AggregationsKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the setting", - "enum": [ - "CasesAggregation" - 
], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AggregationsKind" + "type": "object", + "x-ms-discriminator-value": "File" + }, + "FileEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" } - } + ], + "description": "File entity property bag.", + "properties": { + "directory": { + "description": "The full path to the file.", + "readOnly": true, + "type": "string" + }, + "fileHashEntityIds": { + "description": "The file hash entity identifiers associated with this file", + "items": { + "description": "file hash id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "fileName": { + "description": "The file name without path (some alerts might not include path).", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id which the file belongs to", + "readOnly": true, + "type": "string" + } + }, + "type": "object" }, - "required": [ - "kind" - ], - "type": "object" - }, - "AlertRule": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "FileHashEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file hash entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileHashEntityProperties", + "description": "FileHash entity properties", + "x-ms-client-flatten": true + } }, - { - "$ref": "#/definitions/AlertRuleKind" - } - ], - "description": "Alert rule.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the alert rule", - "enum": [ - "Scheduled", - "MicrosoftSecurityIncidentCreation", - "Fusion", - "MLBehaviorAnalytics", - "ThreatIntelligence" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertRuleKind", - "values": [ - { - "value": "Scheduled" 
- }, - { - "value": "MicrosoftSecurityIncidentCreation" - }, - { - "value": "Fusion" - }, - { - "value": "MLBehaviorAnalytics" - }, - { - "value": "ThreatIntelligence" - } - ] + "type": "object", + "x-ms-discriminator-value": "FileHash" + }, + "FileHashEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "FileHash entity property bag.", + "properties": { + "algorithm": { + "description": "The hash algorithm type.", + "enum": [ + "Unknown", + "MD5", + "SHA1", + "SHA256", + "SHA256AC" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "FileHashAlgorithm", + "values": [ + { + "description": "Unknown hash algorithm", + "value": "Unknown" + }, + { + "description": "MD5 hash type", + "value": "MD5" + }, + { + "description": "SHA1 hash type", + "value": "SHA1" + }, + { + "description": "SHA256 hash type", + "value": "SHA256" + }, + { + "description": "SHA256 Authenticode hash type", + "value": "SHA256AC" + } + ] + } + }, + "hashValue": { + "description": "The file hash value.", + "readOnly": true, + "type": "string" } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "AlertRuleTemplate": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - }, - { - "$ref": "#/definitions/AlertRuleKind" - } - ], - "description": "Alert rule template.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleTemplateDataSource": { - "description": "alert rule template data sources", - "properties": { - "connectorId": { - "description": "The connector id that provides the following data types", - "type": "string" }, - "dataTypes": { - "description": "The data types used by the alert rule template", - "items": { - "type": "string" - }, - "type": "array" - } + "type": "object" }, - "type": "object" - }, - "AlertRuleTemplatePropertiesBase": { - "description": "Base alert rule 
template property bag.", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "type": "integer" - }, - "lastUpdatedDateUTC": { - "description": "The last time that this alert rule template has been updated.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the alert rule template.", - "type": "string" - }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" - }, - "requiredDataConnectors": { - "description": "The required data sources for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" - }, - "status": { - "description": "The alert rule template status.", - "enum": [ - "Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. 
and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] + "InsightQueryItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItem" } - } + ], + "description": "Represents Insight Query.", + "properties": { + "properties": { + "description": "Properties bag for InsightQueryItem", + "$ref": "#/definitions/InsightQueryItemProperties" + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" }, - "type": "object" - }, - "AlertRuleTemplatesList": { - "description": "List all the alert rule templates.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rule templates.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rule templates.", - "items": { - "$ref": "#/definitions/AlertRuleTemplate" + "InsightQueryItemProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItemProperties" + } + ], + "description": "Represents Insight Query.", + "properties": { + "displayName": { + "type": "string", + "description": "The insight display name." }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertRuleTriggerOperator": { - "description": "The operation against the threshold that triggers alert rule.", - "enum": [ - "GreaterThan", - "LessThan", - "Equal", - "NotEqual" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TriggerOperator" - } - }, - "AlertRulesList": { - "description": "List all the alert rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rules.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rules.", - "items": { - "$ref": "#/definitions/AlertRule" + "description": { + "type": "string", + "description": "The insight description." 
}, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" + "baseQuery": { + "type": "string", + "description": "The base query of the insight." }, - { - "description": "Medium severity", - "value": "Medium" + "tableQuery": { + "type": "object", + "description": "The insight table query.", + "properties": { + "columnsDefinitions": { + "type": "array", + "description": "List of insight column definitions.", + "items": { + "properties": { + "header": { + "type": "string", + "description": "Insight column header." + }, + "outputType": { + "type": "string", + "description": "Insights Column type.", + "enum": [ + "Number", + "String", + "Date", + "Entity" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "outputType" + } + }, + "supportDeepLink": { + "type": "boolean", + "description": "Is query supports deep-link." + } + } + } + }, + "queriesDefinitions": { + "type": "array", + "description": "List of insight queries definitions.", + "items": { + "properties": { + "filter": { + "type": "string", + "description": "Insight column header." + }, + "summarize": { + "type": "string", + "description": "Insight column header." + }, + "project": { + "type": "string", + "description": "Insight column header." + }, + "linkColumnsDefinitions": { + "type": "array", + "description": "Insight column header.", + "items": { + "properties": { + "projectedName": { + "type": "string", + "description": "Insight Link Definition Projected Name." + }, + "Query": { + "type": "string", + "description": "Insight Link Definition Query." 
+ } + } + } + } + } + } + } + } }, - { - "description": "Low severity", - "value": "Low" + "chartQuery": { + "type": "object", + "description": "The insight chart query." }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "additionalQuery": { + "type": "object", + "description": "The activity query definitions.", + "properties": { + "query": { + "type": "string", + "description": "The insight query." + }, + "text": { + "type": "string", + "description": "The insight text." + } } - ], - "description": "Alerts data type connection.", - "type": "object" - } - }, - "type": "object", - "required": [ - "alerts" - ] - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact", - "PreAttack" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "AwsCloudTrailDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Amazon Web Services CloudTrail data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", - "description": "Amazon Web Services CloudTrail data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AwsCloudTrailDataConnectorDataTypes": { - "description": "The available data types for Amazon Web Services CloudTrail data connector.", - "properties": { - "logs": { - "allOf": [ - { - "$ref": 
"#/definitions/DataConnectorDataTypeCommon" + }, + "defaultTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "The padding for the start time of the query." + }, + "afterRange": { + "type": "string", + "description": "The padding for the end time of the query." + } } - ], - "description": "Logs data type.", - "type": "object" - } - }, - "type": "object", - "required": [ - "logs" - ] - }, - "AwsCloudTrailDataConnectorProperties": { - "description": "Amazon Web Services CloudTrail data connector properties.", - "properties": { - "awsRoleArn": { - "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", - "type": "string" - }, - "dataTypes": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "AwsCloudTrailCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Amazon Web Services CloudTrail requirements check request.", - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AzureResourceEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an azure resource entity.", - "properties": { - "properties": { - "$ref": "#/definitions/AzureResourceEntityProperties", - "description": "AzureResource entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureResource" - }, - "AzureResourceEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "AzureResource entity property bag.", - "properties": { - "resourceId": { - "description": "The azure resource id of the resource", - "readOnly": true, - "type": "string" - }, - 
"subscriptionId": { - "description": "The subscription id of the resource", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "RelationBase": { - "type": "object", - "description": "Represents a relation", - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - }, - { - "type": "object", - "properties": { - "kind": { - "type": "string", - "description": "The type of relation node", - "readOnly": true, - "enum": [ - "CasesToBookmarks" - ], - "x-ms-enum": { - "name": "RelationTypes", - "modelAsString": true, - "values": [ - { - "value": "CasesToBookmarks", - "description": "Relations between cases and bookmarks" - } - ] + }, + "referenceTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "Additional query time for looking back." } - }, - "etag": { - "type": "string", - "description": "ETag for relation" } } - } - ] - }, - "CaseRelationList": { - "description": "List of case relations.", - "properties": { - "nextLink": { - "readOnly": true, - "description": "URL to fetch the next set of relations.", - "type": "string" - }, - "value": { - "description": "Array of relations.", - "type": "array", - "items": { - "$ref": "#/definitions/CaseRelation" - } - } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" }, - "required": [ - "value" - ] - }, - "CaseRelation": { - "type": "object", - "description": "Represents a case relation", - "allOf": [ - { - "$ref": "#/definitions/RelationBase" - } - ], - "properties": { + "ActivityTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents Activity timeline item.", "properties": { - "x-ms-client-flatten": true, - "description": "Case relation properties", - "$ref": "#/definitions/CaseRelationProperties" - } - } - }, - "CaseRelationProperties": { - "type": "object", - "description": 
"Case relation properties", - "properties": { - "relationName": { - "type": "string", - "description": "Name of relation" - }, - "bookmarkId": { - "type": "string", - "description": "The case related bookmark id" - }, - "caseIdentifier": { - "type": "string", - "description": "The case identifier" - }, - "bookmarkName": { - "type": "string", - "description": "The case related bookmark name" - } + "queryId": { + "type": "string", + "description": "The activity query id." + }, + "bucketStartTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket start time." + }, + "bucketEndTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket end time." + }, + "firstActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the first activity in the grouping bucket." + }, + "lastActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the last activity in the grouping bucket." + }, + "content": { + "type": "string", + "description": "The activity timeline content." + }, + "title": { + "type": "string", + "description": "The activity timeline title." 
+ } + }, + "required": [ + "queryId", + "bucketStartTimeUTC", + "bucketEndTimeUTC", + "firstActivityTimeUTC", + "lastActivityTimeUTC", + "content", + "title" + ], + "type": "object", + "x-ms-discriminator-value": "Activity" }, - "required": [ - "relationName", - "caseIdentifier", - "bookmarkId" - ] - }, - "RelationsModelInput": { - "type": "object", - "description": "Relation input model", - "allOf": [ - { - "$ref": "#/definitions/RelationBase" - } - ], - "properties": { + "SecurityAlertTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents security alert timeline item.", "properties": { - "x-ms-client-flatten": true, - "description": "Relation input properties", - "$ref": "#/definitions/RelationsModelInputProperties" - } - } - }, - "RelationsModelInputProperties": { - "type": "object", - "description": "Relation input properties", - "properties": { - "relationName": { - "type": "string", - "description": "Name of relation" - }, - "sourceRelationNode": { - "type": "object", - "description": "Relation source node", - "$ref": "#/definitions/RelationNode" - }, - "targetRelationNode": { - "type": "object", - "description": "Relation target node", - "$ref": "#/definitions/RelationNode" - } - } - }, - "RelationNode": { - "type": "object", - "description": "Relation node", - "properties": { - "relationNodeId": { - "type": "string", - "description": "Relation Node Id" - }, - "relationNodeKind": { - "type": "string", - "description": "The type of relation node", - "readOnly": true, - "enum": [ - "Case", - "Bookmark" - ], - "x-ms-enum": { - "name": "RelationNodeKind", - "modelAsString": true, - "values": [ - { - "value": "Case", - "description": "Case node part of the relation" - }, - { - "value": "Bookmark", - "description": "Bookmark node part of the relation" - } - ] + "azureResourceId": { + "type": "string", + "description": "The alert azure resource id." 
+ }, + "productName": { + "type": "string", + "description": "The alert product name." + }, + "description": { + "type": "string", + "description": "The alert description." + }, + "displayName": { + "type": "string", + "description": "The alert name." + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The alert severity." + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert start time." + }, + "timeGenerated": { + "format": "date-time", + "type": "string", + "description": "The alert generated time." + }, + "alertType": { + "type": "string", + "description": "The name of the alert type." } }, - "etag": { - "type": "string", - "description": "Etag for relation node" - }, - "relationAdditionalProperties": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "Additional set of properties" - } - } - }, - "Bookmark": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a bookmark in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/BookmarkProperties", - "description": "Bookmark properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "BookmarkList": { - "description": "List all the bookmarks.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of cases.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of bookmarks.", - "items": { - "$ref": "#/definitions/Bookmark" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "BookmarkProperties": { - "description": "Describes bookmark properties", - "properties": { - "created": { - "description": "The time the bookmark was created", - "format": "date-time", - "type": "string" - }, - "createdBy": { - 
"$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" - }, - "query": { - "description": "The query of the bookmark.", - "type": "string" - }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" - }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" - }, - "eventTime": { - "description": "The bookmark event time", - "format": "date-time", - "type": "string" - }, - "queryStartTime": { - "description": "The start time for the query", - "format": "date-time", - "type": "string" - }, - "queryEndTime": { - "description": "The end time for the query", - "format": "date-time", - "type": "string" - }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" - } + "required": [ + "azureResourceId", + "displayName", + "severity", + "endTimeUtc", + "startTimeUtc", + "timeGenerated", + "alertType" + ], + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" }, - "required": [ - "displayName", - "query" - ], - "type": "object" - }, - "BookmarkExpandParameters": { - "description": "The parameters required to execute an expand operation on the given bookmark.", - "properties": { - "endTime": { - "description": "The end date filter, so the only expansion results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "expansionId": 
{ - "description": "The Id of the expansion to perform.", - "format": "uuid", - "type": "string" - }, - "startTime": { - "description": "The start date filter, so the only expansion results returned are after this date.", - "format": "date-time", - "type": "string" - } - } - }, - "BookmarkExpandResponse": { - "description": "The entity expansion result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/ExpansionResultsMetadata", - "description": "The metadata from the expansion operation results." - }, - "value": { - "description": "The expansion result values.", - "properties": { - "entities": { - "description": "Array of the expansion result entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - }, - "edges": { - "description": "Array of expansion result connected entities", - "items": { - "$ref": "#/definitions/ConnectedEntity" - }, - "type": "array" - } + "BookmarkTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents bookmark timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The bookmark azure resource id." }, - "type": "object" - } - } - }, - "Case": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a case in Azure Security Insights.", - "properties": { + "displayName": { + "type": "string", + "description": "The bookmark display name." + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The bookmark end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "TThe bookmark start time." + }, + "eventTime": { + "format": "date-time", + "type": "string", + "description": "The bookmark event time." 
+ }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + } + }, + "required": [ + "azureResourceId" + ], + "type": "object", + "x-ms-discriminator-value": "Bookmark" + }, + "FusionAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Fusion alert rule.", "properties": { - "$ref": "#/definitions/CaseProperties", - "description": "Case properties", - "x-ms-client-flatten": true - } + "properties": { + "$ref": "#/definitions/FusionAlertRuleProperties", + "description": "Fusion alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Fusion" }, - "type": "object" - }, - "CaseComment": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - } - ], - "description": "Represents a case comment", - "properties": { + "FusionAlertRuleProperties": { + "description": "Fusion alert rule base property bag.", "properties": { - "$ref": "#/definitions/CaseCommentProperties", - "description": "Case comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "CaseCommentList": { - "description": "List of case comments.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/CaseComment" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "CaseCommentProperties": { - "description": "Case comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - 
"message": { - "description": "The comment message", - "type": "string" - }, - "userInfo": { - "$ref": "#/definitions/UserInfo", - "description": "Describes the user that created the comment", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "CaseList": { - "description": "List all the cases.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of cases.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of cases.", - "items": { - "$ref": "#/definitions/Case" - }, - "type": "array" - } + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" }, - "required": [ - "value" - ] - }, - "CaseProperties": { - "description": "Describes case properties", - "properties": { - "caseNumber": { - "description": "a sequential number", - "readOnly": true, - "type": "integer" - }, - "closeReason": { - "description": "The reason the case was closed", - "enum": [ - 
"Resolved", - "Dismissed", - "TruePositive", - "FalsePositive", - "Other" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CloseReason", - "values": [ - { - "description": "Case was resolved", - "value": "Resolved" - }, - { - "description": "Case was dismissed", - "value": "Dismissed" - }, - { - "description": "Case was true positive", - "value": "TruePositive" - }, + "FusionAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents Fusion alert rule template.", + "properties": { + "properties": { + "allOf": [ { - "description": "Case was false positive", - "value": "FalsePositive" + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "Fusion alert rule template properties", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." }, - { - "description": "Case was closed for another reason", - "value": "Other" + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" } - ] + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true } }, - "closedReasonText": { - "description": "the case close reason details", - "type": "string" - }, - "createdTimeUtc": { - "description": "The time the case was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the case", - "type": "string" - }, - "endTimeUtc": { - "description": "The end time of the case", - "format": "date-time", - "type": "string" + "type": "object", + "x-ms-discriminator-value": "Fusion" + }, + "ThreatIntelligenceAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents Threat Intelligence alert 
rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties", + "description": "Threat Intelligence alert rule properties", + "x-ms-client-flatten": true + } }, - "labels": { - "description": "List of labels relevant to this case", - "items": { - "$ref": "#/definitions/Label" + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "ThreatIntelligenceAlertRuleProperties": { + "description": "Threat Intelligence alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" }, - "type": "array" - }, - "lastComment": { - "description": "the last comment in the case", - "readOnly": true, - "type": "string" - }, - "lastUpdatedTimeUtc": { - "description": "The last time the case was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "metrics": { - "description": "Dictionary of metrics, for example the number of alerts in the case", - "type": "object", - "additionalProperties": { - "type": "integer", - "format": "int32" + "description": { + "description": "The description of the alert rule.", + "readOnly": true, + "type": "string" }, - "readOnly": true - }, - "owner": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that the case is assigned to", - "type": "object" - }, - "relatedAlertIds": { - "description": "List of related alert identifiers", - "items": { - "description": "related alert id", + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "readOnly": true, "type": "string" }, - "readOnly": true, - "type": "array" - }, - "relatedAlertProductNames": { - "description": "List of related alert product names", - "items": { - "description": "related alert product name", + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + 
"lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, "type": "string" }, - "readOnly": true, - "type": "array" - }, - "tactics": { - "description": "The tactics associated with case", - "items": { - "$ref": "#/definitions/AttackTactic" + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule.", + "readOnly": true }, - "readOnly": true, - "type": "array" - }, - "severity": { - "description": "The severity of the case", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" } }, - "startTimeUtc": { - "description": "The start time of the case", - "format": "date-time", - "type": "string" - }, - "status": { - "description": "The status of the case", - "enum": [ - "Draft", - "New", - "InProgress", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseStatus", - "values": [ - { - "description": "Case that wasn't promoted yet to active", - "value": "Draft" - }, - { - "description": "An active case which isn't handled currently", - "value": "New" - }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "type": "object" + }, + "ThreatIntelligenceAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents 
Threat Intelligence alert rule template.", + "properties": { + "properties": { + "allOf": [ { - "description": "An active case which is handled", - "value": "InProgress" + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + } + ], + "description": "Threat Intelligence alert rule template properties", + "properties": { + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." }, - { - "description": "A non active case", - "value": "Closed" + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" } - ] + }, + "required": [ + "displayName", + "description", + "status", + "severity", + "alertRulesCreatedByTemplateCount" + ], + "x-ms-client-flatten": true } }, - "title": { - "description": "The title of the case", - "type": "string" - }, - "totalComments": { - "description": "the number of total comments in the case", - "readOnly": true, - "type": "integer" - } + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "CasesAggregation": { - "allOf": [ - { - "$ref": "#/definitions/Aggregations" - } - ], - "description": "Represents aggregations results for cases.", - "properties": { + "GeoLocation": { + "description": "The geo-location context attached to the ip entity", "properties": { - "$ref": "#/definitions/CasesAggregationProperties", - "description": "Properties of aggregations results of cases.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "CasesAggregation" - }, - "CasesAggregationBySeverityProperties": { - "description": "Aggregative results of cases by severity property bag.", - "properties": { - "totalCriticalSeverity": { - "description": "Total amount of open cases with severity Critical", - "readOnly": true, - "type": "integer" - }, - 
"totalHighSeverity": { - "description": "Total amount of open cases with severity High", - "readOnly": true, - "type": "integer" - }, - "totalInformationalSeverity": { - "description": "Total amount of open cases with severity Informational", - "readOnly": true, - "type": "integer" - }, - "totalLowSeverity": { - "description": "Total amount of open cases with severity Low", - "readOnly": true, - "type": "integer" - }, - "totalMediumSeverity": { - "description": "Total amount of open cases with severity medium", - "readOnly": true, - "type": "integer" - } + "asn": { + "description": "Autonomous System Number", + "readOnly": true, + "type": "integer" + }, + "city": { + "description": "City name", + "readOnly": true, + "type": "string" + }, + "countryCode": { + "description": "The country code according to ISO 3166 format", + "readOnly": true, + "type": "string" + }, + "countryName": { + "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", + "readOnly": true, + "type": "string" + }, + "latitude": { + "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "longitude": { + "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. 
Latitude and longitude are derived from the city or postal code.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "state": { + "description": "State name", + "readOnly": true, + "type": "string" + } + }, + "readOnly": true, + "type": "object" }, - "type": "object" - }, - "CasesAggregationByStatusProperties": { - "description": "Aggregative results of cases by status property bag.", - "properties": { - "totalDismissedStatus": { - "description": "Total amount of closed cases with status Dismissed", - "readOnly": true, - "type": "integer" - }, - "totalInProgressStatus": { - "description": "Total amount of open cases with status InProgress", - "readOnly": true, - "type": "integer" - }, - "totalNewStatus": { - "description": "Total amount of open cases with status New", - "readOnly": true, - "type": "integer" - }, - "totalResolvedStatus": { - "description": "Total amount of closed cases with status Resolved", - "readOnly": true, - "type": "integer" - }, - "totalFalsePositiveStatus": { - "description": "Total amount of closed cases with status Closed and Close reason of False positive", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "totalTruePositiveStatus": { - "description": "Total amount of closed cases with status Closed and Close reason of True positive", - "readOnly": true, - "type": "integer", - "format": "int32" - } + "HostEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a host entity.", + "properties": { + "properties": { + "$ref": "#/definitions/HostEntityProperties", + "description": "Host entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Host" }, - "type": "object" - }, - "CasesAggregationProperties": { - "description": "Aggregative results of cases property bag.", - "properties": { - "aggregationBySeverity": { - "$ref": "#/definitions/CasesAggregationBySeverityProperties", - "description": "Aggregations 
results by case severity." - }, - "aggregationByStatus": { - "$ref": "#/definitions/CasesAggregationByStatusProperties", - "description": "Aggregations results by case status." - } + "HostEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Host entity property bag.", + "properties": { + "azureID": { + "description": "The azure resource id of the VM.", + "readOnly": true, + "type": "string" + }, + "dnsDomain": { + "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain", + "readOnly": true, + "type": "string" + }, + "hostName": { + "description": "The hostname without the domain suffix.", + "readOnly": true, + "type": "string" + }, + "isDomainJoined": { + "description": "Determines whether this host belongs to a domain.", + "readOnly": true, + "type": "boolean" + }, + "netBiosName": { + "description": "The host name (pre-windows2000).", + "readOnly": true, + "type": "string" + }, + "ntDomain": { + "description": "The NT domain that this host belongs to.", + "readOnly": true, + "type": "string" + }, + "omsAgentID": { + "description": "The OMS agent id, if the host has OMS agent installed.", + "readOnly": true, + "type": "string" + }, + "osFamily": { + "description": "The operating system type.", + "enum": [ + "Linux", + "Windows", + "Android", + "IOS", + "Unknown" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "OSFamily", + "values": [ + { + "description": "Host with Linux operating system.", + "value": "Linux" + }, + { + "description": "Host with Windows operating system.", + "value": "Windows" + }, + { + "description": "Host with Android operating system.", + "value": "Android" + }, + { + "description": "Host with IOS operating system.", + "value": "IOS" + }, + { + "description": "Host with Unknown operating system.", + "value": "Unknown" + } + ] + } + }, + "osVersion": { + "description": "A free text representation of 
the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", + "readOnly": true, + "type": "string" + } + }, + "type": "object" }, - "type": "object" - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" - }, - "name": { - "description": "The name of the client.", - "type": "string" - }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } + "Incident": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an incident in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/IncidentProperties", + "description": "Incident properties", + "x-ms-client-flatten": true + } + }, + "type": "object" }, - "type": "object" - }, - "CloudApplicationEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a cloud application entity.", - "properties": { + "HuntingBookmark": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a Hunting bookmark entity.", "properties": { - "$ref": "#/definitions/CloudApplicationEntityProperties", - "description": "CloudApplication entity properties", - "x-ms-client-flatten": true - } + "properties": { + "$ref": "#/definitions/HuntingBookmarkProperties", + "description": "HuntingBookmark entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Bookmark" }, - "type": "object", - "x-ms-discriminator-value": "CloudApplication" - }, - "CloudApplicationEntityProperties": { - "allOf": [ - { - "$ref": 
"#/definitions/EntityCommonProperties" - } - ], - "description": "CloudApplication entity property bag.", - "properties": { - "appId": { - "description": "The technical identifier of the application.", - "readOnly": true, - "type": "integer" - }, - "appName": { - "description": "The name of the related cloud application.", - "readOnly": true, - "type": "string" - }, - "instanceName": { - "description": "The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.", - "readOnly": true, - "type": "string" - } + "HuntingBookmarkProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, + "eventTime": { + "description": "The time of the event", + "format": "date-time", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "incidentInfo": { + "$ref": "#/definitions/IncidentInfo", + "description": 
"Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" }, - "type": "object" - }, - "CloudError": { - "description": "Error response structure.", - "properties": { - "error": { - "$ref": "#/definitions/CloudErrorBody", - "description": "Error data", - "x-ms-client-flatten": true - } + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", + "properties": { + "alertsCount": { + "description": "The number of alerts in the incident", + "readOnly": true, + "type": "integer" + }, + "bookmarksCount": { + "description": "The number of bookmarks in the incident", + "readOnly": true, + "type": "integer" + }, + "commentsCount": { + "description": "The number of comments in the incident", + "readOnly": true, + "type": "integer" + }, + "alertProductNames": { + "description": "List of product names of alerts in the incident", + "items": { + "description": "Alert product name", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with incident", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" }, - "type": "object", - "x-ms-external": true - }, - "CloudErrorBody": { - "description": "Error details.", - "properties": { - "code": { - "description": "An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "A message describing the error, intended to be suitable for display in a user interface.", - "readOnly": true, - "type": "string" - } + "IncidentAlertList": { + "description": "List of incident alerts.", + "properties": { + "value": { + "description": "Array of incident alerts.", + "type": "array", + "items": { + "$ref": "#/definitions/SecurityAlert" + } + } + }, + "required": [ + "value" + ] }, - "type": "object", - "x-ms-external": true - }, - "DataConnector": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "IncidentBookmarkList": { + "description": "List of incident bookmarks.", + "properties": { + "value": { + "description": "Array of incident bookmarks.", + "type": "array", + "items": { + "$ref": "#/definitions/HuntingBookmark" + } + } }, - { - "$ref": "#/definitions/DataConnectorKind" - } - ], - "description": "Data connector.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "DataConnectorsCheckRequirements": { - "description": "Data connector requirements properties.", - "properties": { - "kind": { - "$ref": "#/definitions/DataConnectorKind", - "description": "Describes the kind of connector to be checked." 
- } + "required": [ + "value" + ] }, - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "DataConnectorAuthorizationState": { - "description": "Describes the state of user's authorization for a connector kind.", - "enum": [ - "Valid", - "Invalid" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorAuthorizationState", - "values": [ + "IncidentComment": { + "allOf": [ { - "value": "Valid" + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an incident comment", + "properties": { + "properties": { + "$ref": "#/definitions/IncidentCommentProperties", + "description": "Incident comment properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "IncidentCommentList": { + "description": "List of incident comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" }, - { - "value": "Invalid" + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/IncidentComment" + }, + "type": "array" } + }, + "required": [ + "value" ] - } - }, - "DataConnectorLicenseState": { - "description": "Describes the state of user's license for a connector kind.", - "enum": [ - "Valid", - "Invalid", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorLicenseState", - "values": [ - { - "value": "Valid" + }, + "IncidentCommentProperties": { + "description": "Incident comment property bag.", + "properties": { + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "value": "Invalid" + "lastModifiedTimeUtc": { + "description": "The time the comment was updated", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "value": "Unknown" - } - ] - } - }, - 
"DataConnectorDataTypeCommon": { - "description": "Common field for data type in data connectors.", - "properties": { - "state": { - "description": "Describe whether this data type connection is enabled or not.", - "enum": [ - "Enabled", - "Disabled" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataTypeState" + "message": { + "description": "The comment message", + "type": "string" + }, + "author": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that created the comment", + "readOnly": true, + "type": "object" } - } + }, + "required": [ + "message" + ], + "type": "object" }, - "type": "object", - "required": [ - "state" - ] - }, - "DataConnectorKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the data connector", - "enum": [ - "AzureActiveDirectory", - "AzureSecurityCenter", - "MicrosoftCloudAppSecurity", - "ThreatIntelligence", - "ThreatIntelligenceTaxii", - "Office365", - "OfficeATP", - "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", - "MicrosoftDefenderAdvancedThreatProtection", - "Dynamics365", - "MicrosoftThreatProtection", - "MicrosoftThreatIntelligence" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorKind", - "values": [ - { - "value": "AzureActiveDirectory" - }, - { - "value": "AzureSecurityCenter" - }, - { - "value": "MicrosoftCloudAppSecurity" - }, - { - "value": "ThreatIntelligence" - }, - { - "value": "ThreatIntelligenceTaxii" - }, - { - "value": "Office365" - }, - { - "value": "OfficeATP" - }, - { - "value": "AmazonWebServicesCloudTrail" - }, - { - "value": "AzureAdvancedThreatProtection" - }, - { - "value": "MicrosoftDefenderAdvancedThreatProtection" - }, - { - "value": "Dynamics365" - }, - { - "value": "MicrosoftThreatProtection" - }, - { - "value": "MicrosoftThreatIntelligence" - } - ] + "IncidentEntitiesResponse": { + "description": "The incident 
related entities response.", + "properties": { + "entities": { + "description": "Array of the incident related entities.", + "type": "array", + "items": { + "$ref": "#/definitions/Entity" + } + }, + "metaData": { + "description": "The metadata from the incident related entities results.", + "type": "array", + "items": { + "$ref": "#/definitions/IncidentEntitiesResultsMetadata" + } } } }, - "required": [ - "kind" - ], - "type": "object" - }, - "DataConnectorList": { - "description": "List all the data connectors.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of data connectors.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of data connectors.", - "items": { - "$ref": "#/definitions/DataConnector" + "IncidentEntitiesResultsMetadata": { + "description": "Information of a specific aggregation in the incident related entities result.", + "properties": { + "count": { + "description": "Total number of aggregations of the given kind in the incident related entities result.", + "type": "integer", + "format": "int32" }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "DataConnectorRequirementsState": { - "description": "Data connector requirements status.", - "properties": { - "authorizationState": { - "description": "Authorization state for this connector", - "$ref": "#/definitions/DataConnectorAuthorizationState" - }, - "licenseState": { - "description": "License state for this connector", - "$ref": "#/definitions/DataConnectorLicenseState" - } + "entityKind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." 
+ } + }, + "required": [ + "entityKind", + "count" + ], + "type": "object" }, - "type": "object" - }, - "DataConnectorTenantId": { - "description": "Properties data connector on tenant level.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - } + "IncidentLabel": { + "description": "Represents an incident label", + "properties": { + "labelName": { + "description": "The name of the label", + "type": "string" + }, + "labelType": { + "description": "The type of the label", + "enum": [ + "User", + "System" + ], + "type": "string", + "readOnly": true, + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentLabelType", + "values": [ + { + "description": "Label manually created by a user", + "value": "User" + }, + { + "description": "Label automatically created by the system", + "value": "System" + } + ] + } + } + }, + "required": [ + "labelName" + ], + "type": "object" }, - "required": [ - "tenantId" - ], - "type": "object" - }, - "DataConnectorWithAlertsProperties": { - "description": "Data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." 
- } + "IncidentList": { + "description": "List all the incidents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of incidents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of incidents.", + "items": { + "$ref": "#/definitions/Incident" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "type": "object" - }, - "DnsEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a dns entity.", - "properties": { + "IncidentOwnerInfo": { + "description": "Information on the user an incident is assigned to", "properties": { - "$ref": "#/definitions/DnsEntityProperties", - "description": "Dns entity properties", - "x-ms-client-flatten": true - } + "email": { + "description": "The email of the user the incident is assigned to.", + "type": "string" + }, + "assignedTo": { + "description": "The name of the user the incident is assigned to.", + "type": "string" + }, + "objectId": { + "description": "The object id of the user the incident is assigned to.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the user the incident is assigned to.", + "type": "string" + } + }, + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "DnsResolution" - }, - "DnsEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Dns entity property bag.", - "properties": { - "dnsServerIpEntityId": { - "description": "An ip entity id for the dns server resolving the request", - "readOnly": true, - "type": "string" - }, - "domainName": { - "description": "The name of the dns record associated with the alert", - "readOnly": true, - "type": "string" - }, - "hostIpAddressEntityId": { - "description": "An ip entity id for the dns request client", - "readOnly": true, - "type": "string" - }, - "ipAddressEntityIds": { - "description": "Ip entity 
identifiers for the resolved ip address.", - "items": { - "description": "Ip entity id", - "type": "string" - }, - "readOnly": true, - "type": "array" + "IncidentClassification": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + "value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] } }, - "type": "object" - }, - "Dynamics365DataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents Dynamics365 data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/Dynamics365DataConnectorProperties", - "description": "Dynamics365 data connector properties.", - "x-ms-client-flatten": true + "IncidentClassificationReason": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" + } + ] } }, - "type": "object", - "x-ms-discriminator-value": 
"Dynamics365" - }, - "Dynamics365DataConnectorDataTypes": { - "description": "The available data types for Dynamics365 data connector.", - "properties": { - "dynamics365CdsActivities": { - "allOf": [ + "IncidentSeverity": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "description": "Informational severity", + "value": "Informational" } - ], - "description": "Common Data Service data type connection.", - "type": "object" + ] } }, - "type": "object", - "required": [ - "dynamics365CdsActivities" - ] - }, - "Dynamics365DataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Dynamics365 data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", - "description": "The available data types for the connector." 
+ "IncidentStatus": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] } }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "Dynamics365CheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents Dynamics365 requirements check request.", - "properties": { + "IncidentProperties": { + "description": "Describes incident properties", "properties": { - "$ref": "#/definitions/Dynamics365CheckRequirementsProperties", - "description": "Dynamics365 requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Dynamics365" - }, - "Dynamics365CheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Dynamics365 requirements check properties.", - "type": "object" - }, - "EnrichmentDomainWhois": { - "description": "Whois information for a given domain and associated metadata", - "properties": { - "domain": { - "description": "The domain for this whois record", - "type": "string" - }, - "server": { - "description": "The hostname of this registrar's whois server", - "type": "string" - }, - "created": { - "description": "The timestamp at which this record was created", - "format": "date-time", - "type": "string" - }, - "updated": { - "description": "The timestamp at which this record was last updated", - "format": "date-time", - "type": "string" - }, - "expires": { - "description": "The timestamp at which this record will expire", - "format": "date-time", - 
"type": "string" - }, - "parsedWhois": { - "description": "The whois record for a given domain", - "$ref": "#/definitions/EnrichmentDomainWhoisDetails" - } - } - }, - "EnrichmentDomainWhoisDetails": { - "description": "The whois record for a given domain", - "properties": { - "registrar": { - "description": "The registrar associated with this domain", - "$ref": "#/definitions/EnrichmentDomainWhoisRegistrarDetails" + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", + "readOnly": true, + "type": "object" + }, + "classification": { + "$ref": "#/definitions/IncidentClassification", + "description": "The reason the incident was closed" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "classificationReason": { + "$ref": "#/definitions/IncidentClassificationReason", + "description": "The classification reason the incident was closed with" + }, + "createdTimeUtc": { + "description": "The time the incident was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the incident", + "type": "string" + }, + "firstActivityTimeUtc": { + "description": "The time of the first activity in the incident", + "format": "date-time", + "type": "string" + }, + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", + "readOnly": true, + "type": "string" + }, + "incidentNumber": { + "description": "A sequential number", + "readOnly": true, + "type": "integer" + }, + "labels": { + "description": "List of labels relevant to this incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "providerName": { + "description": "The name of the source provider that generated the incident", + "type": "string" + }, + "providerIncidentId": { + "description": "The incident ID assigned by the incident provider", + 
"type": "string" + }, + "lastActivityTimeUtc": { + "description": "The time of the last activity in the incident", + "format": "date-time", + "type": "string" + }, + "lastModifiedTimeUtc": { + "description": "The last time the incident was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": "Describes a user that the incident is assigned to", + "type": "object" + }, + "relatedAnalyticRuleIds": { + "description": "List of resource ids of Analytic rules related to the incident", + "items": { + "description": "Related Analytic rule resource id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "severity": { + "$ref": "#/definitions/IncidentSeverity", + "description": "The severity of the incident" + }, + "status": { + "$ref": "#/definitions/IncidentStatus", + "description": "The status of the incident" + }, + "title": { + "description": "The title of the incident", + "type": "string" + } }, - "contacts": { - "description": "The set of contacts associated with this domain", - "$ref": "#/definitions/EnrichmentDomainWhoisContacts" + "required": [ + "title", + "severity", + "status" + ], + "type": "object" + }, + "IpEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an ip entity.", + "properties": { + "properties": { + "$ref": "#/definitions/IpEntityProperties", + "description": "Ip entity properties", + "x-ms-client-flatten": true + } }, - "nameServers": { - "description": "A list of name servers associated with this domain", - "type": "array", - "items": { + "type": "object", + "x-ms-discriminator-value": "Ip" + }, + "IpEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Ip entity property bag.", + "properties": { + "address": { + "description": "The IP address as string, e.g. 
127.0.0.1 (either in Ipv4 or Ipv6)", + "readOnly": true, "type": "string" + }, + "location": { + "$ref": "#/definitions/GeoLocation", + "description": "The geo-location context attached to the ip entity" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the ip entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "MailboxEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" } - }, - "statuses": { - "description": "The set of status flags for this whois record", - "type": "array", - "items": { - "type": "string" + ], + "description": "Represents a mailbox entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailboxEntityProperties", + "description": "Mailbox entity properties", + "x-ms-client-flatten": true } - } - } - }, - "EnrichmentDomainWhoisRegistrarDetails": { - "description": "The registrar associated with this domain", - "properties": { - "name": { - "description": "The name of this registrar", - "type": "string" - }, - "abuseContactEmail": { - "description": "This registrar's abuse contact email", - "type": "string" - }, - "abuseContactPhone": { - "description": "This registrar's abuse contact phone number", - "type": "string" - }, - "ianaId": { - "description": "This registrar's Internet Assigned Numbers Authority id", - "type": "string" - }, - "url": { - "description": "This registrar's URL", - "type": "string" - }, - "whoisServer": { - "description": "The hostname of this registrar's whois server", - "type": "string" - } - } - }, - "EnrichmentDomainWhoisContacts": { - "description": "The set of contacts associated with this domain", - "properties": { - "admin": { - "description": "The admin contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "billing": { - 
"description": "The billing contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "registrant": { - "description": "The registrant contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "tech": { - "description": "The technical contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - } - } - }, - "EnrichmentDomainWhoisContact": { - "description": "An individual contact associated with this domain", - "properties": { - "name": { - "description": "The name of this contact", - "type": "string" - }, - "org": { - "description": "The organization for this contact", - "type": "string" }, - "street": { - "description": "A list describing the street address for this contact", - "type": "array", - "items": { + "type": "object", + "x-ms-discriminator-value": "Mailbox" + }, + "MailboxEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mailbox entity property bag.", + "properties": { + "mailboxPrimaryAddress": { + "description": "The mailbox's primary address", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The mailbox's display name", + "readOnly": true, + "type": "string" + }, + "upn": { + "description": "The mailbox's UPN", + "readOnly": true, + "type": "string" + }, + "externalDirectoryObjectId": { + "description": "The AzureAD identifier of mailbox. 
Similar to AadUserId in account entity but this property is specific to mailbox object on office side", + "format": "uuid", + "readOnly": true, "type": "string" } }, - "city": { - "description": "The city for this contact", - "type": "string" - }, - "state": { - "description": "The state for this contact", - "type": "string" - }, - "postal": { - "description": "The postal code for this contact", - "type": "string" - }, - "country": { - "description": "The country for this contact", - "type": "string" - }, - "phone": { - "description": "The phone number for this contact", - "type": "string" - }, - "fax": { - "description": "The fax number for this contact", - "type": "string" - }, - "email": { - "description": "The email address for this contact", - "type": "string" - } - } - }, - "EnrichmentIpGeodata": { - "description": "Geodata information for a given IP address", - "properties": { - "asn": { - "description": "The autonomous system number associated with this IP address", - "type": "string" - }, - "carrier": { - "description": "The name of the carrier for this IP address", - "type": "string" - }, - "city": { - "description": "The city this IP address is located in", - "type": "string" - }, - "cityCf": { - "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100", - "type": "integer", - "format": "int32" - }, - "continent": { - "description": "The continent this IP address is located on", - "type": "string" - }, - "country": { - "description": "The county this IP address is located in", - "type": "string" - }, - "countryCf": { - "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100", - "type": "integer", - "format": "int32" - }, - "ipAddr": { - "description": "The dotted-decimal or colon-separated string representation of the IP address", - "type": "string" - }, - "ipRoutingType": { - "description": "A description of the connection type of this IP 
address", - "type": "string" - }, - "latitude": { - "description": "The latitude of this IP address", - "type": "string" - }, - "longitude": { - "description": "The longitude of this IP address", - "type": "string" - }, - "organization": { - "description": "The name of the organization for this IP address", - "type": "string" - }, - "organizationType": { - "description": "The type of the organization for this IP address", - "type": "string" - }, - "region": { - "description": "The geographic region this IP address is located in", - "type": "string" - }, - "state": { - "description": "The state this IP address is located in", - "type": "string" - }, - "stateCf": { - "description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100", - "type": "integer", - "format": "int32" - }, - "stateCode": { - "description": "The abbreviated name for the state this IP address is located in", - "type": "string" - } - } - }, - "Entity": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + "type": "object" + }, + "MailClusterEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail cluster entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailClusterEntityProperties", + "description": "Mail cluster entity properties", + "x-ms-client-flatten": true + } }, - { - "$ref": "#/definitions/EntityKind" - } - ], - "description": "Specific entity.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "EntityEdges": { - "description": "The edge that connects the entity to the other entity.", - "properties": { - "targetEntityId": { - "description": "The target entity Id.", - "type": "string" - }, - "additionalData": { - "additionalProperties": { + "type": "object", + "x-ms-discriminator-value": "MailCluster" + }, + "MailClusterEntityProperties": { + "allOf": [ + { + "$ref": 
"#/definitions/EntityCommonProperties" + } + ], + "description": "Mail cluster entity property bag.", + "properties": { + "networkMessageIds": { + "description": "The mail message IDs that are part of the mail cluster", + "items": { + "description": "A mail message ID", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "countByDeliveryStatus": { + "description": "Count of mail messages by DeliveryStatus string representation", + "readOnly": true, "type": "object" }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "type": "object" - } - }, - "type": "object" - }, - "EntityCommonProperties": { - "description": "Entity common property bag.", - "properties": { - "additionalData": { - "additionalProperties": { + "countByThreatType": { + "description": "Count of mail messages by ThreatType string representation", + "readOnly": true, "type": "object" }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "readOnly": true, - "type": "object" - }, - "friendlyName": { - "description": "The graph item display name which is a short humanly readable description of the graph item instance. 
This property is optional and might be system generated.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "EntityExpandParameters": { - "description": "The parameters required to execute an expand operation on the given entity.", - "properties": { - "endTime": { - "description": "The end date filter, so the only expansion results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "expansionId": { - "description": "The Id of the expansion to perform.", - "format": "uuid", - "type": "string" - }, - "startTime": { - "description": "The start date filter, so the only expansion results returned are after this date.", - "format": "date-time", - "type": "string" - } - } - }, - "EntityTimelineParameters": { - "description": "The parameters required to execute s timeline operation on the given entity.", - "properties": { - "kinds": { - "description": "Array of timeline Item kinds.", - "items": { - "$ref": "#/definitions/EntityTimelineKind" + "countByProtectionStatus": { + "description": "Count of mail messages by ProtectionStatus string representation", + "readOnly": true, + "type": "object" }, - "type": "array" - }, - "startTime": { - "description": "The start timeline date, so the results returned are after this date.", - "format": "date-time", - "type": "string" - }, - "endTime": { - "description": "The end timeline date, so the results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "numberOfBucket": { - "description": "The number of bucket for timeline queries aggregation.", - "type": "integer", - "format": "int32" - } - }, - "required": [ - "startTime", - "endTime" - ] - }, - "EntityExpandResponse": { - "description": "The entity expansion result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/ExpansionResultsMetadata", - "description": "The metadata from the expansion operation results." 
- }, - "value": { - "description": "The expansion result values.", - "properties": { - "entities": { - "description": "Array of the expansion result entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" + "threats": { + "description": "The threats of mail messages that are part of the mail cluster", + "items": { + "description": "A threat", + "type": "string" }, - "edges": { - "description": "Array of edges that connects the entity to the list of entities.", - "items": { - "$ref": "#/definitions/EntityEdges" - }, - "type": "array" - } + "readOnly": true, + "type": "array" }, - "type": "object" - } - } - }, - "EntityTimelineResponse": { - "description": "The entity timeline result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/TimelineResultsMetadata", - "description": "The metadata from the timeline operation results." - }, - "value": { - "description": "The timeline result values.", - "items": { - "$ref": "#/definitions/EntityTimelineItem" + "query": { + "description": "The query that was used to identify the messages of the mail cluster", + "readOnly": true, + "type": "string" }, - "type": "array" - } - } - }, - "GetQueriesResponse": { - "description": "Retrieve queries for entity result operation response.", - "properties": { - "value": { - "description": "The query result values.", - "items": { - "$ref": "#/definitions/EntityQueryItem" + "queryTime": { + "description": "The query time", + "format": "date-time", + "readOnly": true, + "type": "string" }, - "type": "array" - } - } - }, - "EntityInnerKind": { - "description": "The kind of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DnsResolution", - "FileHash", - "Ip", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "Url", - "IoTDevice", - "SecurityAlert", - "Bookmark", - "Mailbox", - "MailCluster", - "MailMessage", - "SubmissionMail" - ], - "type": "string", - 
"x-ms-enum": { - "modelAsString": true, - "name": "EntityKind", - "values": [ - { - "description": "Entity represents account in the system.", - "value": "Account" + "mailCount": { + "description": "The number of mail messages that are part of the mail cluster", + "readOnly": true, + "type": "integer", + "format": "int32" }, - { - "description": "Entity represents host in the system.", - "value": "Host" + "isVolumeAnomaly": { + "description": "Is this a volume anomaly mail cluster", + "readOnly": true, + "type": "boolean" }, - { - "description": "Entity represents file in the system.", - "value": "File" + "source": { + "description": "The source of the mail cluster (default is 'O365 ATP')", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents azure resource in the system.", - "value": "AzureResource" + "clusterSourceIdentifier": { + "description": "The id of the cluster source", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents cloud application in the system.", - "value": "CloudApplication" + "clusterSourceType": { + "description": "The type of the cluster source", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents dns resolution in the system.", - "value": "DnsResolution" + "clusterQueryStartTime": { + "description": "The cluster query start time", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents file hash in the system.", - "value": "FileHash" + "clusterQueryEndTime": { + "description": "The cluster query end time", + "format": "date-time", + "readOnly": true, + "type": "string" }, + "clusterGroup": { + "description": "The cluster group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailMessageEntity": { + "allOf": [ { - "description": "Entity represents ip in the system.", - "value": "Ip" - }, + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail message 
entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailMessageEntityProperties", + "description": "Mail message entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailMessage" + }, + "MailMessageEntityProperties": { + "allOf": [ { - "description": "Entity represents malware in the system.", - "value": "Malware" + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail message entity property bag.", + "properties": { + "fileEntityIds": { + "description": "The File entity ids of this mail message's attachments", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" }, - { - "description": "Entity represents process in the system.", - "value": "Process" + "recipient": { + "description": "The recipient of this mail message. Note that in case of multiple recipients the mail message is forked and each copy has one recipient", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents registry key in the system.", - "value": "RegistryKey" + "urls": { + "description": "The Urls contained in this mail message", + "items": { + "description": "A Url contained in this mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" }, - { - "description": "Entity represents registry value in the system.", - "value": "RegistryValue" + "threats": { + "description": "The threats of this mail message", + "items": { + "description": "A threat of the mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" }, - { - "description": "Entity represents security group in the system.", - "value": "SecurityGroup" + "p1Sender": { + "description": "The p1 sender's email address", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents url in the system.", - "value": "Url" + "p1SenderDisplayName": { + "description": "The p1 sender's display name", + "readOnly": true, + "type": "string" }, - { 
- "description": "Entity represents IoT device in the system.", - "value": "IoTDevice" + "p1SenderDomain": { + "description": "The p1 sender's domain", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents security alert in the system.", - "value": "SecurityAlert" + "senderIP": { + "description": "The sender's IP address", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents bookmark in the system.", - "value": "Bookmark" + "p2Sender": { + "description": "The p2 sender's email address", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents mail cluster in the system.", - "value": "MailCluster" + "p2SenderDisplayName": { + "description": "The p2 sender's display name", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents mail message in the system.", - "value": "MailMessage" + "p2SenderDomain": { + "description": "The p2 sender's domain", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents mailbox in the system.", - "value": "Mailbox" + "receiveDate": { + "description": "The receive date of this message", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents submission mail in the system.", - "value": "SubmissionMail" - } - ] - } - }, - "EntityInnerType": { - "description": "The type of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DNS", - "FileHash", - "IP", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "URL", - "IoTDevice", - "SecurityAlert", - "HuntingBookmark", - "MailCluster", - "MailMessage", - "Mailbox", - "SubmissionMail" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityType", - "values": [ - { - "description": "Entity represents account in the system.", - "value": "Account" + "networkMessageId": { + "description": "The network message id 
of this mail message", + "format": "uuid", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents host in the system.", - "value": "Host" + "internetMessageId": { + "description": "The internet message id of this mail message", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents file in the system.", - "value": "File" + "subject": { + "description": "The subject of this mail message", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents azure resource in the system.", - "value": "AzureResource" + "language": { + "description": "The language of this mail message", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents cloud application in the system.", - "value": "CloudApplication" + "threatDetectionMethods": { + "description": "The threat detection methods", + "items": { + "description": "A threat detection method", + "type": "string" + }, + "readOnly": true, + "type": "array" }, - { - "description": "Entity represents dns in the system.", - "value": "DNS" + "bodyFingerprintBin1": { + "description": "The bodyFingerprintBin1", + "type": "integer", + "format": "int32" }, - { - "description": "Entity represents file hash in the system.", - "value": "FileHash" + "bodyFingerprintBin2": { + "description": "The bodyFingerprintBin2", + "type": "integer", + "format": "int32" }, - { - "description": "Entity represents ip in the system.", - "value": "IP" + "bodyFingerprintBin3": { + "description": "The bodyFingerprintBin3", + "type": "integer", + "format": "int32" }, - { - "description": "Entity represents malware in the system.", - "value": "Malware" + "bodyFingerprintBin4": { + "description": "The bodyFingerprintBin4", + "type": "integer", + "format": "int32" }, - { - "description": "Entity represents process in the system.", - "value": "Process" + "bodyFingerprintBin5": { + "description": "The bodyFingerprintBin5", + "type": "integer", + "format": "int32" + }, + 
"antispamDirection": { + "description": "The directionality of this mail message", + "enum": [ + "Unknown", + "Inbound", + "Outbound", + "Intraorg" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AntispamMailDirection", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbound", + "value": "Inbound" + }, + { + "description": "Outbound", + "value": "Outbound" + }, + { + "description": "Intraorg", + "value": "Intraorg" + } + ] + } + }, + "deliveryAction": { + "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", + "enum": [ + "Unknown", + "DeliveredAsSpam", + "Delivered", + "Blocked", + "Replaced" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryAction", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "DeliveredAsSpam", + "value": "DeliveredAsSpam" + }, + { + "description": "Delivered", + "value": "Delivered" + }, + { + "description": "Blocked", + "value": "Blocked" + }, + { + "description": "Replaced", + "value": "Replaced" + } + ] + } }, + "deliveryLocation": { + "description": "The delivery location of this mail message like Inbox, JunkFolder etc", + "enum": [ + "Unknown", + "Inbox", + "JunkFolder", + "DeletedFolder", + "Quarantine", + "External", + "Failed", + "Dropped", + "Forwarded" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryLocation", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbox", + "value": "Inbox" + }, + { + "description": "JunkFolder", + "value": "JunkFolder" + }, + { + "description": "DeletedFolder", + "value": "DeletedFolder" + }, + { + "description": "Quarantine", + "value": "Quarantine" + }, + { + "description": "External", + "value": "External" + }, + { + "description": "Failed", + "value": "Failed" + }, + { + "description": "Dropped", + "value": "Dropped" + 
}, + { + "description": "Forwarded", + "value": "Forwarded" + } + ] + } + } + }, + "type": "object" + }, + "SubmissionMailEntity": { + "allOf": [ { - "description": "Entity represents registry key in the system.", - "value": "RegistryKey" - }, + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a submission mail entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SubmissionMailEntityProperties", + "description": "Submission mail entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SubmissionMail" + }, + "SubmissionMailEntityProperties": { + "allOf": [ { - "description": "Entity represents registry value in the system.", - "value": "RegistryValue" + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Submission mail entity property bag.", + "properties": { + "networkMessageId": { + "description": "The network message id of email to which submission belongs", + "format": "uuid", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents security group in the system.", - "value": "SecurityGroup" + "submissionId": { + "description": "The submission id", + "format": "uuid", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents url in the system.", - "value": "URL" + "submitter": { + "description": "The submitter", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents IoT device in the system.", - "value": "IoTDevice" + "submissionDate": { + "description": "The submission date", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents security alert in the system.", - "value": "SecurityAlert" + "timestamp": { + "description": "The Time stamp when the message is received (Mail)", + "format": "date-time", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents HuntingBookmark in the system.", - "value": 
"HuntingBookmark" + "recipient": { + "description": "The recipient of the mail", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents mail cluster in the system.", - "value": "MailCluster" + "sender": { + "description": "The sender of the mail", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents mail message in the system.", - "value": "MailMessage" + "senderIp": { + "description": "The sender's IP", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents mailbox in the system.", - "value": "Mailbox" + "subject": { + "description": "The subject of submission mail", + "readOnly": true, + "type": "string" }, - { - "description": "Entity represents submission mail in the system.", - "value": "SubmissionMail" + "reportType": { + "description": "The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk.", + "readOnly": true, + "type": "string" } - ] - } - }, - "EntityKind": { - "description": "Describes an entity with kind.", - "properties": { - "kind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the entity." 
- } + }, + "type": "object" }, - "required": [ - "kind" - ], - "type": "object" - }, - "EntityList": { - "description": "List of all the entities.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of entities.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - } + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" }, - "required": [ - "value" - ] - }, - "EntityQueryKind": { - "description": "Describes an Entity query resource with kind.", - "properties": { - "kind": { - "description": "The kind of the entity query", - "enum": [ - "Expansion", - "Insight" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityQueryKind", - "values": [ - { - "value": "Expansion" - }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "discoveryLogs": { + "allOf": [ { - "value": "Insight" + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - ] + ], + "description": "Discovery log data type connection.", + "type": "object" } - } + }, + "type": "object" }, - "required": [ - "kind" - ], - "type": "object" - }, - "EntityQuery": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "MCASDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], 
+ "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } }, - { - "$ref": "#/definitions/EntityQueryKind" - } - ], - "description": "Specific entity query.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "ExpansionEntityQuery": { - "description": "Represents Expansion entity query.", - "allOf": [ - { - "$ref": "#/definitions/EntityQuery" - } - ], - "properties": { + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MCASCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", "properties": { - "$ref": "#/definitions/ExpansionEntityQueriesProperties", - "description": "Expansion entity query properties", - "x-ms-client-flatten": true - } + "properties": { + "$ref": "#/definitions/MCASCheckRequirementsProperties", + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" }, - "type": "object", - "x-ms-discriminator-value": "Expansion" - }, - "EntityTimelineKind": { - "description": "The entity query kind", - "enum": [ - "Activity", - "Bookmark", - "SecurityAlert" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityTimelineKind", - "values": [ + "MCASCheckRequirementsProperties": { + "allOf": [ { - "description": "activity", - "value": "Activity" - }, + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": 
"Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "allOf": [ { - "description": "bookmarks", - "value": "Bookmark" + "$ref": "#/definitions/DataConnectorTenantId" }, { - "description": "security alerts", - "value": "SecurityAlert" + "$ref": "#/definitions/DataConnectorWithAlertsProperties" } - ] - } - }, - "EntityQueryList": { - "description": "List of all the entity queries.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of entity queries.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of entity queries.", - "items": { - "$ref": "#/definitions/EntityQuery" - }, - "type": "array" - } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "type": "object" }, - "required": [ - "value" - ] - }, - "ExpansionEntityQueriesProperties": { - "description": "Describes expansion entity query properties", - "properties": { - "dataSources": { - "description": "List of the data sources that are required to run the query", - "items": { - "description": "data source", - "type": "string" - }, - "type": "array" - }, - "displayName": { - "description": "The query display name", - "type": "string" + "MDATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPCheckRequirementsProperties", + "description": "MDATP (Microsoft Defender Advanced 
Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } }, - "inputEntityType": { - "$ref": "#/definitions/EntityInnerType", - "description": "The type of the query's source entity" + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "MalwareEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a malware entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MalwareEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } }, - "inputFields": { - "description": "List of the fields of the source entity that are required to run the query", - "items": { - "description": "input field", + "type": "object", + "x-ms-discriminator-value": "Malware" + }, + "MalwareEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Malware entity property bag.", + "properties": { + "category": { + "description": "The malware category by the vendor, e.g. Trojan", + "readOnly": true, "type": "string" }, - "type": "array" - }, - "outputEntityTypes": { - "description": "List of the desired output types to be constructed from the result", - "items": { - "$ref": "#/definitions/EntityInnerType", - "description": "output entity type" + "fileEntityIds": { + "description": "List of linked file entity identifiers on which the malware was found", + "items": { + "description": "file entity id", + "type": "string" + }, + "readOnly": true, + "type": "array" }, - "type": "array" + "malwareName": { + "description": "The malware name by the vendor, e.g. 
Win32/Toga!rfn", + "readOnly": true, + "type": "string" + }, + "processEntityIds": { + "description": "List of linked process entity identifiers on which the malware was found.", + "items": { + "description": "process entity id", + "type": "string" + }, + "readOnly": true, + "type": "array" + } }, - "queryTemplate": { - "description": "The template query string to be parsed and formatted", - "type": "string" - } - }, - "type": "object" - }, - "ExpansionResultAggregation": { - "description": "Information of a specific aggregation in the expansion result.", - "properties": { - "aggregationType": { - "description": "The common type of the aggregation. (for e.g. entity field name)", - "type": "string" - }, - "count": { - "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", - "type": "integer" - }, - "displayName": { - "description": "The display name of the aggregation by type.", - "type": "string" - }, - "entityKind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the aggregated entity." 
- } - }, - "required": [ - "entityKind", - "count" - ], - "type": "object" - }, - "ExpansionResultsMetadata": { - "description": "Expansion result metadata.", - "properties": { - "aggregations": { - "description": "Information of the aggregated nodes in the expansion result.", - "items": { - "$ref": "#/definitions/ExpansionResultAggregation" - }, - "type": "array" - } - }, - "type": "object" - }, - "ConnectedEntity": { - "description": "Expansion result connected entities", - "properties": { - "targetEntityId": { - "description": "Entity Id of the connected entity", - "type": "string" - }, - "additionalData": { - "description": "key-value pairs for a connected entity mapping", - "type": "object" - } - } - }, - "TimelineResultsMetadata": { - "description": "Expansion result metadata.", - "properties": { - "totalCount": { - "description": "the total items found for the timeline request", - "type": "integer", - "format": "int32" - }, - "aggregations": { - "description": "timeline aggregation per kind", - "items": { - "$ref": "#/definitions/TimelineAggregation" - }, - "type": "array" - }, - "errors": { - "description": "information about the failure queries", - "items": { - "$ref": "#/definitions/TimelineError" - }, - "type": "array" - } - }, - "required": [ - "totalCount", - "aggregations" - ], - "type": "object" - }, - "TimelineError": { - "description": "Timeline Query Errors.", - "properties": { - "kind": { - "description": "the query kind", - "$ref": "#/definitions/EntityTimelineKind" - }, - "queryId": { - "description": "the query id", - "type": "string" - }, - "errorMessage": { - "description": "the error message", - "type": "string" - } - }, - "required": [ - "kind", - "errorMessage" - ], - "type": "object" - }, - "TimelineAggregation": { - "description": "timeline aggregation information per kind", - "properties": { - "count": { - "description": "the total items found for a kind", - "type": "integer", - "format": "int32" - }, - "kind": { - "description": "the 
query kind", - "$ref": "#/definitions/EntityTimelineKind" - } - }, - "required": [ - "kind", - "count" - ], - "type": "object" - }, - "EntityTimelineItem": { - "description": "Entity timeline Item.", - "discriminator": "kind", - "type": "object", - "properties": { - "kind": { - "$ref": "#/definitions/EntityTimelineKind", - "description": "The entity query kind type." - } + "type": "object" }, - "required": [ - "kind" - ] - }, - "FileEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file entity.", - "properties": { + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", "properties": { - "$ref": "#/definitions/FileEntityProperties", - "description": "File entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "File" - }, - "FileEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "File entity property bag.", - "properties": { - "directory": { - "description": "The full path to the file.", - "readOnly": true, - "type": "string" - }, - "fileHashEntityIds": { - "description": "The file hash entity identifiers associated with this file", - "items": { - "description": "file hash id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "fileName": { - "description": "The file name without path (some alerts might not include path).", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id which the file belongs to", - "readOnly": true, - "type": "string" - } + "properties": { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": 
"MicrosoftSecurityIncidentCreation" }, - "type": "object" - }, - "FileHashEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file hash entity.", - "properties": { + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", "properties": { - "$ref": "#/definitions/FileHashEntityProperties", - "description": "FileHash entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "FileHash" - }, - "FileHashEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "FileHash entity property bag.", - "properties": { - "algorithm": { - "description": "The hash algorithm type.", - "enum": [ - "Unknown", - "MD5", - "SHA1", - "SHA256", - "SHA256AC" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "FileHashAlgorithm", - "values": [ - { - "description": "Unknown hash algorithm", - "value": "Unknown" - }, - { - "description": "MD5 hash type", - "value": "MD5" - }, - { - "description": "SHA1 hash type", - "value": "SHA1" - }, - { - "description": "SHA256 hash type", - "value": "SHA256" - }, - { - "description": "SHA256 Authenticode hash type", - "value": "SHA256AC" - } - ] + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { + "type": "string" + }, + "type": "array" + }, + "productFilter": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for 
IoT", + "Office 365 Advanced Threat Protection", + "Microsoft Defender Advanced Threat Protection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" + } + }, + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" } }, - "hashValue": { - "description": "The file hash value.", - "readOnly": true, - "type": "string" - } + "required": [ + "productFilter" + ], + "type": "object" }, - "type": "object" - }, - "InsightQueryItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityQueryItem" - } - ], - "description": "Represents Insight Query.", - "properties": { + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", "properties": { - "description": "Properties bag for InsightQueryItem", - "$ref": "#/definitions/InsightQueryItemProperties" - } + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "Insight" - }, - "InsightQueryItemProperties": { - "allOf": [ - { - "$ref": 
"#/definitions/EntityQueryItemProperties" - } - ], - "description": "Represents Insight Query.", - "properties": { - "displayName": { - "type": "string", - "description": "The insight display name." - }, - "description": { - "type": "string", - "description": "The insight description." - }, - "baseQuery": { - "type": "string", - "description": "The base query of the insight." - }, - "tableQuery": { - "type": "object", - "description": "The insight table query.", - "properties": { - "columnsDefinitions": { - "type": "array", - "description": "List of insight column definitions.", - "items": { - "properties": { - "header": { - "type": "string", - "description": "Insight column header." - }, - "outputType": { - "type": "string", - "description": "Insights Column type.", - "enum": [ - "Number", - "String", - "Date", - "Entity" - ], - "x-ms-enum": { - "modelAsString": true, - "name": "outputType" - } - }, - "supportDeepLink": { - "type": "boolean", - "description": "Is query supports deep-link." - } - } - } - }, - "queriesDefinitions": { - "type": "array", - "description": "List of insight queries definitions.", - "items": { - "properties": { - "filter": { - "type": "string", - "description": "Insight column header." - }, - "summarize": { - "type": "string", - "description": "Insight column header." - }, - "project": { - "type": "string", - "description": "Insight column header." - }, - "linkColumnsDefinitions": { - "type": "array", - "description": "Insight column header.", - "items": { - "properties": { - "projectedName": { - "type": "string", - "description": "Insight Link Definition Projected Name." - }, - "Query": { - "type": "string", - "description": "Insight Link Definition Query." 
- } - } - } - } - } + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { + "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" } - } + ], + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true } }, - "chartQuery": { - "type": "object", - "description": "The insight chart query." - }, - "additionalQuery": { - "type": "object", - "description": "The activity query definitions.", + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "OfficeATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", + "properties": { "properties": { - "query": { - "type": "string", - "description": "The insight query." - }, - "text": { - "type": "string", - "description": "The insight text." 
- } + "$ref": "#/definitions/OfficeATPDataConnectorProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true } }, - "defaultTimeRange": { - "type": "object", - "description": "The insight chart query.", + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "OfficeATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", + "properties": { "properties": { - "beforeRange": { - "type": "string", - "description": "The padding for the start time of the query." - }, - "afterRange": { - "type": "string", - "description": "The padding for the end time of the query." 
- } + "$ref": "#/definitions/OfficeATPCheckRequirementsProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true } }, - "referenceTimeRange": { - "type": "object", - "description": "The insight chart query.", + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "OfficeConsent": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + } + ], + "description": "Consent for Office365 tenant that already made.", + "properties": { "properties": { - "beforeRange": { - "type": "string", - "description": "Additional query time for looking back." - } + "$ref": "#/definitions/OfficeConsentProperties", + "description": "Office consent properties", + "x-ms-client-flatten": true } - } + }, + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "Insight" - }, - "ActivityTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents Activity timeline item.", - "properties": { - "queryId": { - "type": "string", - "description": "The activity query id." - }, - "bucketStartTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The grouping bucket start time." - }, - "bucketEndTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The grouping bucket end time." - }, - "firstActivityTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The time of the first activity in the grouping bucket." - }, - "lastActivityTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The time of the last activity in the grouping bucket." 
- }, - "content": { - "type": "string", - "description": "The activity timeline content." - }, - "title": { - "type": "string", - "description": "The activity timeline title." - } + "OfficeConsentList": { + "description": "List of all the office365 consents.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of office consents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of the consents.", + "items": { + "$ref": "#/definitions/OfficeConsent" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "required": [ - "queryId", - "bucketStartTimeUTC", - "bucketEndTimeUTC", - "firstActivityTimeUTC", - "lastActivityTimeUTC", - "content", - "title" - ], - "type": "object", - "x-ms-discriminator-value": "Activity" - }, - "SecurityAlertTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents security alert timeline item.", - "properties": { - "azureResourceId": { - "type": "string", - "description": "The alert azure resource id." - }, - "productName": { - "type": "string", - "description": "The alert product name." - }, - "description": { - "type": "string", - "description": "The alert description." - }, - "displayName": { - "type": "string", - "description": "The alert name." - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The alert severity." - }, - "endTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The alert end time." - }, - "startTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The alert start time." - }, - "timeGenerated": { - "format": "date-time", - "type": "string", - "description": "The alert generated time." - }, - "alertType": { - "type": "string", - "description": "The name of the alert type." 
- } + "OfficeConsentProperties": { + "description": "Consent property bag.", + "properties": { + "tenantId": { + "description": "The tenantId of the Office365 with the consent.", + "type": "string" + }, + "consentId": { + "description": "Help to easily cascade among the data layers.", + "type": "string" + } + }, + "type": "object" }, - "required": [ - "azureResourceId", - "displayName", - "severity", - "endTimeUtc", - "startTimeUtc", - "timeGenerated", - "alertType" - ], - "type": "object", - "x-ms-discriminator-value": "SecurityAlert" - }, - "BookmarkTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents bookmark timeline item.", - "properties": { - "azureResourceId": { - "type": "string", - "description": "The bookmark azure resource id." - }, - "displayName": { - "type": "string", - "description": "The bookmark display name." - }, - "notes": { - "type": "string", - "description": "The notes of the bookmark" - }, - "endTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The bookmark end time." - }, - "startTimeUtc": { - "format": "date-time", - "type": "string", - "description": "TThe bookmark start time." - }, - "eventTime": { - "format": "date-time", - "type": "string", - "description": "The bookmark event time." 
- }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - } + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" }, - "required": [ - "azureResourceId" - ], - "type": "object", - "x-ms-discriminator-value": "Bookmark" - }, - "FusionAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents Fusion alert rule.", - "properties": { + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", "properties": { - "$ref": "#/definitions/FusionAlertRuleProperties", - "description": "Fusion alert rule properties", - "x-ms-client-flatten": true - } + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Exchange data type connection.", + "type": "object" + }, + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "exchange", + "sharePoint", + "teams" + ] }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "FusionAlertRuleProperties": { - "description": "Fusion alert rule base property bag.", - "properties": { - 
"alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "readOnly": true, - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } + "OfficeDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "required": [ + "dataTypes" + ], + "type": "object" }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], - "type": "object" - }, - "FusionAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents Fusion alert rule template.", - "properties": { + "Operation": { + "description": "Operation provided by provider", "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "Fusion alert rule template properties", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" + "display": { + "description": "Properties of the operation", + "properties": { + "description": { + "description": "Description of the operation", + "type": "string" }, - "type": "array" - } + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true + "name": { + "description": "Name of the operation", + "type": "string" + }, + "origin": { + "description": "The origin of the operation", + "type": "string" + } } }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "ThreatIntelligenceAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents Threat Intelligence alert rule.", - "properties": { + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", "properties": { - "$ref": 
"#/definitions/ThreatIntelligenceAlertRuleProperties", - "description": "Threat Intelligence alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "ThreatIntelligenceAlertRuleProperties": { - "description": "Threat Intelligence alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "readOnly": true, - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string" + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], - "type": "object" - }, - "ThreatIntelligenceAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents Threat Intelligence alert rule template.", - "properties": { + "ProcessEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + 
"description": "Represents a process entity.", "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "Threat Intelligence alert rule template properties", "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" + "$ref": "#/definitions/ProcessEntityProperties", + "description": "Process entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Process" + }, + "ProcessEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Process entity property bag.", + "properties": { + "accountEntityId": { + "description": "The account entity id running the processes.", + "readOnly": true, + "type": "string" + }, + "commandLine": { + "description": "The command line used to create the process", + "readOnly": true, + "type": "string" + }, + "creationTimeUtc": { + "description": "The time when the process started to run", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "elevationToken": { + "description": "The elevation token associated with the process.", + "enum": [ + "Default", + "Full", + "Limited" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "ElevationToken", + "values": [ + { + "description": "Default elevation token", + "value": "Default" + }, + { + "description": "Full elevation token", + "value": "Full" + }, + { + "description": "Limited elevation token", + "value": "Limited" + } + ] } }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": 
"ThreatIntelligence" - }, - "GeoLocation": { - "description": "The geo-location context attached to the ip entity", - "properties": { - "asn": { - "description": "Autonomous System Number", - "readOnly": true, - "type": "integer" - }, - "city": { - "description": "City name", - "readOnly": true, - "type": "string" - }, - "countryCode": { - "description": "The country code according to ISO 3166 format", - "readOnly": true, - "type": "string" - }, - "countryName": { - "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", - "readOnly": true, - "type": "string" - }, - "latitude": { - "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "longitude": { - "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. 
Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "state": { - "description": "State name", - "readOnly": true, - "type": "string" - } + "hostEntityId": { + "description": "The host entity id on which the process was running", + "readOnly": true, + "type": "string" + }, + "hostLogonSessionEntityId": { + "description": "The session entity id in which the process was running", + "readOnly": true, + "type": "string" + }, + "imageFileEntityId": { + "description": "Image file entity id", + "readOnly": true, + "type": "string" + }, + "parentProcessEntityId": { + "description": "The parent process entity id.", + "readOnly": true, + "type": "string" + }, + "processId": { + "description": "The process ID", + "readOnly": true, + "type": "string" + } + }, + "type": "object" }, - "readOnly": true, - "type": "object" - }, - "HostEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a host entity.", - "properties": { + "RegistryKeyEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry key entity.", "properties": { - "$ref": "#/definitions/HostEntityProperties", - "description": "Host entity properties", - "x-ms-client-flatten": true - } + "properties": { + "$ref": "#/definitions/RegistryKeyEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "RegistryKey" }, - "type": "object", - "x-ms-discriminator-value": "Host" - }, - "HostEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Host entity property bag.", - "properties": { - "azureID": { - "description": "The azure resource id of the VM.", - "readOnly": true, - "type": "string" - }, - "dnsDomain": { - "description": "The DNS domain that this host belongs to. 
Should contain the compete DNS suffix for the domain", - "readOnly": true, - "type": "string" - }, - "hostName": { - "description": "The hostname without the domain suffix.", - "readOnly": true, - "type": "string" - }, - "isDomainJoined": { - "description": "Determines whether this host belongs to a domain.", - "readOnly": true, - "type": "boolean" - }, - "netBiosName": { - "description": "The host name (pre-windows2000).", - "readOnly": true, - "type": "string" - }, - "ntDomain": { - "description": "The NT domain that this host belongs to.", - "readOnly": true, - "type": "string" - }, - "omsAgentID": { - "description": "The OMS agent id, if the host has OMS agent installed.", - "readOnly": true, - "type": "string" - }, - "osFamily": { - "description": "The operating system type.", - "enum": [ - "Linux", - "Windows", - "Android", - "IOS", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "OSFamily", - "values": [ - { - "description": "Host with Linux operating system.", - "value": "Linux" - }, - { - "description": "Host with Windows operating system.", - "value": "Windows" - }, - { - "description": "Host with Android operating system.", - "value": "Android" - }, - { - "description": "Host with IOS operating system.", - "value": "IOS" - }, - { - "description": "Host with Unknown operating system.", - "value": "Unknown" - } - ] + "RegistryKeyEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryKey entity property bag.", + "properties": { + "hive": { + "description": "the hive that holds the registry key.", + "enum": [ + "HKEY_LOCAL_MACHINE", + "HKEY_CLASSES_ROOT", + "HKEY_CURRENT_CONFIG", + "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "HKEY_PERFORMANCE_DATA", + "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", + "HKEY_A", + "HKEY_CURRENT_USER" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": 
"RegistryHive", + "values": [ + { + "description": "HKEY_LOCAL_MACHINE", + "value": "HKEY_LOCAL_MACHINE" + }, + { + "description": "HKEY_CLASSES_ROOT", + "value": "HKEY_CLASSES_ROOT" + }, + { + "description": "HKEY_CURRENT_CONFIG", + "value": "HKEY_CURRENT_CONFIG" + }, + { + "description": "HKEY_USERS", + "value": "HKEY_USERS" + }, + { + "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" + }, + { + "description": "HKEY_PERFORMANCE_DATA", + "value": "HKEY_PERFORMANCE_DATA" + }, + { + "description": "HKEY_PERFORMANCE_NLSTEXT", + "value": "HKEY_PERFORMANCE_NLSTEXT" + }, + { + "description": "HKEY_PERFORMANCE_TEXT", + "value": "HKEY_PERFORMANCE_TEXT" + }, + { + "description": "HKEY_A", + "value": "HKEY_A" + }, + { + "description": "HKEY_CURRENT_USER", + "value": "HKEY_CURRENT_USER" + } + ] + } + }, + "key": { + "description": "The registry key path.", + "readOnly": true, + "type": "string" } }, - "osVersion": { - "description": "A free text representation of the operating system. 
This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "Incident": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentProperties", - "description": "Incident properties", - "x-ms-client-flatten": true - } + "type": "object" }, - "type": "object" - }, - "HuntingBookmark": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a Hunting bookmark entity.", - "properties": { + "RegistryValueEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry value entity.", "properties": { - "$ref": "#/definitions/HuntingBookmarkProperties", - "description": "HuntingBookmark entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Bookmark" - }, - "HuntingBookmarkProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Describes bookmark properties", - "properties": { - "created": { - "description": "The time the bookmark was created", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" - }, - "eventTime": { - "description": "The time of the event", - "format": "date-time", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" - }, 
- "query": { - "description": "The query of the bookmark.", - "type": "string" - }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" - }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" - }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" - } - }, - "required": [ - "displayName", - "query" - ], - "type": "object" - }, - "IncidentAdditionalData": { - "description": "Incident additional data property bag.", - "properties": { - "alertsCount": { - "description": "The number of alerts in the incident", - "readOnly": true, - "type": "integer" - }, - "bookmarksCount": { - "description": "The number of bookmarks in the incident", - "readOnly": true, - "type": "integer" - }, - "commentsCount": { - "description": "The number of comments in the incident", - "readOnly": true, - "type": "integer" - }, - "alertProductNames": { - "description": "List of product names of alerts in the incident", - "items": { - "description": "Alert product name", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "tactics": { - "description": "The tactics associated with incident", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "IncidentAlertList": { - "description": "List of incident alerts.", - "properties": { - "value": { - "description": "Array of incident alerts.", - "type": "array", - "items": { - "$ref": "#/definitions/SecurityAlert" + "properties": { + "$ref": "#/definitions/RegistryValueEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true } - } + }, + "type": "object", + "x-ms-discriminator-value": 
"RegistryValue" }, - "required": [ - "value" - ] - }, - "IncidentBookmarkList": { - "description": "List of incident bookmarks.", - "properties": { - "value": { - "description": "Array of incident bookmarks.", - "type": "array", - "items": { - "$ref": "#/definitions/HuntingBookmark" + "RegistryValueEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" } - } - }, - "required": [ - "value" - ] - }, - "IncidentComment": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident comment", - "properties": { + ], + "description": "RegistryValue entity property bag.", "properties": { - "$ref": "#/definitions/IncidentCommentProperties", - "description": "Incident comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "IncidentCommentList": { - "description": "List of incident comments.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/IncidentComment" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "IncidentCommentProperties": { - "description": "Incident comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "lastModifiedTimeUtc": { - "description": "The time the comment was updated", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "The comment message", - "type": "string" - }, - "author": { - "$ref": "#/definitions/ClientInfo", - "description": "Describes the client that created the comment", - "readOnly": true, - "type": "object" - } - }, - "required": [ - "message" - ], - "type": "object" - }, - "IncidentEntitiesResponse": { - "description": "The 
incident related entities response.",
- "properties": {
- "entities": {
- "description": "Array of the incident related entities.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/Entity"
+ "keyEntityId": {
+ "description": "The registry key entity id.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "valueData": {
+ "description": "String formatted representation of the value data.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "valueName": {
+ "description": "The registry value name.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "valueType": {
+ "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.",
+ "enum": [
+ "None",
+ "Unknown",
+ "String",
+ "ExpandString",
+ "Binary",
+ "DWord",
+ "MultiString",
+ "QWord"
+ ],
+ "readOnly": true,
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "RegistryValueKind",
+ "values": [
+ {
+ "description": "None",
+ "value": "None"
+ },
+ {
+ "description": "Unknown value type",
+ "value": "Unknown"
+ },
+ {
+ "description": "String value type",
+ "value": "String"
+ },
+ {
+ "description": "ExpandString value type",
+ "value": "ExpandString"
+ },
+ {
+ "description": "Binary value type",
+ "value": "Binary"
+ },
+ {
+ "description": "DWord value type",
+ "value": "DWord"
+ },
+ {
+ "description": "MultiString value type",
+ "value": "MultiString"
+ },
+ {
+ "description": "QWord value type",
+ "value": "QWord"
+ }
+ ]
+ }
 }
 },
- "metaData": {
- "description": "The metadata from the incident related entities results.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/IncidentEntitiesResultsMetadata"
- }
- }
- }
- },
- "IncidentEntitiesResultsMetadata": {
- "description": "Information of a specific aggregation in the incident related entities result.",
- "properties": {
- "count": {
- "description": "Total number of aggregations of the given kind in the incident related entities result.",
- "type": 
"integer", - "format": "int32" - }, - "entityKind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the aggregated entity." - } + "type": "object" }, - "required": [ - "entityKind", - "count" - ], - "type": "object" - }, - "IncidentLabel": { - "description": "Represents an incident label", - "properties": { - "labelName": { - "description": "The name of the label", - "type": "string" - }, - "labelType": { - "description": "The type of the label", - "enum": [ - "User", - "System" - ], - "type": "string", - "readOnly": true, - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentLabelType", - "values": [ - { - "description": "Label manually created by a user", - "value": "User" - }, - { - "description": "Label automatically created by the system", - "value": "System" - } - ] + "RelationList": { + "description": "List of relations.", + "properties": { + "nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" + }, + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/Relation" + } } - } - }, - "required": [ - "labelName" - ], - "type": "object" - }, - "IncidentList": { - "description": "List all the incidents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of incidents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of incidents.", - "items": { - "$ref": "#/definitions/Incident" - }, - "type": "array" - } + }, + "required": [ + "value" + ] }, - "required": [ - "value" - ] - }, - "IncidentOwnerInfo": { - "description": "Information on the user an incident is assigned to", - "properties": { - "email": { - "description": "The email of the user the incident is assigned to.", - "type": "string" - }, - "assignedTo": { - "description": "The name of the user the incident is assigned to.", - "type": "string" - }, - "objectId": { - "description": "The object id of the 
user the incident is assigned to.", - "format": "uuid", - "type": "string" - }, - "userPrincipalName": { - "description": "The user principal name of the user the incident is assigned to.", - "type": "string" + "Relation": { + "type": "object", + "description": "Represents a relation between two resources", + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/RelationProperties", + "description": "Relation properties", + "x-ms-client-flatten": true + } } }, - "type": "object" - }, - "IncidentClassification": { - "description": "The reason the incident was closed", - "enum": [ - "Undetermined", - "TruePositive", - "BenignPositive", - "FalsePositive" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassification", - "values": [ - { - "description": "Incident classification was undetermined", - "value": "Undetermined" + "RelationProperties": { + "description": "Relation property bag.", + "properties": { + "relatedResourceId": { + "description": "The resource ID of the related resource", + "type": "string" }, - { - "description": "Incident was true positive", - "value": "TruePositive" + "relatedResourceName": { + "description": "The name of the related resource", + "readOnly": true, + "type": "string" }, - { - "description": "Incident was benign positive", - "value": "BenignPositive" + "relatedResourceType": { + "description": "The resource type of the related resource", + "readOnly": true, + "type": "string" }, - { - "description": "Incident was false positive", - "value": "FalsePositive" + "relatedResourceKind": { + "description": "The resource kind of the related resource", + "readOnly": true, + "type": "string" } - ] - } - }, - "IncidentClassificationReason": { - "description": "The classification reason the incident was closed with", - "enum": [ - "SuspiciousActivity", - "SuspiciousButExpected", - "IncorrectAlertLogic", - 
"InaccurateData" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentClassificationReason", - "values": [ - { - "description": "Classification reason was suspicious activity", - "value": "SuspiciousActivity" - }, - { - "description": "Classification reason was suspicious but expected", - "value": "SuspiciousButExpected" + }, + "required": [ + "relatedResourceId" + ], + "type": "object" + }, + "Resource": { + "description": "An azure resource object", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" }, - { - "description": "Classification reason was incorrect alert logic", - "value": "IncorrectAlertLogic" + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" }, - { - "description": "Classification reason was inaccurate data", - "value": "InaccurateData" + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" } - ] - } - }, - "IncidentSeverity": { - "description": "The severity of the incident", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentSeverity", - "values": [ + }, + "x-ms-azure-resource": true + }, + "ScheduledAlertRule": { + "allOf": [ { - "description": "High severity", - "value": "High" + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents scheduled alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Scheduled alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" }, - { - "description": "Medium severity", - "value": 
"Medium" + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" }, - { - "description": "Low severity", - "value": "Low" + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "IncidentStatus": { - "description": "The status of the incident", - "enum": [ - "New", - "Active", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "IncidentStatus", - "values": [ - { - "description": "An active incident which isn't being handled currently", - "value": "New" + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." }, - { - "description": "An active incident which is being handled", - "value": "Active" + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." }, - { - "description": "A non-active incident", - "value": "Closed" + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "type": "integer" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." 
} - ] - } - }, - "IncidentProperties": { - "description": "Describes incident properties", - "properties": { - "additionalData": { - "$ref": "#/definitions/IncidentAdditionalData", - "description": "Additional data on the incident", - "readOnly": true, - "type": "object" - }, - "classification": { - "$ref": "#/definitions/IncidentClassification", - "description": "The reason the incident was closed" - }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "$ref": "#/definitions/IncidentClassificationReason", - "description": "The classification reason the incident was closed with" - }, - "createdTimeUtc": { - "description": "The time the incident was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the incident", - "type": "string" - }, - "firstActivityTimeUtc": { - "description": "The time of the first activity in the incident", - "format": "date-time", - "type": "string" - }, - "incidentUrl": { - "description": "The deep-link url to the incident in Azure portal", - "readOnly": true, - "type": "string" - }, - "incidentNumber": { - "description": "A sequential number", - "readOnly": true, - "type": "integer" - }, - "labels": { - "description": "List of labels relevant to this incident", - "items": { - "$ref": "#/definitions/IncidentLabel" - }, - "type": "array" - }, - "providerName": { - "description": "The name of the source provider that generated the incident", - "type": "string" - }, - "providerIncidentId": { - "description": "The incident ID assigned by the incident provider", - "type": "string" - }, - "lastActivityTimeUtc": { - "description": "The time of the last activity in the incident", - "format": "date-time", - "type": "string" - }, - "lastModifiedTimeUtc": { - "description": "The last time the incident was updated", - "format": "date-time", - "readOnly": true, - "type": 
"string" - }, - "owner": { - "$ref": "#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "relatedAnalyticRuleIds": { - "description": "List of resource ids of Analytic rules related to the incident", - "items": { - "description": "Related Analytic rule resource id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "severity": { - "$ref": "#/definitions/IncidentSeverity", - "description": "The severity of the incident" - }, - "status": { - "$ref": "#/definitions/IncidentStatus", - "description": "The status of the incident" - }, - "title": { - "description": "The title of the incident", - "type": "string" - } - }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "IpEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an ip entity.", - "properties": { - "properties": { - "$ref": "#/definitions/IpEntityProperties", - "description": "Ip entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Ip" - }, - "IpEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Ip entity property bag.", - "properties": { - "address": { - "description": "The IP address as string, e.g. 
127.0.0.1 (either in Ipv4 or Ipv6)", - "readOnly": true, - "type": "string" - }, - "location": { - "$ref": "#/definitions/GeoLocation", - "description": "The geo-location context attached to the ip entity" - }, - "threatIntelligence": { - "description": "A list of TI contexts attached to the ip entity.", - "items": { - "$ref": "#/definitions/ThreatIntelligence" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "Label": { - "description": "Label that will be used to tag and filter on.", - "type": "string" - }, - "MailboxEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a mailbox entity.", - "properties": { - "properties": { - "$ref": "#/definitions/MailboxEntityProperties", - "description": "Mailbox entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Mailbox" - }, - "MailboxEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Mailbox entity property bag.", - "properties": { - "mailboxPrimaryAddress": { - "description": "The mailbox's primary address", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The mailbox's display name", - "readOnly": true, - "type": "string" - }, - "upn": { - "description": "The mailbox's UPN", - "readOnly": true, - "type": "string" - }, - "externalDirectoryObjectId": { - "description": "The AzureAD identifier of mailbox. 
Similar to AadUserId in account entity but this property is specific to mailbox object on office side", - "format": "uuid", - "readOnly": true, - "type": "string" - } + }, + "type": "object" }, - "type": "object" - }, - "MailClusterEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a mail cluster entity.", - "properties": { + "EventGroupingSettings": { + "description": "Event grouping settings property bag.", "properties": { - "$ref": "#/definitions/MailClusterEntityProperties", - "description": "Mail cluster entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MailCluster" - }, - "MailClusterEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Mail cluster entity property bag.", - "properties": { - "networkMessageIds": { - "description": "The mail message IDs that are part of the mail cluster", - "items": { - "description": "A mail message ID", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "countByDeliveryStatus": { - "description": "Count of mail messages by DeliveryStatus string representation", - "readOnly": true, - "type": "object" - }, - "countByThreatType": { - "description": "Count of mail messages by ThreatType string representation", - "readOnly": true, - "type": "object" - }, - "countByProtectionStatus": { - "description": "Count of mail messages by ProtectionStatus string representation", - "readOnly": true, - "type": "object" - }, - "threats": { - "description": "The threats of mail messages that are part of the mail cluster", - "items": { - "description": "A threat", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "query": { - "description": "The query that was used to identify the messages of the mail cluster", - "readOnly": true, - "type": "string" - }, - "queryTime": { - "description": "The query time", - "format": "date-time", - "readOnly": 
true, - "type": "string" - }, - "mailCount": { - "description": "The number of mail messages that are part of the mail cluster", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "isVolumeAnomaly": { - "description": "Is this a volume anomaly mail cluster", - "readOnly": true, - "type": "boolean" - }, - "source": { - "description": "The source of the mail cluster (default is 'O365 ATP')", - "readOnly": true, - "type": "string" - }, - "clusterSourceIdentifier": { - "description": "The id of the cluster source", - "readOnly": true, - "type": "string" - }, - "clusterSourceType": { - "description": "The type of the cluster source", - "readOnly": true, - "type": "string" - }, - "clusterQueryStartTime": { - "description": "The cluster query start time", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "clusterQueryEndTime": { - "description": "The cluster query end time", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "clusterGroup": { - "description": "The cluster group", - "readOnly": true, - "type": "string" - } + "aggregationKind": { + "$ref": "#/definitions/EventGroupingAggregationKind" + } + }, + "type": "object" }, - "type": "object" - }, - "MailMessageEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a mail message entity.", - "properties": { - "properties": { - "$ref": "#/definitions/MailMessageEntityProperties", - "description": "Mail message entity properties", - "x-ms-client-flatten": true + "EventGroupingAggregationKind": { + "description": "The event grouping aggregation kinds", + "enum": [ + "SingleAlert", + "AlertPerResult" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EventGroupingAggregationKind" } }, - "type": "object", - "x-ms-discriminator-value": "MailMessage" - }, - "MailMessageEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Mail message 
entity property bag.", - "properties": { - "fileEntityIds": { - "description": "The File entity ids of this mail message's attachments", - "items": { - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "recipient": { - "description": "The recipient of this mail message. Note that in case of multiple recipients the mail message is forked and each copy has one recipient", - "readOnly": true, - "type": "string" - }, - "urls": { - "description": "The Urls contained in this mail message", - "items": { - "description": "A Url contained in this mail message", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "threats": { - "description": "The threats of this mail message", - "items": { - "description": "A threat of the mail message", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "p1Sender": { - "description": "The p1 sender's email address", - "readOnly": true, - "type": "string" - }, - "p1SenderDisplayName": { - "description": "The p1 sender's display name", - "readOnly": true, - "type": "string" - }, - "p1SenderDomain": { - "description": "The p1 sender's domain", - "readOnly": true, - "type": "string" - }, - "senderIP": { - "description": "The sender's IP address", - "readOnly": true, - "type": "string" - }, - "p2Sender": { - "description": "The p2 sender's email address", - "readOnly": true, - "type": "string" - }, - "p2SenderDisplayName": { - "description": "The p2 sender's display name", - "readOnly": true, - "type": "string" - }, - "p2SenderDomain": { - "description": "The p2 sender's domain", - "readOnly": true, - "type": "string" - }, - "receiveDate": { - "description": "The receive date of this message", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "networkMessageId": { - "description": "The network message id of this mail message", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "internetMessageId": { - "description": "The internet message id of this mail 
message", - "readOnly": true, - "type": "string" - }, - "subject": { - "description": "The subject of this mail message", - "readOnly": true, - "type": "string" - }, - "language": { - "description": "The language of this mail message", - "readOnly": true, - "type": "string" - }, - "threatDetectionMethods": { - "description": "The threat detection methods", - "items": { - "description": "A threat detection method", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "bodyFingerprintBin1": { - "description": "The bodyFingerprintBin1", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin2": { - "description": "The bodyFingerprintBin2", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin3": { - "description": "The bodyFingerprintBin3", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin4": { - "description": "The bodyFingerprintBin4", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin5": { - "description": "The bodyFingerprintBin5", - "type": "integer", - "format": "int32" - }, - "antispamDirection": { - "description": "The directionality of this mail message", - "enum": [ - "Unknown", - "Inbound", - "Outbound", - "Intraorg" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AntispamMailDirection", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "Inbound", - "value": "Inbound" - }, - { - "description": "Outbound", - "value": "Outbound" - }, - { - "description": "Intraorg", - "value": "Intraorg" - } - ] + "ScheduledAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" } - }, - "deliveryAction": { - "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", - "enum": [ - "Unknown", - "DeliveredAsSpam", - "Delivered", - "Blocked", - "Replaced" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "DeliveryAction", 
- "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "DeliveredAsSpam", - "value": "DeliveredAsSpam" - }, - { - "description": "Delivered", - "value": "Delivered" - }, - { - "description": "Blocked", - "value": "Blocked" - }, - { - "description": "Replaced", - "value": "Replaced" - } - ] + ], + "description": "Scheduled alert rule base property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert rule has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "suppressionDuration": { + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", + "format": "duration", + "type": "string" + }, + "suppressionEnabled": { + "description": "Determines whether the suppression for this alert rule is enabled or disabled.", + "type": "boolean" + }, + "tactics": { + "description": "The tactics of the alert rule", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + }, + "incidentConfiguration": { + "$ref": "#/definitions/IncidentConfiguration", + "description": "The settings of the incidents that created from alerts triggered by this analytics rule" } - }, - "deliveryLocation": { - "description": "The delivery location of this mail message like Inbox, JunkFolder etc", - "enum": [ - "Unknown", - "Inbox", - "JunkFolder", - "DeletedFolder", - "Quarantine", - "External", - "Failed", - "Dropped", - "Forwarded" - ], - 
"type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "DeliveryLocation", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "Inbox", - "value": "Inbox" - }, - { - "description": "JunkFolder", - "value": "JunkFolder" - }, - { - "description": "DeletedFolder", - "value": "DeletedFolder" - }, - { - "description": "Quarantine", - "value": "Quarantine" - }, - { - "description": "External", - "value": "External" - }, - { - "description": "Failed", - "value": "Failed" - }, + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object" + }, + "ScheduledAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents scheduled alert rule template.", + "properties": { + "properties": { + "allOf": [ { - "description": "Dropped", - "value": "Dropped" + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" }, { - "description": "Forwarded", - "value": "Forwarded" + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" } - ] + ], + "description": "Scheduled alert rule template properties", + "properties": { + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold" + ], + "x-ms-client-flatten": true } - } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" }, - "type": "object" - }, - "SubmissionMailEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a submission mail entity.", - "properties": { + "IncidentConfiguration": { + 
"description": "Incident Configuration property bag.", "properties": { - "$ref": "#/definitions/SubmissionMailEntityProperties", - "description": "Submission mail entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SubmissionMail" - }, - "SubmissionMailEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Submission mail entity property bag.", - "properties": { - "networkMessageId": { - "description": "The network message id of email to which submission belongs", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submissionId": { - "description": "The submission id", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submitter": { - "description": "The submitter", - "readOnly": true, - "type": "string" - }, - "submissionDate": { - "description": "The submission date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "timestamp": { - "description": "The Time stamp when the message is received (Mail)", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "recipient": { - "description": "The recipient of the mail", - "readOnly": true, - "type": "string" - }, - "sender": { - "description": "The sender of the mail", - "readOnly": true, - "type": "string" - }, - "senderIp": { - "description": "The sender's IP", - "readOnly": true, - "type": "string" - }, - "subject": { - "description": "The subject of submission mail", - "readOnly": true, - "type": "string" - }, - "reportType": { - "description": "The submission type for the given instance. 
This maps to Junk, Phish, Malware or NotJunk.", - "readOnly": true, - "type": "string" - } + "createIncident": { + "description": "Create incidents from alerts triggered by this analytics rule", + "type": "boolean" + }, + "groupingConfiguration": { + "$ref": "#/definitions/GroupingConfiguration", + "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" + } + }, + "type": "object", + "required": [ + "createIncident" + ] }, - "type": "object" - }, - "MCASDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", - "properties": { + "GroupingConfiguration": { + "description": "Grouping configuration property bag.", "properties": { - "$ref": "#/definitions/MCASDataConnectorProperties", - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" - }, - "MCASDataConnectorDataTypes": { - "allOf": [ - { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector" - } - ], - "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", - "properties": { - "discoveryLogs": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "enabled": { + "description": "Grouping enabled", + "type": "boolean" + }, + "reopenClosedIncident": { + "description": "Re-open closed matching incidents", + "type": "boolean" + }, + "lookbackDuration": { + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "entitiesMatchingMethod": { + "description": "Grouping matching method", + "enum": [ + "All", + "None", + "Custom" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntitiesMatchingMethod", + "values": [ + { + 
"description": "Grouping alerts into a single incident if all the entities match", + "value": "All" + }, + { + "description": "Grouping all alerts triggered by this rule into a single incident", + "value": "None" + }, + { + "description": "Grouping alerts into a single incident if the selected entities match", + "value": "Custom" + } + ] } - ], - "description": "Discovery log data type connection.", - "type": "object" - } - }, - "type": "object" - }, - "MCASDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MCASDataConnectorDataTypes", - "description": "The available data types for the connector." - } - }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "MCASCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/MCASCheckRequirementsProperties", - "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", - "x-ms-client-flatten": true - } + }, + "groupByEntities": { + "description": "A list of entity types to group by (when entitiesMatchingMethod is Custom)", + "items": { + "description": "Grouping entity type", + "enum": [ + "Account", + "Host", + "Ip", + "Url", + "FileHash" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "GroupingEntityType", + "values": [ + { + "description": "Account entity", + "value": "Account" + }, + { + "description": "Host entity", + "value": "Host" + }, + { + "description": "Ip entity", + "value": "Ip" + }, + { + "description": "Url entity", + "value": "Url" + }, + { + "description": "FileHash entity", + "value": "FileHash" + } + ] + } + }, + "type": "array" + } + }, + "type": 
"object", + "required": [ + "enabled", + "reopenClosedIncident", + "lookbackDuration", + "entitiesMatchingMethod" + ] }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" - }, - "MCASCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", - "type": "object" - }, - "MDATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", - "properties": { + "SecurityAlert": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security alert entity.", "properties": { - "$ref": "#/definitions/MDATPDataConnectorProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" - }, - "MDATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "properties": { + "$ref": "#/definitions/SecurityAlertProperties", + "description": "SecurityAlert entity properties", + "x-ms-client-flatten": true + } }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "type": "object" - }, - "MDATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/MDATPCheckRequirementsProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": 
true - } + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" - }, - "MDATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", - "type": "object" - }, - "MalwareEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a malware entity.", - "properties": { + "SecurityAlertProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityAlert entity property bag.", "properties": { - "$ref": "#/definitions/MalwareEntityProperties", - "description": "File entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Malware" - }, - "MalwareEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Malware entity property bag.", - "properties": { - "category": { - "description": "The malware category by the vendor, e.g. Trojan", - "readOnly": true, - "type": "string" - }, - "fileEntityIds": { - "description": "List of linked file entity identifiers on which the malware was found", - "items": { - "description": "file entity id", + "alertDisplayName": { + "description": "The display name of the alert.", + "readOnly": true, "type": "string" }, - "readOnly": true, - "type": "array" - }, - "malwareName": { - "description": "The malware name by the vendor, e.g. 
Win32/Toga!rfn", - "readOnly": true, - "type": "string" - }, - "processEntityIds": { - "description": "List of linked process entity identifiers on which the malware was found.", - "items": { - "description": "process entity id", + "alertType": { + "description": "The type name of the alert.", + "readOnly": true, "type": "string" }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents MicrosoftSecurityIncidentCreation rule.", - "properties": { - "properties": { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", - "description": "MicrosoftSecurityIncidentCreation rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" - }, - "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { - "description": "MicrosoftSecurityIncidentCreation rule common property bag.", - "properties": { - "displayNamesFilter": { - "description": "the alerts' displayNames on which the cases will be generated", - "items": { + "compromisedEntity": { + "description": "Display name of the main entity being reported on.", + "readOnly": true, + "type": "string" + }, + "confidenceLevel": { + "description": "The confidence level of this alert.", + "enum": [ + "Unknown", + "Low", + "High" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceLevel", + "values": [ + { + "description": "Unknown confidence, the is the default value", + "value": "Unknown" + }, + { + "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack", + "value": "Low" + }, + { + "description": "High confidence that the alert is true positive malicious", + "value": "High" + } + ] + } + }, + "confidenceReasons": { + "description": "The confidence reasons", + 
"items": { + "description": "confidence reason item", + "properties": { + "reason": { + "description": "The reason's description", + "readOnly": true, + "type": "string" + }, + "reasonType": { + "description": "The type (category) of the reason", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "readOnly": true, + "type": "array" + }, + "confidenceScore": { + "description": "The confidence score of the alert.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "confidenceScoreStatus": { + "description": "The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.", + "enum": [ + "NotApplicable", + "InProcess", + "NotFinal", + "Final" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceScoreStatus", + "values": [ + { + "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", + "value": "NotApplicable" + }, + { + "description": "No score was set yet and calculation is in progress", + "value": "InProcess" + }, + { + "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", + "value": "NotFinal" + }, + { + "description": "Final score was calculated and available", + "value": "Final" + } + ] + } + }, + "description": { + "description": "Alert description.", + "readOnly": true, + "type": "string" + }, + "endTimeUtc": { + "description": "The impact end time of the alert (the time of the last event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "intent": { + "description": "Holds the alert intent stage(s) mapping for this alert.", + "enum": [ + "Unknown", + "Probing", + "Exploitation", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + 
"Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "KillChainIntent", + "values": [ + { + "description": "The default value.", + "value": "Unknown" + }, + { + "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", + "value": "Probing" + }, + { + "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", + "value": "Exploitation" + }, + { + "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", + "value": "Persistence" + }, + { + "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. 
User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", + "value": "PrivilegeEscalation" + }, + { + "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", + "value": "DefenseEvasion" + }, + { + "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", + "value": "CredentialAccess" + }, + { + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", + "value": "Discovery" + }, + { + "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. 
An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", + "value": "LateralMovement" + }, + { + "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", + "value": "Execution" + }, + { + "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Collection" + }, + { + "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Exfiltration" + }, + { + "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", + "value": "CommandAndControl" + }, + { + "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. 
This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", + "value": "Impact" + } + ] + } + }, + "providerAlertId": { + "description": "The identifier of the alert inside the product which generated the alert.", + "readOnly": true, + "type": "string" + }, + "processingEndTime": { + "description": "The time the alert was made available for consumption.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "productComponentName": { + "description": "The name of a component inside the product which generated the alert.", + "readOnly": true, + "type": "string" + }, + "productName": { + "description": "The name of the product which published this alert.", + "readOnly": true, + "type": "string" + }, + "productVersion": { + "description": "The version of the product generating the alert.", + "readOnly": true, + "type": "string" + }, + "remediationSteps": { + "description": "Manual action items to take to remediate the alert.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity of the alert" + }, + "startTimeUtc": { + "description": "The impact start time of the alert (the time of the first event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "status": { + "description": "The lifecycle status of the alert.", + "enum": [ + "Unknown", + "New", + "Resolved", + "Dismissed", + "InProgress" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertStatus", + "values": [ + { + "description": "Unknown value", + "value": "Unknown" + }, + { + "description": "New alert", + "value": "New" + }, + { + "description": "Alert closed after handling", + "value": "Resolved" + }, + { + "description": "Alert dismissed as false positive", + "value": "Dismissed" + }, + { + "description": "Alert is being handled", + 
"value": "InProgress" + } + ] + } + }, + "systemAlertId": { + "description": "Holds the product identifier of the alert for the product.", + "readOnly": true, + "type": "string" + }, + "tactics": { + "description": "The tactics of the alert", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + }, + "timeGenerated": { + "description": "The time the alert was generated.", + "format": "date-time", + "readOnly": true, "type": "string" }, - "type": "array" - }, - "displayNamesExcludeFilter": { - "description": "the alerts' displayNames on which the cases will not be generated", - "items": { + "vendorName": { + "description": "The name of the vendor that raise the alert.", + "readOnly": true, "type": "string" }, - "type": "array" - }, - "productFilter": { - "description": "The alerts' productName on which the cases will be generated", - "enum": [ - "Microsoft Cloud App Security", - "Azure Security Center", - "Azure Advanced Threat Protection", - "Azure Active Directory Identity Protection", - "Azure Security Center for IoT", - "Office 365 Advanced Threat Protection", - "Microsoft Defender Advanced Threat Protection" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "MicrosoftSecurityProductName" + "alertLink": { + "description": "The uri link of the alert.", + "readOnly": true, + "type": "string" + }, + "resourceIdentifiers": { + "description": "The list of resource identifiers of the alert.", + "items": { + "type": "object" + }, + "readOnly": true, + "type": "array" } }, - "severitiesFilter": { - "description": "the alerts' severities on which the cases will be generated", - "items": { - "$ref": "#/definitions/AlertSeverity" - }, - "type": "array" - } - }, - "required": [ - "productFilter" - ], - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRuleProperties": { - "allOf": [ - { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" - } - ], - 
"description": "MicrosoftSecurityIncidentCreation rule property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - } + "type": "object" }, - "required": [ - "displayName", - "enabled", - "productFilter" - ], - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents MicrosoftSecurityIncidentCreation rule template.", - "properties": { + "SecurityGroupEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security group entity.", "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - }, - { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" - } - ], - "description": "MicrosoftSecurityIncidentCreation rule template properties", - "required": [ - "displayName", - "description", - "createdDateUTC", - "status", - "alertRulesCreatedByTemplateCount", - "productFilter" - ], - "x-ms-client-flatten": true - } + "properties": { + "$ref": "#/definitions/SecurityGroupEntityProperties", + "description": "SecurityGroup entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SecurityGroup" }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" - }, - 
"OfficeATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", - "properties": { + "SecurityGroupEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityGroup entity property bag.", "properties": { - "$ref": "#/definitions/OfficeATPDataConnectorProperties", - "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "OfficeATP" - }, - "OfficeATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "distinguishedName": { + "description": "The group distinguished name", + "readOnly": true, + "type": "string" + }, + "objectGuid": { + "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "sid": { + "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", + "readOnly": true, + "type": "string" + } }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", - "type": "object" - }, - "OfficeATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/OfficeATPCheckRequirementsProperties", - "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": true - } + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": 
"OfficeATP" - }, - "OfficeATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", - "type": "object" - }, - "OfficeConsent": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - } - ], - "description": "Consent for Office365 tenant that already made.", - "properties": { + "SettingList": { + "description": "List of all the settings.", "properties": { - "$ref": "#/definitions/OfficeConsentProperties", - "description": "Office consent properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "OfficeConsentList": { - "description": "List of all the office365 consents.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of office consents.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of the consents.", - "items": { - "$ref": "#/definitions/OfficeConsent" - }, - "type": "array" - } + "value": { + "description": "Array of settings.", + "items": { + "$ref": "#/definitions/Settings" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "required": [ - "value" - ] - }, - "OfficeConsentProperties": { - "description": "Consent property bag.", - "properties": { - "tenantId": { - "description": "The tenantId of the Office365 with the consent.", - "type": "string" - }, - "consentId": { - "description": "Help to easily cascade among the data layers.", - "type": "string" - } + "Settings": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/SettingsKind" + } + ], + "description": "The Setting.", + "discriminator": "kind", + "type": "object" }, - "type": "object" - }, - "OfficeDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents office data 
connector.", - "properties": { + "SettingsKind": { + "description": "Describes an Azure resource with kind.", "properties": { - "$ref": "#/definitions/OfficeDataConnectorProperties", - "description": "Office data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Office365" - }, - "OfficeDataConnectorDataTypes": { - "description": "The available data types for office data connector.", - "properties": { - "exchange": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Exchange data type connection.", - "type": "object" - }, - "sharePoint": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "kind": { + "description": "The kind of the setting", + "enum": [ + "EyesOn", + "EntityAnalytics", + "Ueba" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" } - ], - "description": "SharePoint data type connection.", - "type": "object" + } }, - "teams": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Teams data type connection.", - "type": "object" - } - }, - "type": "object", - "required": [ - "exchange", - "sharePoint", - "teams" - ] - }, - "OfficeDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Office data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/OfficeDataConnectorDataTypes", - "description": "The available data types for the connector." 
- } + "required": [ + "kind" + ], + "type": "object" }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "Operation": { - "description": "Operation provided by provider", - "properties": { - "display": { - "description": "Properties of the operation", + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull threat intelligence data from TIP products.", + "properties": { "properties": { - "description": { - "description": "Description of the operation", - "type": "string" - }, - "operation": { - "description": "Operation name", - "type": "string" - }, - "provider": { - "description": "Provider name", - "type": "string" - }, - "resource": { - "description": "Resource name", - "type": "string" - } - }, - "type": "object" - }, - "name": { - "description": "Name of the operation", - "type": "string" + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "Threat Intelligence Platforms data connector properties.", + "x-ms-client-flatten": true + } }, - "origin": { - "description": "The origin of the operation", - "type": "string" - } - } - }, - "OperationsList": { - "description": "Lists the operations available in the SecurityInsights RP.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of operations.", - "type": "string" - }, - "value": { - "description": "Array of operations", - "items": { - "$ref": "#/definitions/Operation" - }, - "type": "array" - } + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" }, - "required": [ - "value" - ] - }, - "ProcessEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a process entity.", - "properties": { + "TIDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence Platforms data connector.", "properties": { - "$ref": "#/definitions/ProcessEntityProperties", - "description": "Process entity properties", - 
"x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Process" - }, - "ProcessEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Process entity property bag.", - "properties": { - "accountEntityId": { - "description": "The account entity id running the processes.", - "readOnly": true, - "type": "string" - }, - "commandLine": { - "description": "The command line used to create the process", - "readOnly": true, - "type": "string" - }, - "creationTimeUtc": { - "description": "The time when the process started to run", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "elevationToken": { - "description": "The elevation token associated with the process.", - "enum": [ - "Default", - "Full", - "Limited" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "ElevationToken", - "values": [ - { - "description": "Default elevation token", - "value": "Default" - }, - { - "description": "Full elevation token", - "value": "Full" - }, + "indicators": { + "allOf": [ { - "description": "Limited elevation token", - "value": "Limited" + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - ] + ], + "description": "Data type for Threat Intelligence Platforms data connector.", + "type": "object" } }, - "hostEntityId": { - "description": "The host entity id on which the process was running", - "readOnly": true, - "type": "string" - }, - "hostLogonSessionEntityId": { - "description": "The session entity id in which the process was running", - "readOnly": true, - "type": "string" - }, - "imageFileEntityId": { - "description": "Image file entity id", - "readOnly": true, - "type": "string" - }, - "parentProcessEntityId": { - "description": "The parent process entity id.", - "readOnly": true, - "type": "string" - }, - "processId": { - "description": "The process ID", - "readOnly": true, - "type": "string" - } + "type": "object", + "required": [ + 
"indicators" + ] }, - "type": "object" - }, - "RegistryKeyEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a registry key entity.", - "properties": { + "TIDataConnectorProperties": { + "description": "TI (Threat Intelligence) data connector properties.", "properties": { - "$ref": "#/definitions/RegistryKeyEntityProperties", - "description": "RegistryKey entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "RegistryKey" - }, - "RegistryKeyEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "RegistryKey entity property bag.", - "properties": { - "hive": { - "description": "the hive that holds the registry key.", - "enum": [ - "HKEY_LOCAL_MACHINE", - "HKEY_CLASSES_ROOT", - "HKEY_CURRENT_CONFIG", - "HKEY_USERS", - "HKEY_CURRENT_USER_LOCAL_SETTINGS", - "HKEY_PERFORMANCE_DATA", - "HKEY_PERFORMANCE_NLSTEXT", - "HKEY_PERFORMANCE_TEXT", - "HKEY_A", - "HKEY_CURRENT_USER" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "RegistryHive", - "values": [ - { - "description": "HKEY_LOCAL_MACHINE", - "value": "HKEY_LOCAL_MACHINE" - }, - { - "description": "HKEY_CLASSES_ROOT", - "value": "HKEY_CLASSES_ROOT" - }, - { - "description": "HKEY_CURRENT_CONFIG", - "value": "HKEY_CURRENT_CONFIG" - }, - { - "description": "HKEY_USERS", - "value": "HKEY_USERS" - }, - { - "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", - "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" - }, - { - "description": "HKEY_PERFORMANCE_DATA", - "value": "HKEY_PERFORMANCE_DATA" - }, - { - "description": "HKEY_PERFORMANCE_NLSTEXT", - "value": "HKEY_PERFORMANCE_NLSTEXT" - }, - { - "description": "HKEY_PERFORMANCE_TEXT", - "value": "HKEY_PERFORMANCE_TEXT" - }, - { - "description": "HKEY_A", - "value": "HKEY_A" - }, - { - "description": "HKEY_CURRENT_USER", - "value": "HKEY_CURRENT_USER" - } - ] + "tenantId": { + 
"description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." } }, - "key": { - "description": "The registry key path.", - "readOnly": true, - "type": "string" - } + "type": "object", + "required": [ + "tenantId", + "dataTypes" + ] }, - "type": "object" - }, - "RegistryValueEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a registry value entity.", - "properties": { + "TICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence Platforms data connector check requirements", "properties": { - "$ref": "#/definitions/RegistryValueEntityProperties", - "description": "RegistryKey entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "RegistryValue" - }, - "RegistryValueEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "RegistryValue entity property bag.", - "properties": { - "keyEntityId": { - "description": "The registry key entity id.", - "readOnly": true, - "type": "string" - }, - "valueData": { - "description": "String formatted representation of the value data.", - "readOnly": true, - "type": "string" - }, - "valueName": { - "description": "The registry value name.", - "readOnly": true, - "type": "string" - }, - "valueType": { - "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.", - "enum": [ - "None", - "Unknown", - "String", - "ExpandString", - "Binary", - "DWord", - "MultiString", - "QWord" - ], - 
"readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "RegistryValueKind", - "values": [ - { - "description": "None", - "value": "None" - }, - { - "description": "Unknown value type", - "value": "Unknown" - }, - { - "description": "String value type", - "value": "String" - }, - { - "description": "ExpandString value type", - "value": "ExpandString" - }, - { - "description": "Binary value type", - "value": "Binary" - }, - { - "description": "DWord value type", - "value": "DWord" - }, - { - "description": "MultiString value type", - "value": "MultiString" - }, - { - "description": "QWord value type", - "value": "QWord" - } - ] + "properties": { + "$ref": "#/definitions/TICheckRequirementsProperties", + "description": "Threat Intelligence Platforms data connector check required properties", + "x-ms-client-flatten": true } - } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" }, - "type": "object" - }, - "RelationList": { - "description": "List of relations.", - "properties": { - "nextLink": { - "readOnly": true, - "description": "URL to fetch the next set of relations.", - "type": "string" - }, - "value": { - "description": "Array of relations.", - "type": "array", - "items": { - "$ref": "#/definitions/Relation" + "TICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" } - } - }, - "required": [ - "value" - ] - }, - "Relation": { - "type": "object", - "description": "Represents a relation between two resources", - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "properties": { - "properties": { - "$ref": "#/definitions/RelationProperties", - "description": "Relation properties", - "x-ms-client-flatten": true - } - } - }, - "RelationProperties": { - "description": "Relation property bag.", - "properties": { - "relatedResourceId": { - "description": "The resource ID of the related resource", - "type": "string" - }, 
- "relatedResourceName": { - "description": "The name of the related resource", - "readOnly": true, - "type": "string" - }, - "relatedResourceType": { - "description": "The resource type of the related resource", - "readOnly": true, - "type": "string" - }, - "relatedResourceKind": { - "description": "The resource kind of the related resource", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "relatedResourceId" - ], - "type": "object" - }, - "Resource": { - "description": "An azure resource object", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" - }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - } - }, - "x-ms-azure-resource": true - }, - "ScheduledAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents scheduled alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ScheduledAlertRuleProperties", - "description": "Scheduled alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Scheduled" - }, - "ScheduledAlertRuleCommonProperties": { - "description": "Scheduled alert rule template property bag.", - "properties": { - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" - }, - "queryFrequency": { - "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", - "format": "duration", - "type": "string" - }, - "queryPeriod": { - "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", - "format": "duration", - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." 
- }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." - }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "type": "integer" - }, - "eventGroupingSettings": { - "$ref": "#/definitions/EventGroupingSettings", - "description": "The event grouping settings." - } - }, - "type": "object" - }, - "EventGroupingSettings": { - "description": "Event grouping settings property bag.", - "properties": { - "aggregationKind": { - "$ref": "#/definitions/EventGroupingAggregationKind" - } - }, - "type": "object" - }, - "EventGroupingAggregationKind": { - "description": "The event grouping aggregation kinds", - "enum": [ - "SingleAlert", - "AlertPerResult" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EventGroupingAggregationKind" - } - }, - "ScheduledAlertRuleProperties": { - "allOf": [ - { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - ], - "description": "Scheduled alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert rule has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "suppressionDuration": { - "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.", - "format": "duration", - "type": "string" - }, - "suppressionEnabled": { - "description": "Determines 
whether the suppression for this alert rule is enabled or disabled.", - "type": "boolean" - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - }, - "incidentConfiguration": { - "$ref": "#/definitions/IncidentConfiguration", - "description": "The settings of the incidents that created from alerts triggered by this analytics rule" - } + ], + "description": "Threat Intelligence Platforms data connector required properties.", + "properties": {}, + "type": "object" }, - "required": [ - "displayName", - "enabled", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold", - "suppressionEnabled", - "suppressionDuration" - ], - "type": "object" - }, - "ScheduledAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents scheduled alert rule template.", - "properties": { + "TiTaxiiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server", "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - }, - { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - ], - "description": "Scheduled alert rule template properties", - "properties": { - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "alertRulesCreatedByTemplateCount", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Scheduled" - }, - "IncidentConfiguration": { - "description": "Incident Configuration property bag.", - "properties": { - 
"createIncident": { - "description": "Create incidents from alerts triggered by this analytics rule", - "type": "boolean" - }, - "groupingConfiguration": { - "$ref": "#/definitions/GroupingConfiguration", - "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" - } + "properties": { + "$ref": "#/definitions/TiTaxiiDataConnectorProperties", + "description": "Threat intelligence TAXII data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" }, - "type": "object", - "required": [ - "createIncident" - ] - }, - "GroupingConfiguration": { - "description": "Grouping configuration property bag.", - "properties": { - "enabled": { - "description": "Grouping enabled", - "type": "boolean" - }, - "reopenClosedIncident": { - "description": "Re-open closed matching incidents", - "type": "boolean" - }, - "lookbackDuration": { - "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", - "format": "duration", - "type": "string" - }, - "entitiesMatchingMethod": { - "description": "Grouping matching method", - "enum": [ - "All", - "None", - "Custom" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntitiesMatchingMethod", - "values": [ - { - "description": "Grouping alerts into a single incident if all the entities match", - "value": "All" - }, - { - "description": "Grouping all alerts triggered by this rule into a single incident", - "value": "None" - }, + "TiTaxiiDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence TAXII data connector.", + "properties": { + "taxiiClient": { + "allOf": [ { - "description": "Grouping alerts into a single incident if the selected entities match", - "value": "Custom" + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - ] + ], + "description": "Data type for TAXII connector.", + "type": 
"object" } }, - "groupByEntities": { - "description": "A list of entity types to group by (when entitiesMatchingMethod is Custom)", - "items": { - "description": "Grouping entity type", + "type": "object", + "required": [ + "taxiiClient" + ] + }, + "TiTaxiiDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector properties.", + "properties": { + "workspaceId": { + "description": "The workspace id.", + "type": "string" + }, + "friendlyName": { + "description": "The friendly name for the TAXII server.", + "type": "string" + }, + "taxiiServer": { + "description": "The API root for the TAXII server.", + "type": "string" + }, + "collectionId": { + "description": "The collection id of the TAXII server.", + "type": "string" + }, + "userName": { + "description": "The userName for the TAXII server.", + "type": "string" + }, + "password": { + "description": "The password for the TAXII server.", + "type": "string" + }, + "taxiiLookbackPeriod": { + "description": "The lookback period for the TAXII server.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "pollingFrequency": { + "description": "The polling frequency for the TAXII server.", + "type": "string", + "x-nullable": true, "enum": [ - "Account", - "Host", - "Ip", - "Url", - "FileHash" + "OnceAMinute", + "OnceAnHour", + "OnceADay" ], - "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "GroupingEntityType", + "name": "PollingFrequency", "values": [ { - "description": "Account entity", - "value": "Account" - }, - { - "description": "Host entity", - "value": "Host" - }, - { - "description": "Ip entity", - "value": "Ip" + "description": "Once a minute", + "value": "OnceAMinute" }, { - "description": "Url entity", - "value": "Url" + "description": "Once an hour", + "value": "OnceAnHour" }, { - "description": "FileHash entity", - "value": "FileHash" + "description": "Once a day", + 
"value": "OnceADay" } ] } }, - "type": "array" - } + "dataTypes": { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", + "description": "The available data types for Threat Intelligence TAXII data connector." + } + }, + "required": [ + "dataTypes", + "pollingFrequency" + ], + "type": "object" }, - "type": "object", - "required": [ - "enabled", - "reopenClosedIncident", - "lookbackDuration", - "entitiesMatchingMethod" - ] - }, - "SecurityAlert": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a security alert entity.", - "properties": { + "TiTaxiiCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence TAXII data connector check requirements", "properties": { - "$ref": "#/definitions/SecurityAlertProperties", - "description": "SecurityAlert entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SecurityAlert" - }, - "SecurityAlertProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "SecurityAlert entity property bag.", - "properties": { - "alertDisplayName": { - "description": "The display name of the alert.", - "readOnly": true, - "type": "string" - }, - "alertType": { - "description": "The type name of the alert.", - "readOnly": true, - "type": "string" - }, - "compromisedEntity": { - "description": "Display name of the main entity being reported on.", - "readOnly": true, - "type": "string" - }, - "confidenceLevel": { - "description": "The confidence level of this alert.", - "enum": [ - "Unknown", - "Low", - "High" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ConfidenceLevel", - "values": [ - { - "description": "Unknown confidence, the is the default value", - "value": "Unknown" - }, - { - "description": "Low confidence, meaning we have some doubts this is indeed malicious 
or part of an attack", - "value": "Low" - }, - { - "description": "High confidence that the alert is true positive malicious", - "value": "High" - } - ] + "properties": { + "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", + "description": "Threat Intelligence TAXII check required properties.", + "x-ms-client-flatten": true } }, - "confidenceReasons": { - "description": "The confidence reasons", - "items": { - "description": "confidence reason item", - "properties": { - "reason": { - "description": "The reason's description", - "readOnly": true, - "type": "string" - }, - "reasonType": { - "description": "The type (category) of the reason", - "readOnly": true, - "type": "string" - } - }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector required properties.", + "type": "object" + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" }, - "readOnly": true, - "type": "array" - }, - "confidenceScore": { - "description": "The confidence score of the alert.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "confidenceScoreStatus": { - "description": "The confidence score calculation status, i.e. 
indicating if score calculation is pending for this alert, not applicable or final.", - "enum": [ - "NotApplicable", - "InProcess", - "NotFinal", - "Final" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ConfidenceScoreStatus", - "values": [ - { - "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", - "value": "NotApplicable" - }, - { - "description": "No score was set yet and calculation is in progress", - "value": "InProcess" - }, - { - "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", - "value": "NotFinal" - }, - { - "description": "Final score was calculated and available", - "value": "Final" - } - ] + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. 
\"Botnet\")", + "readOnly": true, + "type": "string" } }, - "description": { - "description": "Alert description.", - "readOnly": true, - "type": "string" - }, - "endTimeUtc": { - "description": "The impact end time of the alert (the time of the last event contributing to the alert).", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "intent": { - "description": "Holds the alert intent stage(s) mapping for this alert.", - "enum": [ - "Unknown", - "Probing", - "Exploitation", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Execution", - "Collection", - "Exfiltration", - "CommandAndControl", - "Impact" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "KillChainIntent", - "values": [ - { - "description": "The default value.", - "value": "Unknown" - }, - { - "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.", - "value": "Probing" - }, - { - "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.", - "value": "Exploitation" - }, - { - "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. 
Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.", - "value": "Persistence" - }, - { - "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.", - "value": "PrivilegeEscalation" - }, - { - "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ", - "value": "DefenseEvasion" - }, - { - "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.", - "value": "CredentialAccess" - }, - { - "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. 
When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.", - "value": "Discovery" - }, - { - "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.", - "value": "LateralMovement" - }, - { - "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.", - "value": "Execution" - }, - { - "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "value": "Collection" - }, - { - "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "value": "Exfiltration" - }, - { - "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", - "value": "CommandAndControl" - }, - { - "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", - "value": "Impact" - } - ] + "type": "object" + }, + "IPSyncer": { + "allOf": [ + { + "$ref": "#/definitions/Settings" } - }, - "providerAlertId": { - "description": "The identifier of the alert inside the product which generated the alert.", - "readOnly": true, - "type": "string" - }, - "processingEndTime": { - "description": "The time the alert was made available for consumption.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "productComponentName": { - "description": "The name of a component inside the product which generated the alert.", - "readOnly": true, - "type": "string" - }, - "productName": { - "description": "The name of the product which published this alert.", - "readOnly": true, - "type": "string" - }, - "productVersion": { - "description": "The version of the product generating the alert.", - "readOnly": true, - "type": "string" - }, - "remediationSteps": { - "description": "Manual action items to take to remediate the alert.", - "items": { - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity of the alert" - }, - "startTimeUtc": { - "description": "The impact start time of the alert (the time of the first event contributing to the alert).", - "format": "date-time", - 
"readOnly": true, - "type": "string" - }, - "status": { - "description": "The lifecycle status of the alert.", - "enum": [ - "Unknown", - "New", - "Resolved", - "Dismissed", - "InProgress" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertStatus", - "values": [ - { - "description": "Unknown value", - "value": "Unknown" - }, - { - "description": "New alert", - "value": "New" - }, - { - "description": "Alert closed after handling", - "value": "Resolved" - }, - { - "description": "Alert dismissed as false positive", - "value": "Dismissed" - }, - { - "description": "Alert is being handled", - "value": "InProgress" - } - ] + ], + "description": "Settings with single toggle.", + "properties": { + "properties": { + "$ref": "#/definitions/IPSyncerSettingsProperties", + "description": "IPSyncer properties", + "x-ms-client-flatten": true } }, - "systemAlertId": { - "description": "Holds the product identifier of the alert for the product.", - "readOnly": true, - "type": "string" - }, - "tactics": { - "description": "The tactics of the alert", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - }, - "timeGenerated": { - "description": "The time the alert was generated.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "vendorName": { - "description": "The name of the vendor that raise the alert.", - "readOnly": true, - "type": "string" - }, - "alertLink": { - "description": "The uri link of the alert.", - "readOnly": true, - "type": "string" - }, - "resourceIdentifiers": { - "description": "The list of resource identifiers of the alert.", - "items": { - "type": "object" - }, - "readOnly": true, - "type": "array" - } + "type": "object", + "x-ms-discriminator-value": "IPSyncer" }, - "type": "object" - }, - "SecurityGroupEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a security group entity.", - "properties": 
{
+ "IPSyncerSettingsProperties": {
+ "description": "IPSyncer property bag.",
 "properties": {
- "$ref": "#/definitions/SecurityGroupEntityProperties",
- "description": "SecurityGroup entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "SecurityGroup"
- },
- "SecurityGroupEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "SecurityGroup entity property bag.",
- "properties": {
- "distinguishedName": {
- "description": "The group distinguished name",
- "readOnly": true,
- "type": "string"
- },
- "objectGuid": {
- "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.",
- "format": "uuid",
- "readOnly": true,
- "type": "string"
- },
- "sid": {
- "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group",
- "readOnly": true,
- "type": "string"
- }
+ "isEnabled": {
+ "description": "Determines whether the setting is enable or disabled.",
+ "readOnly": true,
+ "type": "boolean"
+ }
+ },
+ "type": "object"
 },
- "type": "object"
- },
- "SettingList": {
- "description": "List of all the settings.",
- "properties": {
- "value": {
- "description": "Array of settings.",
- "items": {
+ "EyesOn": {
+ "allOf": [
+ {
 "$ref": "#/definitions/Settings"
- },
- "type": "array"
- }
- },
- "required": [
- "value"
- ]
- },
- "Settings": {
- "allOf": [
- {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
- },
- {
- "$ref": "#/definitions/SettingsKind"
- }
- ],
- "description": "The Setting.",
- "discriminator": "kind",
- "type": "object"
- },
- "SettingsKind": {
- "description": "Describes an Azure resource with kind.",
- "properties": {
- "kind": {
- "description": "The kind of the setting",
- "enum": [
- "EyesOn",
- "EntityAnalytics",
- "Ueba"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": 
"SettingKind" } - } - }, - "required": [ - "kind" - ], - "type": "object" - }, - "TIDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Data connector to pull threat intelligence data from TIP products.", - "properties": { - "properties": { - "$ref": "#/definitions/TIDataConnectorProperties", - "description": "Threat Intelligence Platforms data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "TIDataConnectorDataTypes": { - "description": "The available data types for Threat Intelligence Platforms data connector.", - "properties": { - "indicators": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for Threat Intelligence Platforms data connector.", - "type": "object" - } - }, - "type": "object", - "required": [ - "indicators" - ] - }, - "TIDataConnectorProperties": { - "description": "TI (Threat Intelligence) data connector properties.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "tipLookbackPeriod": { - "description": "The lookback period for the feed to be imported.", - "format": "date-time", - "type": "string", - "x-nullable": true - }, - "dataTypes": { - "$ref": "#/definitions/TIDataConnectorDataTypes", - "description": "The available data types for the connector." 
- }
- },
- "type": "object",
- "required": [
- "tenantId",
- "dataTypes"
- ]
- },
- "TICheckRequirements": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorsCheckRequirements"
- }
- ],
- "description": "Threat Intelligence Platforms data connector check requirements",
- "properties": {
+ ],
+ "description": "Settings with single toggle.",
 "properties": {
- "$ref": "#/definitions/TICheckRequirementsProperties",
- "description": "Threat Intelligence Platforms data connector check required properties",
- "x-ms-client-flatten": true
- }
+ "properties": {
+ "$ref": "#/definitions/EyesOnSettingsProperties",
+ "description": "EyesOn properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "EyesOn"
 },
- "type": "object",
- "x-ms-discriminator-value": "ThreatIntelligence"
- },
- "TICheckRequirementsProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorTenantId"
- }
- ],
- "description": "Threat Intelligence Platforms data connector required properties.",
- "properties": {},
- "type": "object"
- },
- "TiTaxiiDataConnector": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnector"
- }
- ],
- "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server",
- "properties": {
+ "EyesOnSettingsProperties": {
+ "description": "EyesOn property bag.",
 "properties": {
- "$ref": "#/definitions/TiTaxiiDataConnectorProperties",
- "description": "Threat intelligence TAXII data connector properties.",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "ThreatIntelligenceTaxii"
- },
- "TiTaxiiDataConnectorDataTypes": {
- "description": "The available data types for Threat Intelligence TAXII data connector.",
- "properties": {
- "taxiiClient": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorDataTypeCommon"
- }
- ],
- "description": "Data type for TAXII connector.",
- "type": "object"
- }
- },
- "type": "object",
- "required": [
- "taxiiClient"
- ] 
- },
- "TiTaxiiDataConnectorProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorTenantId"
- }
- ],
- "description": "Threat Intelligence TAXII data connector properties.",
- "properties": {
- "workspaceId": {
- "description": "The workspace id.",
- "type": "string"
- },
- "friendlyName": {
- "description": "The friendly name for the TAXII server.",
- "type": "string"
- },
- "taxiiServer": {
- "description": "The API root for the TAXII server.",
- "type": "string"
- },
- "collectionId": {
- "description": "The collection id of the TAXII server.",
- "type": "string"
- },
- "userName": {
- "description": "The userName for the TAXII server.",
- "type": "string"
- },
- "password": {
- "description": "The password for the TAXII server.",
- "type": "string"
- },
- "taxiiLookbackPeriod": {
- "description": "The lookback period for the TAXII server.",
- "format": "date-time",
- "type": "string",
- "x-nullable": true
- },
- "pollingFrequency": {
- "description": "The polling frequency for the TAXII server.",
- "type": "string",
- "x-nullable": true,
- "enum": [
- "OnceAMinute",
- "OnceAnHour",
- "OnceADay"
- ],
- "x-ms-enum": {
- "modelAsString": true,
- "name": "PollingFrequency",
- "values": [
- {
- "description": "Once a minute",
- "value": "OnceAMinute"
- },
- {
- "description": "Once an hour",
- "value": "OnceAnHour"
- },
- {
- "description": "Once a day",
- "value": "OnceADay"
- }
- ]
+ "isEnabled": {
+ "description": "Determines whether the setting is enable or disabled.",
+ "readOnly": true,
+ "type": "boolean"
 }
 },
- "dataTypes": {
- "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes",
- "description": "The available data types for Threat Intelligence TAXII data connector." 
- }
+ "type": "object"
 },
- "required": [
- "dataTypes",
- "pollingFrequency"
- ],
- "type": "object"
- },
- "TiTaxiiCheckRequirements": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorsCheckRequirements"
- }
- ],
- "description": "Threat Intelligence TAXII data connector check requirements",
- "properties": {
+ "EntityAnalytics": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Settings"
+ }
+ ],
+ "description": "Settings with single toggle.",
 "properties": {
- "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties",
- "description": "Threat Intelligence TAXII check required properties.",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "ThreatIntelligenceTaxii"
- },
- "TiTaxiiCheckRequirementsProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorTenantId"
- }
- ],
- "description": "Threat Intelligence TAXII data connector required properties.",
- "type": "object"
- },
- "ThreatIntelligence": {
- "description": "ThreatIntelligence property bag.",
- "properties": {
- "confidence": {
- "description": "Confidence (must be between 0 and 1)",
- "format": "double",
- "readOnly": true,
- "type": "number"
- },
- "providerName": {
- "description": "Name of the provider from whom this Threat Intelligence information was received",
- "readOnly": true,
- "type": "string"
- },
- "reportLink": {
- "description": "Report link",
- "readOnly": true,
- "type": "string"
- },
- "threatDescription": {
- "description": "Threat description (free text)",
- "readOnly": true,
- "type": "string"
- },
- "threatName": {
- "description": "Threat name (e.g. \"Jedobot malware\")",
- "readOnly": true,
- "type": "string"
- },
- "threatType": {
- "description": "Threat type (e.g. 
\"Botnet\")", - "readOnly": true, - "type": "string" - } + "properties": { + "$ref": "#/definitions/EntityAnalyticsProperties", + "description": "EntityAnalytics properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "EntityAnalytics" }, - "type": "object" - }, - "IPSyncer": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", - "properties": { + "EntityAnalyticsProperties": { + "description": "EntityAnalytics property bag.", "properties": { - "$ref": "#/definitions/IPSyncerSettingsProperties", - "description": "IPSyncer properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "IPSyncer" - }, - "IPSyncerSettingsProperties": { - "description": "IPSyncer property bag.", - "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" - } + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" + } + }, + "type": "object" }, - "type": "object" - }, - "EyesOn": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", - "properties": { + "Ueba": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", "properties": { - "$ref": "#/definitions/EyesOnSettingsProperties", - "description": "EyesOn properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "EyesOn" - }, - "EyesOnSettingsProperties": { - "description": "EyesOn property bag.", - "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" - } + "properties": { + "$ref": "#/definitions/UebaProperties", + "description": "Ueba properties", + "x-ms-client-flatten": true + } + 
},
+ "type": "object",
+ "x-ms-discriminator-value": "Ueba"
 },
- "type": "object"
- },
- "EntityAnalytics": {
- "allOf": [
- {
- "$ref": "#/definitions/Settings"
- }
- ],
- "description": "Settings with single toggle.",
- "properties": {
+ "UebaProperties": {
+ "description": "Ueba property bag.",
 "properties": {
- "$ref": "#/definitions/EntityAnalyticsProperties",
- "description": "EntityAnalytics properties",
- "x-ms-client-flatten": true
- }
+ "dataSources": {
+ "description": "The relevant data sources that enriched by ueba",
+ "items": {
+ "$ref": "#/definitions/UebaDataSources"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
 },
- "type": "object",
- "x-ms-discriminator-value": "EntityAnalytics"
- },
- "EntityAnalyticsProperties": {
- "description": "EntityAnalytics property bag.",
- "properties": {
- "isEnabled": {
- "description": "Determines whether the setting is enable or disabled.",
- "readOnly": true,
- "type": "boolean"
+ "UebaDataSources": {
+ "description": "The data source that enriched by ueba.",
+ "enum": [
+ "AuditLogs",
+ "AzureActivity",
+ "SecurityEvent",
+ "SigninLogs"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "UebaDataSources"
 }
 },
- "type": "object"
- },
- "Ueba": {
- "allOf": [
- {
- "$ref": "#/definitions/Settings"
- }
- ],
- "description": "Settings with single toggle.",
- "properties": {
+ "UrlEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a url entity.",
 "properties": {
- "$ref": "#/definitions/UebaProperties",
- "description": "Ueba properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Ueba"
- },
- "UebaProperties": {
- "description": "Ueba property bag.",
- "properties": {
- "dataSources": {
- "description": "The relevant data sources that enriched by ueba",
- "items": {
- "$ref": "#/definitions/UebaDataSources"
- },
- "type": "array"
- }
+ "properties": {
+ "$ref": 
"#/definitions/UrlEntityProperties", + "description": "Url entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Url" }, - "type": "object" - }, - "UebaDataSources": { - "description": "The data source that enriched by ueba.", - "enum": [ - "AuditLogs", - "AzureActivity", - "SecurityEvent", - "SigninLogs" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "UebaDataSources" - } - }, - "UrlEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a url entity.", - "properties": { + "UrlEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Url entity property bag.", "properties": { - "$ref": "#/definitions/UrlEntityProperties", - "description": "Url entity properties", - "x-ms-client-flatten": true - } + "url": { + "description": "A full URL the entity points to", + "readOnly": true, + "type": "string" + } + }, + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "Url" - }, - "UrlEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Url entity property bag.", - "properties": { - "url": { - "description": "A full URL the entity points to", - "readOnly": true, - "type": "string" - } + "IoTDeviceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an IoT device entity.", + "properties": { + "properties": { + "$ref": "#/definitions/IoTDeviceEntityProperties", + "description": "IoTDevice entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "IoTDevice" }, - "type": "object" - }, - "IoTDeviceEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an IoT device entity.", - "properties": { + "IoTDeviceEntityProperties": { + "allOf": [ + { + "$ref": 
"#/definitions/EntityCommonProperties" + } + ], + "description": "IoTDevice entity property bag.", "properties": { - "$ref": "#/definitions/IoTDeviceEntityProperties", - "description": "IoTDevice entity properties", - "x-ms-client-flatten": true - } + "deviceId": { + "description": "The ID of the IoT Device in the IoT Hub", + "readOnly": true, + "type": "string" + }, + "deviceName": { + "description": "The friendly name of the device", + "readOnly": true, + "type": "string" + }, + "source": { + "description": "The source of the device", + "readOnly": true, + "type": "string" + }, + "iotSecurityAgentId": { + "description": "The ID of the security agent running on the device", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "deviceType": { + "description": "The type of the device", + "readOnly": true, + "type": "string" + }, + "vendor": { + "description": "The vendor of the device", + "readOnly": true, + "type": "string" + }, + "edgeId": { + "description": "The ID of the edge device", + "readOnly": true, + "type": "string" + }, + "macAddress": { + "description": "The MAC address of the device", + "readOnly": true, + "type": "string" + }, + "model": { + "description": "The model of the device", + "readOnly": true, + "type": "string" + }, + "serialNumber": { + "description": "The serial number of the device", + "readOnly": true, + "type": "string" + }, + "firmwareVersion": { + "description": "The firmware version of the device", + "readOnly": true, + "type": "string" + }, + "operatingSystem": { + "description": "The operating system of the device", + "readOnly": true, + "type": "string" + }, + "iotHubEntityId": { + "description": "The AzureResource entity id of the IoT Hub", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id of this device", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityId": { + "description": "The IP entity if of this device", + "readOnly": true, + "type": "string" + 
},
+ "threatIntelligence": {
+ "description": "A list of TI contexts attached to the IoTDevice entity.",
+ "items": {
+ "$ref": "#/definitions/ThreatIntelligence"
+ },
+ "readOnly": true,
+ "type": "array"
+ },
+ "protocols": {
+ "description": "A list of protocols of the IoTDevice entity.",
+ "items": {
+ "type": "string"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
+ },
+ "type": "object"
 },
- "type": "object",
- "x-ms-discriminator-value": "IoTDevice"
- },
- "IoTDeviceEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "IoTDevice entity property bag.",
- "properties": {
- "deviceId": {
- "description": "The ID of the IoT Device in the IoT Hub",
- "readOnly": true,
- "type": "string"
- },
- "deviceName": {
- "description": "The friendly name of the device",
- "readOnly": true,
- "type": "string"
- },
- "source": {
- "description": "The source of the device",
- "readOnly": true,
- "type": "string"
- },
- "iotSecurityAgentId": {
- "description": "The ID of the security agent running on the device",
- "format": "uuid",
- "readOnly": true,
- "type": "string"
- },
- "deviceType": {
- "description": "The type of the device",
- "readOnly": true,
- "type": "string"
- },
- "vendor": {
- "description": "The vendor of the device",
- "readOnly": true,
- "type": "string"
- },
- "edgeId": {
- "description": "The ID of the edge device",
- "readOnly": true,
- "type": "string"
- },
- "macAddress": {
- "description": "The MAC address of the device",
- "readOnly": true,
- "type": "string"
- },
- "model": {
- "description": "The model of the device",
- "readOnly": true,
- "type": "string"
- },
- "serialNumber": {
- "description": "The serial number of the device",
- "readOnly": true,
- "type": "string"
- },
- "firmwareVersion": {
- "description": "The firmware version of the device",
- "readOnly": true,
- "type": "string"
- },
- "operatingSystem": {
- "description": "The operating system of the device",
- "readOnly": 
true,
- "type": "string"
- },
- "iotHubEntityId": {
- "description": "The AzureResource entity id of the IoT Hub",
- "readOnly": true,
- "type": "string"
- },
- "hostEntityId": {
- "description": "The Host entity id of this device",
- "readOnly": true,
- "type": "string"
- },
- "ipAddressEntityId": {
- "description": "The IP entity if of this device",
- "readOnly": true,
- "type": "string"
- },
- "threatIntelligence": {
- "description": "A list of TI contexts attached to the IoTDevice entity.",
- "items": {
- "$ref": "#/definitions/ThreatIntelligence"
- },
- "readOnly": true,
- "type": "array"
- },
- "protocols": {
- "description": "A list of protocols of the IoTDevice entity.",
- "items": {
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- }
+ "UserInfo": {
+ "description": "User information that made some action",
+ "properties": {
+ "email": {
+ "description": "The email of the user.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "name": {
+ "description": "The name of the user.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "objectId": {
+ "description": "The object id of the user.",
+ "format": "uuid",
+ "type": "string",
+ "x-nullable": true
+ }
+ },
+ "type": "object"
 },
- "type": "object"
- },
- "UserInfo": {
- "description": "User information that made some action",
- "properties": {
- "email": {
- "description": "The email of the user.",
- "readOnly": true,
- "type": "string"
- },
- "name": {
- "description": "The name of the user.",
- "readOnly": true,
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the user.",
- "format": "uuid",
- "type": "string",
- "x-nullable": true
- }
+ "IncidentInfo": {
+ "description": "Describes related incident information for the bookmark",
+ "properties": {
+ "incidentId": {
+ "description": "Incident Id",
+ "type": "string"
+ },
+ "severity": {
+ "description": "The severity of the incident",
+ "enum": [
+ "Critical",
+ "High",
+ "Medium",
+ "Low",
+ "Informational"
+ ],
+ "type": 
"string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "title": { + "description": "The title of the incident", + "type": "string" + }, + "relationName": { + "description": "Relation Name", + "type": "string" + } + }, + "type": "object" }, - "type": "object" - }, - "IncidentInfo": { - "description": "Describes related incident information for the bookmark", - "properties": { - "incidentId": { - "description": "Incident Id", - "type": "string" - }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] + "WatchlistList": { + "description": "List all the watchlists.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlists.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist.", + "items": { + "$ref": "#/definitions/Watchlist" + }, + "type": "array" } }, - "title": { - "description": "The title of the incident", - "type": "string" + "required": [ + "value" + ] + }, + "Watchlist": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": 
"Represents a Watchlist in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/WatchlistProperties", + "description": "Watchlist properties", + "x-ms-client-flatten": true + } }, - "relationName": { - "description": "Relation Name", - "type": "string" - } + "type": "object" }, - "type": "object" - }, - "WatchlistList": { - "description": "List all the watchlists.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of watchlists.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of watchlist.", - "items": { - "$ref": "#/definitions/Watchlist" - }, - "type": "array" - } + "WatchlistProperties": { + "description": "Describes watchlist properties", + "properties": { + "watchlistId": { + "description": "The id (a Guid) of the watchlist", + "type": "string" + }, + "displayName": { + "description": "The display name of the watchlist", + "type": "string" + }, + "provider": { + "description": "The provider of the watchlist", + "type": "string" + }, + "source": { + "description": "The source of the watchlist", + "enum": [ + "Local file", + "Remote storage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "source" + } + }, + "created": { + "description": "The time the watchlist was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" + }, + "description": { + "description": "A description of the watchlist", + "type": "string" + }, + "watchlistType": { + "description": "The type of the watchlist", + "type": "string" + }, + "watchlistAlias": { + 
"description": "The alias of the watchlist", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist is deleted or not", + "type": "boolean" + }, + "labels": { + "description": "List of labels relevant to this watchlist", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "defaultDuration": { + "description": "The default duration of a watchlist (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "tenantId": { + "description": "The tenantId where the watchlist belongs to", + "type": "string" + }, + "numberOfLinesToSkip": { + "description": "The number of lines in a csv/tsv content to skip before the header", + "type": "integer", + "format": "int32" + }, + "rawContent": { + "description": "The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + "type": "string" + }, + "contentType": { + "description": "The content type of the raw content. Example : text/csv or text/tsv ", + "type": "string" + }, + "uploadStatus": { + "description": "The status of the Watchlist upload : New, InProgress or Complete. 
Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted",
+ "type": "string"
+ },
+ "watchlistItemsCount": {
+ "description": "The number of Watchlist Items in the Watchlist",
+ "type": "integer",
+ "format": "int32"
+ }
+ },
+ "required": [
+ "displayName",
+ "source",
+ "provider"
+ ],
+ "type": "object"
 },
- "required": [
- "value"
- ]
- },
- "Watchlist": {
- "allOf": [
- {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
- }
- ],
- "description": "Represents a Watchlist in Azure Security Insights.",
- "properties": {
+ "WatchlistItemList": {
+ "description": "List all the watchlist items.",
 "properties": {
- "$ref": "#/definitions/WatchlistProperties",
- "description": "Watchlist properties",
- "x-ms-client-flatten": true
- }
+ "nextLink": {
+ "description": "URL to fetch the next set of watchlist item.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of watchlist items.",
+ "items": {
+ "$ref": "#/definitions/WatchlistItem"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
 },
- "type": "object"
- },
- "WatchlistProperties": {
- "description": "Describes watchlist properties",
- "properties": {
- "watchlistId": {
- "description": "The id (a Guid) of the watchlist",
- "type": "string"
- },
- "displayName": {
- "description": "The display name of the watchlist",
- "type": "string"
- },
- "provider": {
- "description": "The provider of the watchlist",
- "type": "string"
- },
- "source": {
- "description": "The source of the watchlist",
- "enum": [
- "Local file",
- "Remote storage"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "source"
- }
- },
- "created": {
- "description": "The time the watchlist was created",
- "format": "date-time",
- "type": "string"
- },
- "updated": {
- "description": "The last time the watchlist was updated",
- "format": "date-time",
- "type": "string"
- },
- "createdBy": {
- "$ref": 
"#/definitions/UserInfo", - "description": "Describes a user that created the watchlist", - "type": "object" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist", - "type": "object" - }, - "description": { - "description": "A description of the watchlist", - "type": "string" - }, - "watchlistType": { - "description": "The type of the watchlist", - "type": "string" - }, - "watchlistAlias": { - "description": "The alias of the watchlist", - "type": "string" - }, - "isDeleted": { - "description": "A flag that indicates if the watchlist is deleted or not", - "type": "boolean" - }, - "labels": { - "description": "List of labels relevant to this watchlist", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "defaultDuration": { - "description": "The default duration of a watchlist (in ISO 8601 duration format)", - "format": "duration", - "type": "string" - }, - "tenantId": { - "description": "The tenantId where the watchlist belongs to", - "type": "string" - }, - "numberOfLinesToSkip": { - "description": "The number of lines in a csv/tsv content to skip before the header", - "type": "integer", - "format": "int32" - }, - "rawContent": { - "description": "The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", - "type": "string" - }, - "contentType": { - "description": "The content type of the raw content. Example : text/csv or text/tsv ", - "type": "string" - }, - "uploadStatus": { - "description": "The status of the Watchlist upload : New, InProgress or Complete. 
Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted",
- "type": "string"
- },
- "watchlistItemsCount": {
- "description": "The number of Watchlist Items in the Watchlist",
- "type": "integer",
- "format": "int32"
- }
+ "WatchlistItem": {
+ "allOf": [
+ {
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ }
+ ],
+ "description": "Represents a Watchlist item in Azure Security Insights.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/WatchlistItemProperties",
+ "description": "Watchlist Item properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
 },
- "required": [
- "displayName",
- "source",
- "provider"
- ],
- "type": "object"
- },
- "WatchlistItemList": {
- "description": "List all the watchlist items.",
- "properties": {
- "nextLink": {
- "description": "URL to fetch the next set of watchlist item.",
- "readOnly": true,
- "type": "string"
- },
- "value": {
- "description": "Array of watchlist items.",
- "items": {
- "$ref": "#/definitions/WatchlistItem"
- },
- "type": "array"
- }
+ "WatchlistItemProperties": {
+ "description": "Describes watchlist item properties",
+ "properties": {
+ "watchlistItemType": {
+ "description": "The type of the watchlist item",
+ "type": "string"
+ },
+ "watchlistItemId": {
+ "description": "The id (a Guid) of the watchlist item",
+ "type": "string"
+ },
+ "tenantId": {
+ "description": "The tenantId to which the watchlist item belongs to",
+ "type": "string"
+ },
+ "isDeleted": {
+ "description": "A flag that indicates if the watchlist item is deleted or not",
+ "type": "boolean"
+ },
+ "created": {
+ "description": "The time the watchlist item was created",
+ "format": "date-time",
+ "type": "string"
+ },
+ "updated": {
+ "description": "The last time the watchlist item was updated",
+ "format": "date-time",
+ "type": "string"
+ },
+ "createdBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that created 
the watchlist item", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist item", + "type": "object" + }, + "itemsKeyValue": { + "description": "key-value pairs for a watchlist item", + "type": "object" + }, + "entityMapping": { + "description": "key-value pairs for a watchlist item entity mapping", + "type": "object" + } + }, + "required": [ + "itemsKeyValue" + ], + "type": "object" }, - "required": [ - "value" - ] - }, - "WatchlistItem": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a Watchlist item in Azure Security Insights.", - "properties": { + "ThreatIntelligenceInformationList": { + "description": "List of all the threat intelligence information objects.", "properties": { - "$ref": "#/definitions/WatchlistItemProperties", - "description": "Watchlist Item properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "WatchlistItemProperties": { - "description": "Describes watchlist item properties", - "properties": { - "watchlistItemType": { - "description": "The type of the watchlist item", - "type": "string" - }, - "watchlistItemId": { - "description": "The id (a Guid) of the watchlist item", - "type": "string" - }, - "tenantId": { - "description": "The tenantId to which the watchlist item belongs to", - "type": "string" - }, - "isDeleted": { - "description": "A flag that indicates if the watchlist item is deleted or not", - "type": "boolean" - }, - "created": { - "description": "The time the watchlist item was created", - "format": "date-time", - "type": "string" - }, - "updated": { - "description": "The last time the watchlist item was updated", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist item", - "type": "object" - }, - "updatedBy": { - "$ref": 
"#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist item", - "type": "object" - }, - "itemsKeyValue": { - "description": "key-value pairs for a watchlist item", - "type": "object" - }, - "entityMapping": { - "description": "key-value pairs for a watchlist item entity mapping", - "type": "object" - } + "nextLink": { + "description": "URL to fetch the next set of information objects.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of threat intelligence information objects.", + "items": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "required": [ - "itemsKeyValue" - ], - "type": "object" - }, - "ThreatIntelligenceInformationList": { - "description": "List of all the threat intelligence information objects.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of information objects.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of threat intelligence information objects.", - "items": { - "$ref": "#/definitions/ThreatIntelligenceInformation" + "ThreatIntelligenceInformation": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, - "type": "array" - } + { + "$ref": "#/definitions/ThreatIntelligenceResourceKind" + } + ], + "description": "Threat intelligence information object.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] }, - "required": [ - "value" - ] - }, - "ThreatIntelligenceInformation": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/ThreatIntelligenceResourceKind" - } - ], - "description": "Threat intelligence information object.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "ThreatIntelligenceIndicatorModel": { - "allOf": [ - { - "$ref": 
"#/definitions/ThreatIntelligenceInformation" - } - ], - "description": "Threat intelligence indicator entity.", - "properties": { + "ThreatIntelligenceIndicatorModel": { + "allOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + ], + "description": "Threat intelligence indicator entity.", "properties": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", - "description": "Threat Intelligence Entity properties", - "x-ms-client-flatten": true - } + "properties": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "indicator" }, - "type": "object", - "x-ms-discriminator-value": "indicator" - }, - "ThreatIntelligenceIndicatorModelForRequestBody": { - "allOf": [ - { - "$ref": "#/definitions/ThreatIntelligenceResourceKind" - } - ], - "description": "Threat intelligence indicator entity used in request body.", - "properties": { - "etag": { - "description": "Etag of the azure resource", - "type": "string" + "ThreatIntelligenceIndicatorModelForRequestBody": { + "allOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceResourceKind" + } + ], + "description": "Threat intelligence indicator entity used in request body.", + "properties": { + "etag": { + "description": "Etag of the azure resource", + "type": "string" + }, + "properties": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", + "x-ms-client-flatten": true + } }, + "type": "object", + "x-ms-discriminator-value": "indicator" + }, + "ThreatIntelligenceResourceKind": { + "description": "Describes an entity with kind.", "properties": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", - "description": "Threat Intelligence Entity properties", - "x-ms-client-flatten": true - } + "kind": { + "$ref": 
"#/definitions/ThreatIntelligenceResourceInnerKind", + "description": "The kind of the entity." + } + }, + "required": [ + "kind" + ], + "type": "object" }, - "type": "object", - "x-ms-discriminator-value": "indicator" - }, - "ThreatIntelligenceResourceKind": { - "description": "Describes an entity with kind.", - "properties": { - "kind": { - "$ref": "#/definitions/ThreatIntelligenceResourceInnerKind", - "description": "The kind of the entity." + "ThreatIntelligenceResourceInnerKind": { + "description": "The kind of the threat intelligence entity", + "enum": [ + "indicator" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceResourceKind", + "values": [ + { + "description": "Entity represents threat intelligence indicator in the system.", + "value": "indicator" + } + ] } }, - "required": [ - "kind" - ], - "type": "object" - }, - "ThreatIntelligenceResourceInnerKind": { - "description": "The kind of the threat intelligence entity", - "enum": [ - "indicator" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ThreatIntelligenceResourceKind", - "values": [ - { - "description": "Entity represents threat intelligence indicator in the system.", - "value": "indicator" + "ThreatIntelligenceIndicatorProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" } - ] - } - }, - "ThreatIntelligenceIndicatorProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Describes threat intelligence entity properties", - "properties": { - "threatIntelligenceTags": { - "description": "List of tags", - "items": { - "description": "tag", + ], + "description": "Describes threat intelligence entity properties", + "properties": { + "threatIntelligenceTags": { + "description": "List of tags", + "items": { + "description": "tag", + "type": "string" + }, + "type": "array" + }, + "lastUpdatedTimeUtc": { + "description": "Last updated time in UTC", "type": 
"string" }, - "type": "array" - }, - "lastUpdatedTimeUtc": { - "description": "Last updated time in UTC", - "type": "string" - }, - "source": { - "description": "Source of a threat intelligence entity", - "type": "string" - }, - "displayName": { - "description": "Display name of a threat intelligence entity", - "type": "string" - }, - "description": { - "description": "Description of a threat intelligence entity", - "type": "string" - }, - "indicatorTypes": { - "description": "Indicator types of threat intelligence entities", - "items": { - "description": "Indicator type of a threat intelligence entity", + "source": { + "description": "Source of a threat intelligence entity", "type": "string" }, - "type": "array" - }, - "pattern": { - "description": "Pattern of a threat intelligence entity", - "type": "string" - }, - "patternType": { - "description": "Pattern type of a threat intelligence entity", - "type": "string" - }, - "patternVersion": { - "description": "Pattern version of a threat intelligence entity", - "type": "string" - }, - "killChainPhases": { - "description": "Kill chain phases", - "items": { - "description": "Kill chain phase", - "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + "displayName": { + "description": "Display name of a threat intelligence entity", + "type": "string" }, - "type": "array" - }, - "parsedPattern": { - "description": "Parsed patterns", - "items": { - "description": "Parsed pattern", - "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + "description": { + "description": "Description of a threat intelligence entity", + "type": "string" }, - "type": "array" - }, - "externalId": { - "description": "External ID of threat intelligence entity", - "type": "string" - }, - "createdByRef": { - "description": "Created by reference of threat intelligence entity", - "type": "string" - }, - "defanged": { - "description": "Is threat intelligence entity defanged", - "type": "boolean" - }, - "externalLastUpdatedTimeUtc": { - 
"description": "External last updated time in UTC", - "type": "string" - }, - "externalReferences": { - "description": "External References", - "items": { - "description": "external_reference", - "$ref": "#/definitions/ThreatIntelligenceExternalReference" + "indicatorTypes": { + "description": "Indicator types of threat intelligence entities", + "items": { + "description": "Indicator type of a threat intelligence entity", + "type": "string" + }, + "type": "array" }, - "type": "array" - }, - "granularMarkings": { - "description": "Granular Markings", - "items": { - "description": "Granular marking", - "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + "pattern": { + "description": "Pattern of a threat intelligence entity", + "type": "string" }, - "type": "array" - }, - "labels": { - "description": "Labels of threat intelligence entity", - "items": { - "description": "label", + "patternType": { + "description": "Pattern type of a threat intelligence entity", "type": "string" }, - "type": "array" - }, - "revoked": { - "description": "Is threat intelligence entity revoked", - "type": "boolean" - }, - "confidence": { - "description": "Confidence of threat intelligence entity", - "type": "integer", - "format": "int32" + "patternVersion": { + "description": "Pattern version of a threat intelligence entity", + "type": "string" + }, + "killChainPhases": { + "description": "Kill chain phases", + "items": { + "description": "Kill chain phase", + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + }, + "type": "array" + }, + "parsedPattern": { + "description": "Parsed patterns", + "items": { + "description": "Parsed pattern", + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + }, + "type": "array" + }, + "externalId": { + "description": "External ID of threat intelligence entity", + "type": "string" + }, + "createdByRef": { + "description": "Created by reference of threat intelligence entity", + "type": "string" + }, + "defanged": { + 
"description": "Is threat intelligence entity defanged", + "type": "boolean" + }, + "externalLastUpdatedTimeUtc": { + "description": "External last updated time in UTC", + "type": "string" + }, + "externalReferences": { + "description": "External References", + "items": { + "description": "external_reference", + "$ref": "#/definitions/ThreatIntelligenceExternalReference" + }, + "type": "array" + }, + "granularMarkings": { + "description": "Granular Markings", + "items": { + "description": "Granular marking", + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + }, + "type": "array" + }, + "labels": { + "description": "Labels of threat intelligence entity", + "items": { + "description": "label", + "type": "string" + }, + "type": "array" + }, + "revoked": { + "description": "Is threat intelligence entity revoked", + "type": "boolean" + }, + "confidence": { + "description": "Confidence of threat intelligence entity", + "type": "integer", + "format": "int32" + }, + "objectMarkingRefs": { + "description": "Threat intelligence entity object marking references", + "items": { + "description": "Threat intelligence entity object marking reference", + "type": "string" + }, + "type": "array" + }, + "language": { + "description": "Language of threat intelligence entity", + "type": "string" + }, + "threatTypes": { + "description": "Threat types", + "items": { + "description": "Threat type", + "type": "string" + }, + "type": "array" + }, + "validFrom": { + "description": "Valid from", + "type": "string" + }, + "validUntil": { + "description": "Valid until", + "type": "string" + }, + "created": { + "description": "Created by", + "type": "string" + }, + "modified": { + "description": "Modified by", + "type": "string" + }, + "extensions": { + "description": "Extensions map", + "type": "object", + "additionalProperties": {} + } }, - "objectMarkingRefs": { - "description": "Threat intelligence entity object marking references", - "items": { - "description": "Threat 
intelligence entity object marking reference", + "type": "object" + }, + "ThreatIntelligenceKillChainPhase": { + "description": "Describes threat kill chain phase entity", + "properties": { + "killChainName": { + "description": "Kill chainName name", "type": "string" }, - "type": "array" + "phaseName": { + "description": "Phase name", + "type": "string" + } }, - "language": { - "description": "Language of threat intelligence entity", - "type": "string" + "type": "object" + }, + "ThreatIntelligenceParsedPattern": { + "description": "Describes parsed pattern entity", + "properties": { + "patternTypeKey": { + "description": "Pattern type key", + "type": "string" + }, + "patternTypeValues": { + "description": "Pattern type keys", + "items": { + "description": "Pattern type key", + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + }, + "type": "array" + } }, - "threatTypes": { - "description": "Threat types", - "items": { - "description": "Threat type", + "type": "object" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "description": "Describes threat kill chain phase entity", + "properties": { + "valueType": { + "description": "Type of the value", "type": "string" }, - "type": "array" + "value": { + "description": "Value of parsed pattern", + "type": "string" + } }, - "validFrom": { - "description": "Valid from", - "type": "string" + "type": "object" + }, + "ThreatIntelligenceGranularMarkingModel": { + "description": "Describes threat granular marking model entity", + "properties": { + "language": { + "description": "Language granular marking model", + "type": "string" + }, + "markingRef": { + "description": "marking reference granular marking model", + "type": "integer", + "format": "int32" + }, + "selectors": { + "description": "granular marking model selectors", + "items": { + "description": "granular marking model selector", + "type": "string" + }, + "type": "array" + } }, - "validUntil": { - "description": "Valid until", - "type": "string" 
+ "type": "object" + }, + "ThreatIntelligenceExternalReference": { + "description": "Describes external reference", + "properties": { + "description": { + "description": "External reference description", + "type": "string" + }, + "externalId": { + "description": "External reference ID", + "type": "string" + }, + "sourceName": { + "description": "External reference source name", + "type": "string" + }, + "url": { + "description": "External reference URL", + "type": "string" + }, + "hashes": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "External reference hashes" + } }, - "created": { - "description": "Created by", - "type": "string" + "type": "object" + }, + "ThreatIntelligenceFilteringCriteria": { + "description": "Filtering criteria for querying threat intelligence indicators.", + "properties": { + "pageSize": { + "description": "Page size", + "type": "integer", + "format": "int32" + }, + "minConfidence": { + "description": "Minimum confidence.", + "type": "integer", + "format": "int32" + }, + "maxConfidence": { + "description": "Maximum confidence.", + "type": "integer", + "format": "int32" + }, + "minValidUntil": { + "description": "Start time for ValidUntil filter.", + "type": "string" + }, + "maxValidUntil": { + "description": "End time for ValidUntil filter.", + "type": "string" + }, + "includeDisabled": { + "description": "Parameter to include/exclude disabled indicators.", + "type": "boolean" + }, + "sortBy": { + "description": "Columns to sort by and sorting order", + "items": { + "description": "Sort By", + "$ref": "#/definitions/ThreatIntelligenceSortingCriteria" + }, + "type": "array" + }, + "sources": { + "description": "Sources of threat intelligence indicators", + "items": { + "description": "Source", + "type": "string" + }, + "type": "array" + }, + "patternTypes": { + "description": "Pattern types", + "items": { + "description": "Pattern type", + "type": "string" + }, + "type": "array" + }, + 
"threatTypes": { + "description": "Threat types of threat intelligence indicators", + "items": { + "description": "Threat type of a threat intelligence indicator", + "type": "string" + }, + "type": "array" + }, + "ids": { + "description": "Ids of threat intelligence indicators", + "items": { + "description": "Id of a threat intelligence indicator", + "type": "string" + }, + "type": "array" + }, + "keywords": { + "description": "Keywords for searching threat intelligence indicators", + "items": { + "description": "keyword for searching threat intelligence indicators", + "type": "string" + }, + "type": "array" + }, + "skipToken": { + "description": "Skip token.", + "type": "string" + } }, - "modified": { - "description": "Modified by", - "type": "string" + "type": "object" + }, + "ThreatIntelligenceSortingCriteria": { + "description": "List of available columns for sorting", + "properties": { + "itemKey": { + "description": "Column name", + "type": "string" + }, + "sortOrder": { + "$ref": "#/definitions/ThreatIntelligenceSortingOrder", + "description": "Sorting order (ascending/descending/unsorted)." 
+ } }, - "extensions": { - "description": "Extensions map", - "type": "object", - "additionalProperties": {} - } + "type": "object" }, - "type": "object" - }, - "ThreatIntelligenceKillChainPhase": { - "description": "Describes threat kill chain phase entity", - "properties": { - "killChainName": { - "description": "Kill chainName name", - "type": "string" - }, - "phaseName": { - "description": "Phase name", - "type": "string" + "ThreatIntelligenceSortingOrder": { + "description": "Sorting order (ascending/descending/unsorted).", + "enum": [ + "unsorted", + "ascending", + "descending" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceSortingCriteria", + "values": [ + { + "value": "unsorted" + }, + { + "value": "ascending" + }, + { + "value": "descending" + } + ] } }, - "type": "object" - }, - "ThreatIntelligenceParsedPattern": { - "description": "Describes parsed pattern entity", - "properties": { - "patternTypeKey": { - "description": "Pattern type key", - "type": "string" - }, - "patternTypeValues": { - "description": "Pattern type keys", - "items": { - "description": "Pattern type key", - "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" - }, - "type": "array" - } + "ThreatIntelligenceAppendTags": { + "description": "Array of tags to be appended to the threat intelligence indicator.", + "properties": { + "threatIntelligenceTags": { + "description": "List of tags to be appended.", + "items": { + "description": "parameter", + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "ThreatIntelligenceMetricsList": { + "description": "List of all the threat intelligence metric fields (type/threat type/source).", + "properties": { + "value": { + "description": "Array of threat intelligence metric fields (type/threat type/source).", + "items": { + "$ref": "#/definitions/ThreatIntelligenceMetrics" + }, + "type": "array" + } + }, + "required": [ + "value" + ] }, - "type": "object" - }, - 
"ThreatIntelligenceParsedPatternTypeValue": { - "description": "Describes threat kill chain phase entity", - "properties": { - "valueType": { - "description": "Type of the value", - "type": "string" - }, - "value": { - "description": "Value of parsed pattern", - "type": "string" + "ThreatIntelligenceMetrics": { + "description": "Threat intelligence metrics.", + "properties": { + "properties": { + "description": "Threat intelligence metrics.", + "$ref": "#/definitions/ThreatIntelligenceMetric" + } } }, - "type": "object" - }, - "ThreatIntelligenceGranularMarkingModel": { - "description": "Describes threat granular marking model entity", - "properties": { - "language": { - "description": "Language granular marking model", - "type": "string" - }, - "markingRef": { - "description": "marking reference granular marking model", - "type": "integer", - "format": "int32" - }, - "selectors": { - "description": "granular marking model selectors", - "items": { - "description": "granular marking model selector", + "ThreatIntelligenceMetric": { + "description": "Describes threat intelligence metric", + "properties": { + "lastUpdatedTimeUtc": { + "description": "Last updated indicator metric", "type": "string" }, - "type": "array" - } - }, - "type": "object" - }, - "ThreatIntelligenceExternalReference": { - "description": "Describes external reference", - "properties": { - "description": { - "description": "External reference description", - "type": "string" - }, - "externalId": { - "description": "External reference ID", - "type": "string" - }, - "sourceName": { - "description": "External reference source name", - "type": "string" - }, - "url": { - "description": "External reference URL", - "type": "string" - }, - "hashes": { - "type": "object", - "additionalProperties": { - "type": "string" + "threatTypeMetrics": { + "description": "Threat type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" }, 
- "description": "External reference hashes" - } - }, - "type": "object" - }, - "ThreatIntelligenceFilteringCriteria": { - "description": "Filtering criteria for querying threat intelligence indicators.", - "properties": { - "pageSize": { - "description": "Page size", - "type": "integer", - "format": "int32" - }, - "minConfidence": { - "description": "Minimum confidence.", - "type": "integer", - "format": "int32" - }, - "maxConfidence": { - "description": "Maximum confidence.", - "type": "integer", - "format": "int32" - }, - "minValidUntil": { - "description": "Start time for ValidUntil filter.", - "type": "string" - }, - "maxValidUntil": { - "description": "End time for ValidUntil filter.", - "type": "string" - }, - "includeDisabled": { - "description": "Parameter to include/exclude disabled indicators.", - "type": "boolean" - }, - "sortBy": { - "description": "Columns to sort by and sorting order", - "items": { - "description": "Sort By", - "$ref": "#/definitions/ThreatIntelligenceSortingCriteria" + "patternTypeMetrics": { + "description": "Pattern type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" }, - "type": "array" + "sourceMetrics": { + "description": "Source metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" + } }, - "sources": { - "description": "Sources of threat intelligence indicators", - "items": { - "description": "Source", + "type": "object" + }, + "ThreatIntelligenceMetricEntity": { + "description": "Describes threat intelligence metric entity", + "properties": { + "metricName": { + "description": "Metric name", "type": "string" }, - "type": "array" + "metricValue": { + "description": "Metric value", + "type": "integer", + "format": "int32" + } }, - "patternTypes": { - "description": "Pattern types", - "items": { - "description": "Pattern type", + "type": "object" + }, + 
"EntityGetInsightsParameters": { + "description": "The parameters required to execute insights operation on the given entity.", + "type": "object", + "properties": { + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", "type": "string" }, - "type": "array" - }, - "threatTypes": { - "description": "Threat types of threat intelligence indicators", - "items": { - "description": "Threat type of a threat intelligence indicator", + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", "type": "string" }, - "type": "array" - }, - "ids": { - "description": "Ids of threat intelligence indicators", - "items": { - "description": "Id of a threat intelligence indicator", - "type": "string" + "addDefaultExtendedTimeRange": { + "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", + "type": "boolean" }, - "type": "array" + "insightQueryIds": { + "description": "List of Insights Query Id. If empty, default value is all insights of this entity", + "type": "array", + "items": { + "description": "Insight Query Id (GUID)", + "format": "uuid", + "type": "string" + } + } }, - "keywords": { - "description": "Keywords for searching threat intelligence indicators", - "items": { - "description": "keyword for searching threat intelligence indicators", - "type": "string" + "required": [ + "startTime", + "endTime" + ] + }, + "EntityGetInsightsResponse": { + "description": "The Get Insights result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/GetInsightsResultsMetadata", + "description": "The metadata from the get insights operation results." 
}, - "type": "array" - }, - "skipToken": { - "description": "Skip token.", - "type": "string" + "value": { + "description": "The insights result values.", + "items": { + "$ref": "#/definitions/EntityInsightItem" + }, + "type": "array" + } } }, - "type": "object" - }, - "ThreatIntelligenceSortingCriteria": { - "description": "List of available columns for sorting", - "properties": { - "itemKey": { - "description": "Column name", - "type": "string" - }, - "sortOrder": { - "$ref": "#/definitions/ThreatIntelligenceSortingOrder", - "description": "Sorting order (ascending/descending/unsorted)." - } + "GetInsightsResultsMetadata": { + "description": "Get Insights result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the insights request", + "type": "integer", + "format": "int32" + }, + "errors": { + "description": "information about the failed queries", + "items": { + "$ref": "#/definitions/GetInsightsError" + }, + "type": "array" + } + }, + "required": [ + "totalCount" + ], + "type": "object" }, - "type": "object" - }, - "ThreatIntelligenceSortingOrder": { - "description": "Sorting order (ascending/descending/unsorted).", - "enum": [ - "unsorted", - "ascending", - "descending" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ThreatIntelligenceSortingCriteria", - "values": [ - { - "value": "unsorted" + "GetInsightsError": { + "description": "GetInsights Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "type": "string", + "enum": [ + "Insight" + ] }, - { - "value": "ascending" + "queryId": { + "description": "the query id", + "type": "string" }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "EntityQueryItem": { + "description": "An abstract Query item for entity", + "type": "object", + "discriminator": "kind", + "allOf": [ { - "value": "descending" + 
"$ref": "#/definitions/EntityQueryKind" } - ] - } - }, - "ThreatIntelligenceAppendTags": { - "description": "Array of tags to be appended to the threat intelligence indicator.", - "properties": { - "threatIntelligenceTags": { - "description": "List of tags to be appended.", - "items": { - "description": "parameter", + ], + "properties": { + "id": { + "description": "Query Template ARM ID", + "type": "string", + "readOnly": true + }, + "name": { + "description": "Query Template ARM Name", "type": "string" }, - "type": "array" - } - }, - "type": "object" - }, - "ThreatIntelligenceMetricsList": { - "description": "List of all the threat intelligence metric fields (type/threat type/source).", - "properties": { - "value": { - "description": "Array of threat intelligence metric fields (type/threat type/source).", - "items": { - "$ref": "#/definitions/ThreatIntelligenceMetrics" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "ThreatIntelligenceMetrics": { - "description": "Threat intelligence metrics.", - "properties": { - "properties": { - "description": "Threat intelligence metrics.", - "$ref": "#/definitions/ThreatIntelligenceMetric" - } - } - }, - "ThreatIntelligenceMetric": { - "description": "Describes threat intelligence metric", - "properties": { - "lastUpdatedTimeUtc": { - "description": "Last updated indicator metric", - "type": "string" - }, - "threatTypeMetrics": { - "description": "Threat type metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" - }, - "patternTypeMetrics": { - "description": "Pattern type metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" - }, - "sourceMetrics": { - "description": "Source metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" - } - }, - "type": "object" - }, - 
"ThreatIntelligenceMetricEntity": { - "description": "Describes threat intelligence metric entity", - "properties": { - "metricName": { - "description": "Metric name", - "type": "string" - }, - "metricValue": { - "description": "Metric value", - "type": "integer", - "format": "int32" - } - }, - "type": "object" - }, - "EntityGetInsightsParameters": { - "description": "The parameters required to execute insights operation on the given entity.", - "type": "object", - "properties": { - "startTime": { - "description": "The start timeline date, so the results returned are after this date.", - "format": "date-time", - "type": "string" - }, - "endTime": { - "description": "The end timeline date, so the results returned are before this date.", - "format": "date-time", - "type": "string" - }, - "addDefaultExtendedTimeRange": { - "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", - "type": "boolean" - }, - "insightQueryIds": { - "description": "List of Insights Query Id. If empty, default value is all insights of this entity", - "type": "array", - "items": { - "description": "Insight Query Id (GUID)", - "format": "uuid", + "type": { + "description": "ARM Type", "type": "string" } - } - }, - "required": [ - "startTime", - "endTime" - ] - }, - "EntityGetInsightsResponse": { - "description": "The Get Insights result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/GetInsightsResultsMetadata", - "description": "The metadata from the get insights operation results." 
- }, - "value": { - "description": "The insights result values.", - "items": { - "$ref": "#/definitions/EntityInsightItem" - }, - "type": "array" - } - } - }, - "GetInsightsResultsMetadata": { - "description": "Get Insights result metadata.", - "properties": { - "totalCount": { - "description": "the total items found for the insights request", - "type": "integer", - "format": "int32" - }, - "errors": { - "description": "information about the failed queries", - "items": { - "$ref": "#/definitions/GetInsightsError" - }, - "type": "array" - } - }, - "required": [ - "totalCount" - ], - "type": "object" - }, - "GetInsightsError": { - "description": "GetInsights Query Errors.", - "properties": { - "kind": { - "description": "the query kind", - "type": "string", - "enum": [ - "Insight" - ] - }, - "queryId": { - "description": "the query id", - "type": "string" }, - "errorMessage": { - "description": "the error message", - "type": "string" - } - }, - "required": [ - "kind", - "errorMessage" - ], - "type": "object" - }, - "EntityQueryItem": { - "description": "An abstract Query item for entity", - "type": "object", - "discriminator": "kind", - "allOf": [ - { - "$ref": "#/definitions/EntityQueryKind" - } - ], - "properties": { - "id": { - "description": "Query Template ARM ID", - "type": "string", - "readOnly": true - }, - "name": { - "description": "Query Template ARM Name", - "type": "string" - }, - "type": { - "description": "ARM Type", - "type": "string" - } + "required": [ + "kind" + ] }, - "required": [ - "kind" - ] - }, - "EntityQueryItemProperties": { - "description": "An properties abstract Query item for entity", - "type": "object", - "properties": { - "dataTypes": { - "description": "Data types for template", - "type": "array", - "items": { - "properties": { - "dataType": { - "description": "Data type name", - "type": "string" + "EntityQueryItemProperties": { + "description": "An properties abstract Query item for entity", + "type": "object", + "properties": { + 
"dataTypes": { + "description": "Data types for template", + "type": "array", + "items": { + "properties": { + "dataType": { + "description": "Data type name", + "type": "string" + } } } - } - }, - "inputEntityType": { - "description": "The type of the entity", - "$ref": "#/definitions/EntityInnerType" - }, - "requiredInputFieldsSets": { - "description": "Data types for template", - "type": "array", - "items": { + }, + "inputEntityType": { + "description": "The type of the entity", + "$ref": "#/definitions/EntityInnerType" + }, + "requiredInputFieldsSets": { + "description": "Data types for template", "type": "array", "items": { - "type": "string" - } - } - }, - "entitiesFilter": { - "description": "The query applied only to entities matching to all filters", - "type": "object" - } - } - }, - "EntityInsightItem": { - "description": "Entity insight Item.", - "type": "object", - "properties": { - "queryId": { - "type": "string", - "description": "The query id of the insight" - }, - "queryTimeInterval": { - "type": "object", - "description": "The Time interval that the query actually executed on.", - "properties": { - "startTime": { - "format": "date-time", - "type": "string", - "description": "Insight query start time" - }, - "endTime": { - "format": "date-time", - "type": "string", - "description": "Insight query end time" + "type": "array", + "items": { + "type": "string" + } } - } - }, - "tableQueryResults": { - "$ref": "#/definitions/InsightsTableResult", - "description": "Query results for table insights query." - }, - "chartQueryResults": { - "type": "array", - "description": "Query results for table insights query.", - "items": { - "$ref": "#/definitions/InsightsTableResult", - "description": "Query results for table insights query." 
+ }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object" } } - } - }, - "InsightsTableResult": { - "type": "object", - "description": "Query results for table insights query.", - "properties": { - "columns": { - "type": "array", - "description": "Columns Metadata of the table", - "items": { + }, + "EntityInsightItem": { + "description": "Entity insight Item.", + "type": "object", + "properties": { + "queryId": { + "type": "string", + "description": "The query id of the insight" + }, + "queryTimeInterval": { + "type": "object", + "description": "The Time interval that the query actually executed on.", "properties": { - "type": { + "startTime": { + "format": "date-time", "type": "string", - "description": "the type of the colum" + "description": "Insight query start time" }, - "name": { + "endTime": { + "format": "date-time", "type": "string", - "description": "the name of the colum" + "description": "Insight query end time" } } + }, + "tableQueryResults": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + }, + "chartQueryResults": { + "type": "array", + "description": "Query results for table insights query.", + "items": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." 
+ } } - }, - "rows": { - "type": "array", - "description": "Rows data of the table", - "items": { + } + }, + "InsightsTableResult": { + "type": "object", + "description": "Query results for table insights query.", + "properties": { + "columns": { "type": "array", - "description": "Single row of data", + "description": "Columns Metadata of the table", "items": { - "type": "string", - "description": "Cell in the table" + "properties": { + "type": { + "type": "string", + "description": "the type of the colum" + }, + "name": { + "type": "string", + "description": "the name of the colum" + } + } + } + }, + "rows": { + "type": "array", + "description": "Rows data of the table", + "items": { + "type": "array", + "description": "Single row of data", + "items": { + "type": "string", + "description": "Cell in the table" + } } } } } - } - }, - "parameters": { - "Action": { - "description": "The action", - "in": "body", - "name": "action", - "required": true, - "schema": { - "$ref": "#/definitions/ActionRequest" - }, - "x-ms-parameter-location": "method" - }, - "ActionId": { - "description": "Action ID", - "in": "path", - "name": "actionId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "AggregationsName": { - "description": "The aggregation name. 
Supports - Cases", - "in": "path", - "name": "aggregationsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" }, - "AlertRule": { - "description": "The alert rule", - "in": "body", - "name": "alertRule", - "required": true, - "schema": { - "$ref": "#/definitions/AlertRule" - }, - "x-ms-parameter-location": "method" - }, - "AlertRuleTemplateId": { - "description": "Alert rule template ID", - "in": "path", - "name": "alertRuleTemplateId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ApiVersion": { - "description": "API version for the operation", - "enum": [ - "2019-01-01-preview" - ], - "in": "query", - "name": "api-version", - "required": true, - "type": "string" - }, - "Bookmark": { - "description": "The bookmark", - "in": "body", - "name": "bookmark", - "required": true, - "schema": { - "$ref": "#/definitions/Bookmark" - }, - "x-ms-parameter-location": "method" - }, - "RelationName": { - "name": "relationName", - "in": "path", - "required": true, - "type": "string", - "description": "Relation Name", - "x-ms-parameter-location": "method" - }, - "RelationInputModel": { - "name": "relationInputModel", - "in": "body", - "description": "The relation input model", - "required": true, - "schema": { - "$ref": "#/definitions/RelationsModelInput" - }, - "x-ms-parameter-location": "method" - }, - "BookmarkId": { - "description": "Bookmark ID", - "in": "path", - "name": "bookmarkId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Case": { - "description": "The case", - "in": "body", - "name": "case", - "required": true, - "schema": { - "$ref": "#/definitions/Case" - }, - "x-ms-parameter-location": "method" - }, - "CaseComment": { - "description": "The case comment", - "in": "body", - "name": "caseComment", - "required": true, - "schema": { - "$ref": "#/definitions/CaseComment" - }, - "x-ms-parameter-location": "method" - }, - "CaseCommentId": { - "description": 
"Case comment ID", - "in": "path", - "name": "caseCommentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "CaseId": { - "description": "Case ID", - "in": "path", - "name": "caseId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ConsentId": { - "description": "consent ID", - "in": "path", - "name": "consentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "DataConnector": { - "description": "The data connector", - "in": "body", - "name": "dataConnector", - "required": true, - "schema": { - "$ref": "#/definitions/DataConnector" - }, - "x-ms-parameter-location": "method" - }, - "DataConnectorId": { - "description": "Connector ID", - "in": "path", - "name": "dataConnectorId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "DataConnectorsCheckRequirementsBody": { - "description": "The parameters for requirements check message", - "in": "body", - "name": "DataConnectorsCheckRequirements", - "required": true, - "schema": { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - }, - "x-ms-parameter-location": "method" - }, - "EnrichmentDomain": { - "description": "Domain name to be enriched", - "in": "query", - "name": "domain", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EnrichmentIpAddress": { - "description": "IP address (v4 or v6) to be enriched", - "in": "query", - "name": "ipAddress", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityExpandRequestBody": { - "description": "The parameters required to execute an expand operation on the given entity.", - "in": "body", - "name": "parameters", - "required": true, - "schema": { - "$ref": "#/definitions/EntityExpandParameters" - }, - "x-ms-parameter-location": "method" - }, - "BookmarkExpandRequestBody": { - "description": "The parameters required to execute an expand operation on 
the given bookmark.", - "in": "body", - "name": "parameters", - "required": true, - "schema": { - "$ref": "#/definitions/BookmarkExpandParameters" - }, - "x-ms-parameter-location": "method" - }, - "EntityTimelineRequestBody": { - "description": "The parameters required to execute an timeline operation on the given entity.", - "in": "body", - "name": "parameters", - "required": true, - "schema": { - "$ref": "#/definitions/EntityTimelineParameters" - }, - "x-ms-parameter-location": "method" - }, - "GetInsightsEntityQueriesRequestBody": { - "description": "The parameters required to execute insights on the given entity.", - "name": "parameters", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/EntityGetInsightsParameters" - }, - "x-ms-parameter-location": "method" - }, - "EntityId": { - "description": "entity ID", - "in": "path", - "name": "entityId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityQueryId": { - "description": "entity query ID", - "in": "path", - "name": "entityQueryId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Incident": { - "description": "The incident", - "in": "body", - "name": "incident", - "required": true, - "schema": { - "$ref": "#/definitions/Incident" - }, - "x-ms-parameter-location": "method" - }, - "IncidentComment": { - "description": "The incident comment", - "in": "body", - "name": "incidentComment", - "required": true, - "schema": { - "$ref": "#/definitions/IncidentComment" - }, - "x-ms-parameter-location": "method" - }, - "IncidentCommentId": { - "description": "Incident comment ID", - "in": "path", - "name": "incidentCommentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "IncidentId": { - "description": "Incident ID", - "in": "path", - "name": "incidentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityQueryKindParam": { - 
"description": "The Kind parameter for queries", - "in": "query", - "name": "kind", - "required": true, - "type": "string", - "enum": [ - "Insight" - ], - "x-ms-enum": { - "modelAsString": true, - "name": "EntityItemQueryKind", - "values": [ - { - "description": "insight", - "value": "Insight" - } - ] - }, - "x-ms-parameter-location": "method" - }, - "ODataFilter": { - "description": "Filters the results, based on a Boolean condition. Optional.", - "in": "query", - "name": "$filter", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataOrderBy": { - "description": "Sorts the results. Optional.", - "in": "query", - "name": "$orderby", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataSkipToken": { - "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", - "in": "query", - "name": "$skipToken", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataTop": { - "description": "Returns only the first n results. 
Optional.", - "format": "int32", - "in": "query", - "name": "$top", - "required": false, - "type": "integer", - "x-ms-parameter-location": "method" - }, - "OperationalInsightsResourceProvider": { - "description": "The namespace of workspaces resource provider- Microsoft.OperationalInsights.", - "in": "path", - "name": "operationalInsightsResourceProvider", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Relation": { - "name": "relation", - "in": "body", - "description": "The relation model", - "required": true, - "schema": { - "$ref": "#/definitions/Relation" - }, - "x-ms-parameter-location": "method" - }, - "ResourceGroupName": { - "description": "The name of the resource group within the user's subscription. The name is case insensitive.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "resourceGroupName", - "pattern": "^[-\\w\\._\\(\\)]+$", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "RuleId": { - "description": "Alert rule ID", - "in": "path", - "name": "ruleId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Settings": { - "description": "The setting", - "in": "body", - "name": "settings", - "required": true, - "schema": { - "$ref": "#/definitions/Settings" - }, - "x-ms-parameter-location": "method" - }, - "SettingsName": { - "description": "The setting name. 
Supports - EyesOn, EntityAnalytics, Ueba", - "in": "path", - "name": "settingsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "WorkspaceName": { - "description": "The name of the workspace.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "workspaceName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "WatchlistAlias": { - "description": "Watchlist Alias", - "in": "path", - "name": "watchlistAlias", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Watchlist": { - "description": "The watchlist", - "in": "body", - "name": "watchlist", - "required": true, - "schema": { - "$ref": "#/definitions/Watchlist" - }, - "x-ms-parameter-location": "method" - }, - "WatchlistItem": { - "description": "The watchlist item", - "in": "body", - "name": "watchlistItem", - "required": true, - "schema": { - "$ref": "#/definitions/WatchlistItem" - }, - "x-ms-parameter-location": "method" - }, - "WatchlistItemId": { - "description": "Watchlist Item Id (GUID)", - "in": "path", - "name": "watchlistItemId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceName": { - "description": "Threat intelligence indicator name field.", - "in": "path", - "name": "name", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceProperties": { - "description": "Properties of threat intelligence indicators to create and update.", - "in": "body", - "name": "ThreatIntelligenceProperties", - "required": true, - "schema": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" - }, - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceReplaceTags": { - "description": "Tags in the threat intelligence indicator to be replaced.", - "in": "body", - "name": "ThreatIntelligenceReplaceTags", - "required": true, - "schema": { - "$ref": 
"#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" - }, - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceFilteringCriteria": { - "description": "Filtering criteria for querying threat intelligence indicators.", - "in": "body", - "name": "ThreatIntelligenceFilteringCriteria", - "required": true, - "schema": { - "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria" - }, - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceIndicatorEntityKind": { - "description": "The threat intelligence entity kind", - "in": "query", - "name": "ctiEntityKind", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceAppendTags": { - "description": "The threat intelligence append tags request body", - "in": "body", - "name": "ThreatIntelligenceAppendTags", - "required": true, - "schema": { - "$ref": "#/definitions/ThreatIntelligenceAppendTags" - }, - "x-ms-parameter-location": "method" + "parameters": { + "Action": { + "description": "The action", + "in": "body", + "name": "action", + "required": true, + "schema": { + "$ref": "#/definitions/ActionRequest" + }, + "x-ms-parameter-location": "method" + }, + "ActionId": { + "description": "Action ID", + "in": "path", + "name": "actionId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AggregationsName": { + "description": "The aggregation name. 
Supports - Cases", + "in": "path", + "name": "aggregationsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AlertRule": { + "description": "The alert rule", + "in": "body", + "name": "alertRule", + "required": true, + "schema": { + "$ref": "#/definitions/AlertRule" + }, + "x-ms-parameter-location": "method" + }, + "AlertRuleTemplateId": { + "description": "Alert rule template ID", + "in": "path", + "name": "alertRuleTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ApiVersion": { + "description": "API version for the operation", + "enum": [ + "2019-01-01-preview" + ], + "in": "query", + "name": "api-version", + "required": true, + "type": "string" + }, + "Bookmark": { + "description": "The bookmark", + "in": "body", + "name": "bookmark", + "required": true, + "schema": { + "$ref": "#/definitions/Bookmark" + }, + "x-ms-parameter-location": "method" + }, + "RelationName": { + "name": "relationName", + "in": "path", + "required": true, + "type": "string", + "description": "Relation Name", + "x-ms-parameter-location": "method" + }, + "RelationInputModel": { + "name": "relationInputModel", + "in": "body", + "description": "The relation input model", + "required": true, + "schema": { + "$ref": "#/definitions/RelationsModelInput" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkId": { + "description": "Bookmark ID", + "in": "path", + "name": "bookmarkId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Case": { + "description": "The case", + "in": "body", + "name": "case", + "required": true, + "schema": { + "$ref": "#/definitions/Case" + }, + "x-ms-parameter-location": "method" + }, + "CaseComment": { + "description": "The case comment", + "in": "body", + "name": "caseComment", + "required": true, + "schema": { + "$ref": "#/definitions/CaseComment" + }, + "x-ms-parameter-location": "method" + }, + "CaseCommentId": { + "description": 
"Case comment ID", + "in": "path", + "name": "caseCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "CaseId": { + "description": "Case ID", + "in": "path", + "name": "caseId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ConsentId": { + "description": "consent ID", + "in": "path", + "name": "consentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "DataConnectorsCheckRequirementsBody": { + "description": "The parameters for requirements check message", + "in": "body", + "name": "DataConnectorsCheckRequirements", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + }, + "x-ms-parameter-location": "method" + }, + "EnrichmentDomain": { + "description": "Domain name to be enriched", + "in": "query", + "name": "domain", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EnrichmentIpAddress": { + "description": "IP address (v4 or v6) to be enriched", + "in": "query", + "name": "ipAddress", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityExpandRequestBody": { + "description": "The parameters required to execute an expand operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkExpandRequestBody": { + "description": "The parameters required to execute an expand operation on 
the given bookmark.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/BookmarkExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityTimelineRequestBody": { + "description": "The parameters required to execute an timeline operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityTimelineParameters" + }, + "x-ms-parameter-location": "method" + }, + "GetInsightsEntityQueriesRequestBody": { + "description": "The parameters required to execute insights on the given entity.", + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/EntityGetInsightsParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryId": { + "description": "entity query ID", + "in": "path", + "name": "entityQueryId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Incident": { + "description": "The incident", + "in": "body", + "name": "incident", + "required": true, + "schema": { + "$ref": "#/definitions/Incident" + }, + "x-ms-parameter-location": "method" + }, + "IncidentComment": { + "description": "The incident comment", + "in": "body", + "name": "incidentComment", + "required": true, + "schema": { + "$ref": "#/definitions/IncidentComment" + }, + "x-ms-parameter-location": "method" + }, + "IncidentCommentId": { + "description": "Incident comment ID", + "in": "path", + "name": "incidentCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "IncidentId": { + "description": "Incident ID", + "in": "path", + "name": "incidentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryKindParam": { + 
"description": "The Kind parameter for queries", + "in": "query", + "name": "kind", + "required": true, + "type": "string", + "enum": [ + "Insight" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "EntityItemQueryKind", + "values": [ + { + "description": "insight", + "value": "Insight" + } + ] + }, + "x-ms-parameter-location": "method" + }, + "ODataFilter": { + "description": "Filters the results, based on a Boolean condition. Optional.", + "in": "query", + "name": "$filter", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataOrderBy": { + "description": "Sorts the results. Optional.", + "in": "query", + "name": "$orderby", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataSkipToken": { + "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + "in": "query", + "name": "$skipToken", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataTop": { + "description": "Returns only the first n results. 
Optional.", + "format": "int32", + "in": "query", + "name": "$top", + "required": false, + "type": "integer", + "x-ms-parameter-location": "method" + }, + "OperationalInsightsResourceProvider": { + "description": "The namespace of workspaces resource provider- Microsoft.OperationalInsights.", + "in": "path", + "name": "operationalInsightsResourceProvider", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Relation": { + "name": "relation", + "in": "body", + "description": "The relation model", + "required": true, + "schema": { + "$ref": "#/definitions/Relation" + }, + "x-ms-parameter-location": "method" + }, + "ResourceGroupName": { + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "resourceGroupName", + "pattern": "^[-\\w\\._\\(\\)]+$", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Settings": { + "description": "The setting", + "in": "body", + "name": "settings", + "required": true, + "schema": { + "$ref": "#/definitions/Settings" + }, + "x-ms-parameter-location": "method" + }, + "SettingsName": { + "description": "The setting name. 
Supports - EyesOn, EntityAnalytics, Ueba", + "in": "path", + "name": "settingsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "WorkspaceName": { + "description": "The name of the workspace.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "workspaceName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "WatchlistAlias": { + "description": "Watchlist Alias", + "in": "path", + "name": "watchlistAlias", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Watchlist": { + "description": "The watchlist", + "in": "body", + "name": "watchlist", + "required": true, + "schema": { + "$ref": "#/definitions/Watchlist" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItem": { + "description": "The watchlist item", + "in": "body", + "name": "watchlistItem", + "required": true, + "schema": { + "$ref": "#/definitions/WatchlistItem" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItemId": { + "description": "Watchlist Item Id (GUID)", + "in": "path", + "name": "watchlistItemId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceName": { + "description": "Threat intelligence indicator name field.", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceProperties": { + "description": "Properties of threat intelligence indicators to create and update.", + "in": "body", + "name": "ThreatIntelligenceProperties", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceReplaceTags": { + "description": "Tags in the threat intelligence indicator to be replaced.", + "in": "body", + "name": "ThreatIntelligenceReplaceTags", + "required": true, + "schema": { + "$ref": 
"#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceFilteringCriteria": { + "description": "Filtering criteria for querying threat intelligence indicators.", + "in": "body", + "name": "ThreatIntelligenceFilteringCriteria", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceIndicatorEntityKind": { + "description": "The threat intelligence entity kind", + "in": "query", + "name": "ctiEntityKind", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceAppendTags": { + "description": "The threat intelligence append tags request body", + "in": "body", + "name": "ThreatIntelligenceAppendTags", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceAppendTags" + }, + "x-ms-parameter-location": "method" + } } } } From 1eec4cc82aab22b84618b39fc085d34852a81e31 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Mon, 5 Jul 2021 16:51:16 +0300 Subject: [PATCH 07/11] . --- .../2019-01-01-preview/SecurityInsights.json | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 640f116ce263..1b5a27f6dc86 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json 
@@ -919,25 +919,26 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter",
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/CaseId"
- },
- {
- "$ref": "#/parameters/CaseCommentId"
- },
- {
- "$ref": "#/parameters/CaseComment"
- },
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/CaseId"
+ },
+ {
+ "$ref": "#/parameters/CaseCommentId"
+ },
+ {
+ "$ref": "#/parameters/CaseComment"
+ },
 
 "responses": {
 "201": {
From dea033666d498cadd25564f4c8428ff73a204f71 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Mon, 5 Jul 2021 16:57:36 +0300 Subject: [PATCH 08/11] . --- .../2019-01-01-preview/SecurityInsights.json | 23163 ++++++++-------- 1 file changed, 11581 insertions(+), 11582 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 1b5a27f6dc86..eb57a33bd52b 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
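Review bot: After this hunk the `parameters` array of the CaseComments create-or-update operation is still unterminated: the last added line `+ },` is followed directly by the context line `"responses": {`, so the array's closing `],` is missing and the document remains invalid JSON even though the dropped `}` after the SubscriptionIdParameter `$ref` is now restored. The final added lines should read `}` and then `],` before `"responses": {`. The next patch in the series (08/11, first hunk) appears to add exactly that `],`, so the two fixes belong in one commit that leaves the spec parseable at every step; a `jq . SecurityInsights.json` or the repo's OpenAPI validator run before committing would have caught both. For a spec that drives generated SDKs and portal clients of a security product, every commit should leave the document loadable so that what downstream tooling consumes is exactly what was reviewed.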
@@ -938,12713 +938,12712 @@ }, { "$ref": "#/parameters/CaseComment" - }, - - "responses": { - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/CaseComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { - "get": { - "x-ms-examples": { - "Get all bookmarks.": { - "$ref": "./examples/bookmarks/GetBookmarks.json" + ], + "responses": { + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/CaseComment" } }, - "tags": [ - "Bookmarks" - ], - "description": "Gets all bookmarks.", - "operationId": "Bookmarks_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/BookmarkList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } - }, - "x-ms-pageable": { - "nextLinkName": "nextLink" } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { - "get": { - "x-ms-examples": { - "Get a bookmark.": { - "$ref": 
"./examples/bookmarks/GetBookmarkById.json" - } - }, - "tags": [ - "Bookmarks" - ], - "description": "Gets a bookmark.", - "operationId": "Bookmarks_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks": { + "get": { + "x-ms-examples": { + "Get all bookmarks.": { + "$ref": "./examples/bookmarks/GetBookmarks.json" } }, - "put": { - "x-ms-examples": { - "Creates or updates a bookmark.": { - "$ref": "./examples/bookmarks/CreateBookmark.json" - } + "tags": [ + "Bookmarks" + ], + "description": "Gets all bookmarks.", + "operationId": "Bookmarks_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Bookmarks" - ], - "description": "Creates or updates the bookmark.", - "operationId": "Bookmarks_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/Bookmark" + { + 
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkList" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Bookmark" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } }, - "delete": { - "x-ms-examples": { - "Delete a bookmark.": { - "$ref": "./examples/bookmarks/DeleteBookmark.json" - } + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}": { + "get": { + "x-ms-examples": { + "Get a bookmark.": { + "$ref": "./examples/bookmarks/GetBookmarkById.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Gets a bookmark.", + "operationId": "Bookmarks_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Bookmarks" - ], - "description": "Delete the bookmark.", - "operationId": "Bookmarks_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": 
"#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations": { - "get": { - "x-ms-examples": { - "Get all case relations.": { - "$ref": "./examples/cases/relations/GetAllCaseRelations.json" - } + "put": { + "x-ms-examples": { + "Creates or updates a bookmark.": { + "$ref": "./examples/bookmarks/CreateBookmark.json" + } + }, + "tags": [ + "Bookmarks" + ], + "description": "Creates or updates the bookmark.", + "operationId": "Bookmarks_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "CaseRelations" - ], - "description": "Gets all case relations.", - "deprecated": true, - "operationId": "CaseRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": 
"#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/CaseRelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" }, - "x-ms-odata": "#/definitions/CaseRelation", - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/Bookmark" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get a case relation.": { - "$ref": "./examples/cases/relations/GetCaseRelationByName.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Bookmark" } }, - "tags": [ - "CaseRelations" - ], - "description": "Gets a case relation.", - "deprecated": true, - "operationId": "CaseRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": 
"#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Bookmark" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/CaseRelation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } + } + }, + "delete": { + "x-ms-examples": { + "Delete a bookmark.": { + "$ref": "./examples/bookmarks/DeleteBookmark.json" + } }, - "put": { - "x-ms-examples": { - "Creates or updates a case relation.": { - "$ref": "./examples/cases/relations/CreateCaseRelation.json" - } - }, - "tags": [ - "CaseRelations" - ], - "description": "Creates or updates the case relation.", - "deprecated": true, - "operationId": "CaseRelations_CreateOrUpdateRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" - }, - { - "$ref": "#/parameters/RelationInputModel" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/CaseRelation" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/CaseRelation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "tags": [ + "Bookmarks" + ], + "description": "Delete the bookmark.", + 
"operationId": "Bookmarks_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations": { + "get": { + "x-ms-examples": { + "Get all case relations.": { + "$ref": "./examples/cases/relations/GetAllCaseRelations.json" + } }, - "delete": { - "x-ms-examples": { - "Delete the case relation.": { - "$ref": "./examples/cases/relations/DeleteCaseRelation.json" - } + "tags": [ + "CaseRelations" + ], + "description": "Gets all case relations.", + "deprecated": true, + "operationId": "CaseRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "CaseRelations" - ], - "description": "Delete the case relation.", - "deprecated": true, - "operationId": "CaseRelations_DeleteRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/CaseId" - }, - { - "$ref": "#/parameters/RelationName" + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelationList" } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } + }, + "x-ms-odata": "#/definitions/CaseRelation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { - "get": { - "x-ms-examples": { - "Get all bookmark relations.": { - "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases/{caseId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a case relation.": { + "$ref": "./examples/cases/relations/GetCaseRelationByName.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Gets a case relation.", + "deprecated": true, + "operationId": "CaseRelations_GetRelation", + 
"parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "BookmarkRelations" - ], - "description": "Gets all bookmark relations.", - "operationId": "BookmarkRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/RelationName" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { - "post": { - "x-ms-examples": { - "Expand an bookmark": { - "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelation" } }, - "description": "Expand an bookmark", 
- "operationId": "Bookmark_Expand", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/BookmarkExpandRequestBody" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/BookmarkExpandResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } - }, - "tags": [ - "Bookmark" - ] + } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get a bookmark relation.": { - "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" - } - }, - "tags": [ - "BookmarkRelations" - ], - "description": "Gets a bookmark relation.", - "operationId": "BookmarkRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": 
"#/definitions/Relation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "put": { + "x-ms-examples": { + "Creates or updates a case relation.": { + "$ref": "./examples/cases/relations/CreateCaseRelation.json" } }, - "put": { - "x-ms-examples": { - "Creates or updates a bookmark relation.": { - "$ref": "./examples/bookmarks/relations/CreateBookmarkRelation.json" - } + "tags": [ + "CaseRelations" + ], + "description": "Creates or updates the case relation.", + "deprecated": true, + "operationId": "CaseRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "BookmarkRelations" - ], - "description": "Creates the bookmark relation.", - "operationId": "BookmarkRelations_CreateOrUpdateRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/RelationName" - }, - { - "$ref": "#/parameters/Relation" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + 
"$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/RelationName" + }, + { + "$ref": "#/parameters/RelationInputModel" } - }, - "delete": { - "x-ms-examples": { - "Delete the bookmark relation.": { - "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/CaseRelation" } }, - "tags": [ - "BookmarkRelations" - ], - "description": "Delete the bookmark relation.", - "operationId": "BookmarkRelations_DeleteRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/BookmarkId" - }, - { - "$ref": "#/parameters/RelationName" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/CaseRelation" } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": { - "get": { - "x-ms-examples": { - "Get geodata for a single IP address": { - "$ref": "./examples/enrichment/GetGeodataByIp.json" - } + "delete": { + "x-ms-examples": { + "Delete the case relation.": { + "$ref": "./examples/cases/relations/DeleteCaseRelation.json" + } + }, + "tags": [ + "CaseRelations" + ], + "description": "Delete the case relation.", + "deprecated": true, + "operationId": 
"CaseRelations_DeleteRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Enrichment" - ], - "description": "Get geodata for a single IP address", - "operationId": "IPGeodata_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/EnrichmentIpAddress" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EnrichmentIpGeodata" - } - }, - "default": { - "description": "Error response describing why the operation failed to enrich this ip.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/CaseId" + }, + { + "$ref": "#/parameters/RelationName" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": { - "get": { - "x-ms-examples": { - "Get whois information for a single domain name": { - "$ref": "./examples/enrichment/GetWhoisByDomainName.json" - } + ], + "responses": { + "200": { + "description": "OK" }, - "tags": [ - "Enrichment" - ], - "description": "Get whois information for a single domain name", - "operationId": "DomainWhois_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/EnrichmentDomain" - } - ], - "responses": { - "200": { - "description": "OK", - 
"schema": { - "$ref": "#/definitions/EnrichmentDomainWhois" - } - }, - "default": { - "description": "Error response describing why the operation failed to enrich this domain.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { - "get": { - "x-ms-examples": { - "Get all data connectors.": { - "$ref": "./examples/dataConnectors/GetDataConnectors.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations": { + "get": { + "x-ms-examples": { + "Get all bookmark relations.": { + "$ref": "./examples/bookmarks/relations/GetAllBookmarkRelations.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Gets all bookmark relations.", + "operationId": "BookmarkRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Data Connectors" - ], - "description": "Gets all data connectors.", - "operationId": "DataConnectors_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnectorList" - } - }, - "default": { - "description": "Error response describing why the operation 
failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { - "get": { - "x-ms-examples": { - "Get an Office365 data connector.": { - "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" - }, - "Get a TI data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" - }, - "Get a TI Taxii data connector.": { - "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" - }, - "Get a MCAS data connector.": { - "$ref": "./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" - }, - "Get a ASC data connector.": { - "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" - }, - "Get an AAD data connector.": { - "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" - }, - "Get an AwsCloudTrail data connector.": { - "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" - }, - "Get an AATP data connector.": { - "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" - }, - "Get a MDATP data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" - }, - "Get a Office ATP data connector": { - "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" - }, - "Get a Dynamics365 data connector": { - "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" - }, - "Get a MicrosoftThreatProtection data connector": { - "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" - }, - "Get a MicrosoftThreatIntelligence data connector": { - "$ref": 
"./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" - } + { + "$ref": "#/parameters/ResourceGroupName" }, - "tags": [ - "Data Connectors" - ], - "description": "Gets a data connector.", - "operationId": "DataConnectors_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } - }, - "put": { - "x-ms-examples": { - "Creates or updates an Office365 data connector.": { - "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" - }, - "Creates or updates a Threat Intelligence Taxii data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" - }, - "Creates or updates an Threat Intelligence Platform data connector.": { - "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" - }, - "Creates or updates a Dynamics365 data connector.": { - "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RelationList" } }, - "tags": [ - 
"Data Connectors" - ], - "description": "Creates or updates the data connector.", - "operationId": "DataConnectors_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - }, - { - "$ref": "#/parameters/DataConnector" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/DataConnector" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } }, - "delete": { - "x-ms-examples": { - "Delete an Office365 data connector.": { - "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" - } - }, - "tags": [ - "Data Connectors" - ], - "description": "Delete the data connector.", - "operationId": "DataConnectors_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/DataConnectorId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": 
"#/definitions/CloudError" - } - } - } + "x-ms-odata": "#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { - "post": { - "x-ms-examples": { - "Check requirements for TI.": { - "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" - }, - "Check requirements for TI Taxii.": { - "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" - }, - "Check requirements for AAD.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" - }, - "Check requirements for AAD - no license.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" - }, - "Check requirements for AAD - no authorization.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" - }, - "Check requirements for ASC.": { - "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" - }, - "Check requirements for Mcas.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" - }, - "Check requirements for Mdatp.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" - }, - "Check requirements for OfficeATP.": { - "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" - }, - "Check requirements for Dynamics365.": { - "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" - }, - "Check requirements for MicrosoftThreatProtection.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" - }, - "Check requirements for MicrosoftThreatIntelligence.": { - "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" - } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/expand": { + "post": { + "x-ms-examples": { + "Expand an bookmark": { + "$ref": "./examples/bookmarks/expand/PostExpandBookmark.json" + } + }, + "description": "Expand an bookmark", + "operationId": "Bookmark_Expand", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Check Data Connector Requirements" - ], - "description": "Get requirements state for a data connector type.", - "operationId": "DataConnectorsCheckRequirements_Post", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/DataConnectorRequirementsState" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/BookmarkExpandRequestBody" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { - "get": { - "x-ms-examples": { - 
"Get all entities.": { - "$ref": "./examples/entities/GetEntities.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/BookmarkExpandResponse" } }, - "tags": [ - "Entities" - ], - "description": "Gets all entities.", - "operationId": "Entities_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } + } + }, + "tags": [ + "Bookmark" + ] + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/GetBookmarkRelationByName.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Gets a bookmark relation.", + "operationId": "BookmarkRelations_GetRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": 
"#/parameters/BookmarkId" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/RelationName" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { - "get": { - "x-ms-examples": { - "Get an account entity.": { - "$ref": "./examples/entities/GetAccountEntityById.json" - }, - "Get a host entity.": { - "$ref": "./examples/entities/GetHostEntityById.json" - }, - "Get a file entity.": { - "$ref": "./examples/entities/GetFileEntityById.json" - }, - "Get a security alert entity.": { - "$ref": "./examples/entities/GetSecurityAlertEntityById.json" - }, - "Get a file hash entity.": { - "$ref": "./examples/entities/GetFileHashEntityById.json" - }, - "Get a malware entity.": { - "$ref": "./examples/entities/GetMalwareEntityById.json" - }, - "Get a security group entity.": { - "$ref": "./examples/entities/GetSecurityGroupEntityById.json" - }, - "Get an azure resource entity.": { - "$ref": "./examples/entities/GetAzureResourceEntityById.json" - }, - "Get a cloud application entity.": { - "$ref": "./examples/entities/GetCloudApplicationEntityById.json" - }, - "Get a process entity.": { - "$ref": "./examples/entities/GetProcessEntityById.json" - }, - "Get a dns entity.": { - "$ref": "./examples/entities/GetDnsEntityById.json" - }, - "Get an ip entity.": { - "$ref": "./examples/entities/GetIpEntityById.json" - }, - "Get a registry key entity.": { - "$ref": "./examples/entities/GetRegistryKeyEntityById.json" - }, - "Get a registry value entity.": { - "$ref": "./examples/entities/GetRegistryValueEntityById.json" - }, - "Get a url entity.": { - "$ref": "./examples/entities/GetUrlEntityById.json" - }, - "Get an IoT device entity.": { - "$ref": "./examples/entities/GetIoTDeviceEntityById.json" - }, - "Get a mailCluster entity.": { - "$ref": "./examples/entities/GetMailClusterEntityById.json" - }, - 
"Get a mailbox entity.": { - "$ref": "./examples/entities/GetMailboxEntityById.json" - }, - "Get a mailMessage entity.": { - "$ref": "./examples/entities/GetMailMessageEntityById.json" - }, - "Get a submissionMail entity.": { - "$ref": "./examples/entities/GetSubmissionMailEntityById.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" } }, - "tags": [ - "Entities" - ], - "description": "Gets an entity.", - "operationId": "Entities_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Entity" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { - "post": { - "x-ms-examples": { - "Expand an entity": { - "$ref": "./examples/entities/expand/PostExpandEntity.json" + "put": { + "x-ms-examples": { + "Creates or updates a bookmark relation.": { + "$ref": "./examples/bookmarks/relations/CreateBookmarkRelation.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Creates the bookmark relation.", + "operationId": "BookmarkRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, 
+ { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/RelationName" + }, + { + "$ref": "#/parameters/Relation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" } }, - "tags": [ - "Entities" - ], - "description": "Expands an entity.", - "operationId": "Entities_Expand", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/EntityExpandRequestBody" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Relation" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityExpandResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { - "post": { - "x-ms-examples": { - "Entity timeline": { - "$ref": "./examples/entities/timeline/PostTimelineEntity.json" - } + "delete": { + "x-ms-examples": { + "Delete the bookmark 
relation.": { + "$ref": "./examples/bookmarks/relations/DeleteBookmarkRelation.json" + } + }, + "tags": [ + "BookmarkRelations" + ], + "description": "Delete the bookmark relation.", + "operationId": "BookmarkRelations_DeleteRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Entities" - ], - "description": "Timeline for an entity.", - "operationId": "EntitiesGetTimeline_list", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/EntityTimelineRequestBody" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityTimelineResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/BookmarkId" + }, + { + "$ref": "#/parameters/RelationName" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { - "get": { - "x-ms-examples": { - "Get Entity Query": { - "$ref": "./examples/entities/GetQueries.json" - } + ], + "responses": { + "200": { + "description": "OK" }, - "tags": [ - "Entities" - ], - "description": "Get Insights and Activities for an 
entity.", - "operationId": "Entities_Queries", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/EntityQueryKindParam" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/GetQueriesResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { - "post": { - "x-ms-examples": { - "Entity Insight": { - "$ref": "./examples/entities/insights/PostGetInsights.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/": { + "get": { + "x-ms-examples": { + "Get geodata for a single IP address": { + "$ref": "./examples/enrichment/GetGeodataByIp.json" + } + }, + "tags": [ + "Enrichment" + ], + "description": "Get geodata for a single IP address", + "operationId": "IPGeodata_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Entities" - ], - "description": "Execute Insights for an entity.", - "operationId": "Entities_GetInsights", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/EnrichmentIpAddress" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EnrichmentIpGeodata" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityGetInsightsResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed to enrich this ip.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { - "get": { - "x-ms-examples": { - "Get all relations of an entity.": { - "$ref": "./examples/entities/relations/GetAllEntityRelations.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.SecurityInsights/enrichment/domain/whois/": { + "get": { + "x-ms-examples": { + "Get whois information for a single domain name": { + "$ref": "./examples/enrichment/GetWhoisByDomainName.json" + } + }, + "tags": [ + "Enrichment" + ], + "description": "Get whois information for a single domain name", + "operationId": "DomainWhois_Get", + "parameters": [ + { + "$ref": 
"#/parameters/ApiVersion" }, - "tags": [ - "EntityRelations" - ], - "description": "Gets all relations of an entity.", - "operationId": "EntitiesRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/EnrichmentDomain" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get an entity relation.": { - "$ref": "./examples/entities/relations/GetEntityRelationByName.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EnrichmentDomainWhois" } }, - "tags": [ - "EntityRelations" - ], - "description": "Gets an entity relation.", - "operationId": "EntityRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" 
- }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed to enrich this domain.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": { - "get": { - "x-ms-examples": { - "Get all office consents.": { - "$ref": "./examples/officeConsents/GetOfficeConsents.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors": { + "get": { + "x-ms-examples": { + "Get all data connectors.": { + "$ref": "./examples/dataConnectors/GetDataConnectors.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Gets all data connectors.", + "operationId": "DataConnectors_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Office Consents" - ], - "description": "Gets all office365 consents.", - "operationId": "OfficeConsents_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": 
"#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/OfficeConsentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/WorkspaceName" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": { - "get": { - "x-ms-examples": { - "Get an office consent.": { - "$ref": "./examples/officeConsents/GetOfficeConsentsById.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnectorList" } }, - "tags": [ - "Office Consents" - ], - "description": "Gets an office365 consent.", - "operationId": "OfficeConsents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ConsentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/OfficeConsent" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": 
"#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } }, - "delete": { - "x-ms-examples": { - "Delete an office consent.": { - "$ref": "./examples/officeConsents/DeleteOfficeConsents.json" - } - }, - "tags": [ - "Office Consents" - ], - "description": "Delete the office365 consent.", - "operationId": "OfficeConsents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ConsentId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } + "x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": { - "get": { - "x-ms-examples": { - "Get EyesOn settings.": { - "$ref": "./examples/settings/GetAllSettings.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}": { + "get": { + "x-ms-examples": { + "Get an Office365 data connector.": { + "$ref": "./examples/dataConnectors/GetOfficeDataConnetorById.json" }, - "tags": [ - "Settings" - ], - "description": "List of all the settings", - "operationId": "ProductSettings_GetAll", - "parameters": [ - { - "$ref": 
"#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/SettingList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } - } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": { - "get": { - "x-ms-examples": { - "Get EyesOn settings.": { - "$ref": "./examples/settings/GetEyesOnSetting.json" - } + "Get a TI data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceById.json" }, - "tags": [ - "Settings" - ], - "description": "Gets a setting.", - "operationId": "ProductSettings_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/SettingsName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Settings" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "Get a TI Taxii data connector.": { + "$ref": "./examples/dataConnectors/GetThreatIntelligenceTaxiiById.json" + }, + "Get a MCAS data connector.": { + "$ref": 
"./examples/dataConnectors/GetMicrosoftCloudAppSecurityById.json" + }, + "Get a ASC data connector.": { + "$ref": "./examples/dataConnectors/GetAzureSecurityCenterById.json" + }, + "Get an AAD data connector.": { + "$ref": "./examples/dataConnectors/GetAzureActiveDirectoryById.json" + }, + "Get an AwsCloudTrail data connector.": { + "$ref": "./examples/dataConnectors/GetAmazonWebServicesCloudTrailById.json" + }, + "Get an AATP data connector.": { + "$ref": "./examples/dataConnectors/GetAzureAdvancedThreatProtectionById.json" + }, + "Get a MDATP data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftDefenderAdvancedThreatProtectionById.json" + }, + "Get a Office ATP data connector": { + "$ref": "./examples/dataConnectors/GetOffice365AdvancedThreatProtectionById.json" + }, + "Get a Dynamics365 data connector": { + "$ref": "./examples/dataConnectors/GetDynamics365DataConnectorById.json" + }, + "Get a MicrosoftThreatProtection data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatProtectionById.json" + }, + "Get a MicrosoftThreatIntelligence data connector": { + "$ref": "./examples/dataConnectors/GetMicrosoftThreatIntelligenceById.json" } }, - "delete": { - "x-ms-examples": { - "Delete EyesOn settings.": { - "$ref": "./examples/settings/DeleteEyesOnSetting.json" - } + "tags": [ + "Data Connectors" + ], + "description": "Gets a data connector.", + "operationId": "DataConnectors_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Settings" - ], - "description": "Delete setting of the product.", - "operationId": "ProductSettings_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": 
"#/parameters/SettingsName" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" } - }, - "put": { - "x-ms-examples": { - "Update EyesOn settings.": { - "$ref": "./examples/settings/UpdateEyesOnSetting.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnector" } }, - "tags": [ - "Settings" - ], - "description": "Updates setting.", - "operationId": "ProductSettings_Update", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/SettingsName" - }, - { - "$ref": "#/parameters/Settings" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Settings" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } }, - 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/aggregations/{aggregationsName}": { - "get": { - "x-ms-examples": { - "Get aggregative data for all cases under the defined workspace, between the time range if specified.": { - "$ref": "./examples/aggregations/GetCasesAggregations.json" - } + "put": { + "x-ms-examples": { + "Creates or updates an Office365 data connector.": { + "$ref": "./examples/dataConnectors/CreateOfficeDataConnetor.json" }, - "tags": [ - "Aggregations" - ], - "description": "Get aggregative result for the given resources under the defined workspace", - "operationId": "CasesAggregations_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/AggregationsName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Aggregations" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "Creates or updates a Threat Intelligence Taxii data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceTaxiiDataConnector.json" + }, + "Creates or updates an Threat Intelligence Platform data connector.": { + "$ref": "./examples/dataConnectors/CreateThreatIntelligenceDataConnector.json" + }, + "Creates or updates a Dynamics365 data connector.": { + "$ref": "./examples/dataConnectors/CreateDynamics365DataConnetor.json" } - } - }, - 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { - "get": { - "x-ms-examples": { - "Get all entity queries.": { - "$ref": "./examples/entityQueries/GetEntityQueries.json" - } + }, + "tags": [ + "Data Connectors" + ], + "description": "Creates or updates the data connector.", + "operationId": "DataConnectors_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "EntityQueries" - ], - "description": "Gets all entity queries.", - "operationId": "EntityQueries_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityQueryList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/DataConnector" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { - "get": { - "x-ms-examples": { - "Get an entity query.": { - "$ref": 
"./examples/entityQueries/GetExpansionEntityQueryById.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnector" } }, - "tags": [ - "EntityQueries" - ], - "description": "Gets an entity query.", - "operationId": "EntityQueries_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/EntityQueryId" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/DataConnector" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/EntityQuery" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { - "get": { - "x-ms-examples": { - "Get all incidents.": { - "$ref": "./examples/incidents/GetIncidents.json" - } + "delete": { + "x-ms-examples": { + "Delete an Office365 data connector.": { + "$ref": "./examples/dataConnectors/DeleteOfficeDataConnetor.json" + } + }, + "tags": [ + "Data Connectors" + ], + "description": "Delete the data connector.", + "operationId": "DataConnectors_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Incidents" - ], - "description": "Gets all incidents.", - "operationId": "Incidents_List", - "parameters": [ - { - "$ref": 
"#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" }, - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/DataConnectorId" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { - "get": { - "x-ms-examples": { - "Get an incident.": { - "$ref": "./examples/incidents/GetIncidentById.json" - } + ], + "responses": { + "200": { + "description": "OK" }, - "tags": [ - "Incidents" - ], - "description": "Gets an incident.", - "operationId": "Incidents_Get", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - 
{ - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } - }, - "put": { - "x-ms-examples": { - "Creates or updates an incident.": { - "$ref": "./examples/incidents/CreateIncident.json" - } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements": { + "post": { + "x-ms-examples": { + "Check requirements for TI.": { + "$ref": "./examples/dataConnectors/CheckRequirementsThreatIntelligence.json" }, - "tags": [ - "Incidents" - ], - "description": "Creates or updates the incident.", - "operationId": "Incidents_CreateOrUpdate", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/Incident" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/Incident" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "Check requirements for TI Taxii.": { + "$ref": 
"./examples/dataConnectors/CheckRequirementsThreatIntelligenceTaxii.json" + }, + "Check requirements for AAD.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectory.json" + }, + "Check requirements for AAD - no license.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoLicense.json" + }, + "Check requirements for AAD - no authorization.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureActiveDirectoryNoAuthorization.json" + }, + "Check requirements for ASC.": { + "$ref": "./examples/dataConnectors/CheckRequirementsAzureSecurityCenter.json" + }, + "Check requirements for Mcas.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftCloudAppSecurity.json" + }, + "Check requirements for Mdatp.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMdatp.json" + }, + "Check requirements for OfficeATP.": { + "$ref": "./examples/dataConnectors/CheckRequirementsOfficeATP.json" + }, + "Check requirements for Dynamics365.": { + "$ref": "./examples/dataConnectors/CheckRequirementsDynamics365.json" + }, + "Check requirements for MicrosoftThreatProtection.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatProtection.json" + }, + "Check requirements for MicrosoftThreatIntelligence.": { + "$ref": "./examples/dataConnectors/CheckRequirementsMicrosoftThreatIntelligence.json" } }, - "delete": { - "x-ms-examples": { - "Delete an incident.": { - "$ref": "./examples/incidents/DeleteIncident.json" - } + "tags": [ + "Check Data Connector Requirements" + ], + "description": "Get requirements state for a data connector type.", + "operationId": "DataConnectorsCheckRequirements_Post", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "Incidents" - ], - "description": "Delete the incident.", - "operationId": "Incidents_Delete", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/DataConnectorsCheckRequirementsBody" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { - "post": { - "x-ms-examples": { - "Get all incident alerts.": { - "$ref": "./examples/incidents/GetAllIncidentAlerts.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/DataConnectorRequirementsState" } }, - "tags": [ - "IncidentAlerts" - ], - "description": "Gets all incident alerts.", - "operationId": "Incidents_ListOfAlerts", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { 
- "$ref": "#/definitions/IncidentAlertList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { - "post": { - "x-ms-examples": { - "Get all incident bookmarks.": { - "$ref": "./examples/incidents/GetAllIncidentBookmarks.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities": { + "get": { + "x-ms-examples": { + "Get all entities.": { + "$ref": "./examples/entities/GetEntities.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Gets all entities.", + "operationId": "Entities_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "IncidentBookmarks" - ], - "description": "Gets all incident bookmarks.", - "operationId": "Incidents_ListOfBookmarks", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentBookmarkList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { - "get": { - "x-ms-examples": { - "Get all incident comments.": { - "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityList" } }, - "tags": [ - "IncidentComments" - ], - "description": "Gets all incident comments.", - "operationId": "IncidentComments_ListByIncident", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentCommentList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } - }, - "x-ms-odata": "#/definitions/IncidentComment", - "x-ms-pageable": { - "nextLinkName": "nextLink" } + }, + 
"x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { - "get": { - "x-ms-examples": { - "Get an incident comment.": { - "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}": { + "get": { + "x-ms-examples": { + "Get an account entity.": { + "$ref": "./examples/entities/GetAccountEntityById.json" }, - "tags": [ - "IncidentComments" - ], - "description": "Gets an incident comment.", - "operationId": "IncidentComments_GetComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + "Get a host entity.": { + "$ref": "./examples/entities/GetHostEntityById.json" + }, + "Get a file entity.": { + "$ref": "./examples/entities/GetFileEntityById.json" + }, + "Get a security alert entity.": { + "$ref": "./examples/entities/GetSecurityAlertEntityById.json" + }, + "Get a file hash entity.": { + "$ref": "./examples/entities/GetFileHashEntityById.json" + }, + "Get a 
malware entity.": { + "$ref": "./examples/entities/GetMalwareEntityById.json" + }, + "Get a security group entity.": { + "$ref": "./examples/entities/GetSecurityGroupEntityById.json" + }, + "Get an azure resource entity.": { + "$ref": "./examples/entities/GetAzureResourceEntityById.json" + }, + "Get a cloud application entity.": { + "$ref": "./examples/entities/GetCloudApplicationEntityById.json" + }, + "Get a process entity.": { + "$ref": "./examples/entities/GetProcessEntityById.json" + }, + "Get a dns entity.": { + "$ref": "./examples/entities/GetDnsEntityById.json" + }, + "Get an ip entity.": { + "$ref": "./examples/entities/GetIpEntityById.json" + }, + "Get a registry key entity.": { + "$ref": "./examples/entities/GetRegistryKeyEntityById.json" + }, + "Get a registry value entity.": { + "$ref": "./examples/entities/GetRegistryValueEntityById.json" + }, + "Get a url entity.": { + "$ref": "./examples/entities/GetUrlEntityById.json" + }, + "Get an IoT device entity.": { + "$ref": "./examples/entities/GetIoTDeviceEntityById.json" + }, + "Get a mailCluster entity.": { + "$ref": "./examples/entities/GetMailClusterEntityById.json" + }, + "Get a mailbox entity.": { + "$ref": "./examples/entities/GetMailboxEntityById.json" + }, + "Get a mailMessage entity.": { + "$ref": "./examples/entities/GetMailMessageEntityById.json" + }, + "Get a submissionMail entity.": { + "$ref": "./examples/entities/GetSubmissionMailEntityById.json" } }, - "put": { - "x-ms-examples": { - "Creates or updates an incident comment.": { - "$ref": "./examples/incidents/comments/CreateIncidentComment.json" - } + "tags": [ + "Entities" + ], + "description": "Gets an entity.", + "operationId": "Entities_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "IncidentComments" - ], - "description": "Creates or updates the incident comment.", - "operationId": "IncidentComments_CreateComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - }, - { - "$ref": "#/parameters/IncidentComment" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "201": { - "description": "Created", - "schema": { - "$ref": "#/definitions/IncidentComment" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" } - }, - "delete": { - "x-ms-examples": { - "Delete the incident comment.": { - "$ref": "./examples/incidents/comments/DeleteIncidentComment.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Entity" } }, - "tags": [ - "IncidentComments" - ], - "description": "Delete the incident comment.", - "operationId": "IncidentComments_DeleteComment", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/IncidentCommentId" - } - ], - "responses": { - "200": { - 
"description": "OK" - }, - "204": { - "description": "No Content" - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { - "post": { - "x-ms-examples": { - "Gets all incident related entities": { - "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/expand": { + "post": { + "x-ms-examples": { + "Expand an entity": { + "$ref": "./examples/entities/expand/PostExpandEntity.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Expands an entity.", + "operationId": "Entities_Expand", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "IncidentEntities" - ], - "description": "Gets all incident related entities.", - "operationId": "Incidents_ListOfEntities", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": 
"#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityExpandRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityExpandResponse" } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/IncidentEntitiesResponse" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { - "get": { - "x-ms-examples": { - "Get all incident relations.": { - "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getTimeline": { + "post": { + "x-ms-examples": { + "Entity timeline": { + "$ref": "./examples/entities/timeline/PostTimelineEntity.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Timeline for an entity.", + "operationId": "EntitiesGetTimeline_list", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "IncidentRelations" - ], - "description": "Gets all incident relations.", - "operationId": "IncidentRelations_List", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": 
"#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/ODataFilter" - }, - { - "$ref": "#/parameters/ODataOrderBy" - }, - { - "$ref": "#/parameters/ODataTop" - }, - { - "$ref": "#/parameters/ODataSkipToken" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/RelationList" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "x-ms-odata": "#/definitions/Relation", - "x-ms-pageable": { - "nextLinkName": "nextLink" + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntityTimelineRequestBody" } - } - }, - "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { - "get": { - "x-ms-examples": { - "Get an incident relation.": { - "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityTimelineResponse" } }, - "tags": [ - "IncidentRelations" - ], - "description": "Gets an incident relation.", - "operationId": "IncidentRelations_GetRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" 
- }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/RelationName" - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/Relation" - } - }, - "default": { - "description": "Error response describing why the operation failed.", - "schema": { - "$ref": "#/definitions/CloudError" - } + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { + "get": { + "x-ms-examples": { + "Get Entity Query": { + "$ref": "./examples/entities/GetQueries.json" + } }, - "put": { - "x-ms-examples": { - "Creates or updates an incident relation.": { - "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" - } + "tags": [ + "Entities" + ], + "description": "Get Insights and Activities for an entity.", + "operationId": "Entities_Queries", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "tags": [ - "IncidentRelations" - ], - "description": "Creates or updates the incident relation.", - "operationId": "IncidentRelations_CreateOrUpdateRelation", - "parameters": [ - { - "$ref": "#/parameters/ApiVersion" - }, - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" - }, - { - "$ref": "#/parameters/ResourceGroupName" - }, - { - "$ref": "#/parameters/OperationalInsightsResourceProvider" - }, - { - "$ref": "#/parameters/WorkspaceName" - }, - { - "$ref": "#/parameters/IncidentId" - }, - { - "$ref": "#/parameters/RelationName" - }, - { - "$ref": "#/parameters/Relation" - } - ], - "responses": { - "200": { - "description": "OK", 
- "schema": {
- "$ref": "#/definitions/Relation"
- }
- },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/Relation"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/EntityId"
+ },
+ {
+ "$ref": "#/parameters/EntityQueryKindParam"
 }
- },
- "delete": {
- "x-ms-examples": {
- "Delete the incident relation.": {
- "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/GetQueriesResponse"
 }
 },
- "tags": [
- "IncidentRelations"
- ],
- "description": "Delete the incident relation.",
- "operationId": "IncidentRelations_DeleteRelation",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/IncidentId"
- },
- {
- "$ref": "#/parameters/RelationName"
- }
- ],
- "responses": {
- "200": {
- "description": "OK"
- },
- "204": {
- "description": "No Content"
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
 }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": {
- "get": {
- "x-ms-examples": {
- "Get all watchlists.": {
- "$ref": "./examples/watchlists/GetWatchlists.json"
- }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": {
+ "post": {
+ "x-ms-examples": {
+ "Entity Insight": {
+ "$ref": "./examples/entities/insights/PostGetInsights.json"
+ }
+ },
+ "tags": [
+ "Entities"
+ ],
+ "description": "Execute Insights for an entity.",
+ "operationId": "Entities_GetInsights",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "Watchlists"
- ],
- "description": "Gets all watchlists, without watchlist items.",
- "operationId": "Watchlists_List",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/WatchlistList"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
 },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/EntityId"
+ },
+ {
+ "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody"
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": {
- "get": {
- "x-ms-examples": {
- "Get a watchlist.": {
- "$ref": "./examples/watchlists/GetWatchlistByAlias.json"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/EntityGetInsightsResponse"
 }
 },
- "tags": [
- "Watchlists"
- ],
- "description": "Gets a watchlist, without its watchlist items.",
- "operationId": "Watchlists_Get",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/Watchlist"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": {
+ "get": {
+ "x-ms-examples": {
+ "Get all relations of an entity.": {
+ "$ref": "./examples/entities/relations/GetAllEntityRelations.json"
+ }
 },
- "delete": {
- "x-ms-examples": {
- "Delete a watchlist.": {
- "$ref": "./examples/watchlists/DeleteWatchlist.json"
- }
+ "tags": [
+ "EntityRelations"
+ ],
+ "description": "Gets all relations of an entity.",
+ "operationId": "EntitiesRelations_List",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "Watchlists"
- ],
- "description": "Delete a watchlist.",
- "operationId": "Watchlists_Delete",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/EntityId"
+ },
+ {
+ "$ref": "#/parameters/ODataFilter"
+ },
+ {
+ "$ref": "#/parameters/ODataOrderBy"
+ },
+ {
+ "$ref": "#/parameters/ODataTop"
+ },
+ {
+ "$ref": "#/parameters/ODataSkipToken"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/RelationList"
 }
- ],
- "responses": {
- "200": {
- "description": "OK"
- },
- "204": {
- "description": "No Content"
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
 },
- "put": {
- "x-ms-examples": {
- "Creates a watchlist.": {
- "$ref": "./examples/watchlists/CreateWatchlist.json"
- }
+ "x-ms-odata": "#/definitions/Relation",
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations/{relationName}": {
+ "get": {
+ "x-ms-examples": {
+ "Get an entity relation.": {
+ "$ref": "./examples/entities/relations/GetEntityRelationByName.json"
+ }
+ },
+ "tags": [
+ "EntityRelations"
+ ],
+ "description": "Gets an entity relation.",
+ "operationId": "EntityRelations_GetRelation",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "Watchlists"
- ],
- "description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint twice : the first call will create an empty Watchlist, and the second one will create its Items.",
- "operationId": "Watchlists_Create",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
- },
- {
- "$ref": "#/parameters/Watchlist"
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/EntityId"
+ },
+ {
+ "$ref": "#/parameters/RelationName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/Relation"
 }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/Watchlist"
- }
- },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/Watchlist"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
 }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": {
- "get": {
- "x-ms-examples": {
- "Get all watchlist Items.": {
- "$ref": "./examples/watchlists/GetWatchlistItems.json"
- }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents": {
+ "get": {
+ "x-ms-examples": {
+ "Get all office consents.": {
+ "$ref": "./examples/officeConsents/GetOfficeConsents.json"
+ }
+ },
+ "tags": [
+ "Office Consents"
+ ],
+ "description": "Gets all office365 consents.",
+ "operationId": "OfficeConsents_List",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "WatchlistItems"
- ],
- "description": "Gets all watchlist Items.",
- "operationId": "WatchlistItems_List",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/WatchlistItemList"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
 },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": {
- "get": {
- "x-ms-examples": {
- "Get a watchlist item.": {
- "$ref": "./examples/watchlists/GetWatchlistItemById.json"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/OfficeConsentList"
 }
 },
- "tags": [
- "WatchlistItems"
- ],
- "description": "Gets a watchlist, without its watchlist items.",
- "operationId": "WatchlistItems_Get",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
- },
- {
- "$ref": "#/parameters/WatchlistItemId"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/WatchlistItem"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
 },
- "delete": {
- "x-ms-examples": {
- "Delete a watchlist Item.": {
- "$ref": "./examples/watchlists/DeleteWatchlistItem.json"
- }
- },
- "tags": [
- "WatchlistItems"
- ],
- "description": "Delete a watchlist item.",
- "operationId": "WatchlistItems_Delete",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
- },
- {
- "$ref": "#/parameters/WatchlistItemId"
- }
- ],
- "responses": {
- "200": {
- "description": "OK"
- },
- "204": {
- "description": "No Content"
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/officeConsents/{consentId}": {
+ "get": {
+ "x-ms-examples": {
+ "Get an office consent.": {
+ "$ref": "./examples/officeConsents/GetOfficeConsentsById.json"
 }
 },
- "put": {
- "x-ms-examples": {
- "Creates or updates a watchlist item.": {
- "$ref": "./examples/watchlists/CreateWatchlistItem.json"
- }
+ "tags": [
+ "Office Consents"
+ ],
+ "description": "Gets an office365 consent.",
+ "operationId": "OfficeConsents_Get",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "WatchlistItems"
- ],
- "description": "Creates or updates a watchlist item.",
- "operationId": "WatchlistItems_CreateOrUpdate",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/WatchlistAlias"
- },
- {
- "$ref": "#/parameters/WatchlistItemId"
- },
- {
- "$ref": "#/parameters/WatchlistItem"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/WatchlistItem"
- }
- },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/WatchlistItem"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/ConsentId"
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": {
- "post": {
- "x-ms-examples": {
- "Create a new Threat Intelligence": {
- "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/OfficeConsent"
 }
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Create a new threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_CreateIndicator",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceProperties"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to create indicators.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
 }
 },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": {
- "get": {
- "x-ms-examples": {
- "Get all threat intelligence indicators": {
- "$ref": "./examples/threatintelligence/GetThreatIntelligence.json"
- }
+ "delete": {
+ "x-ms-examples": {
+ "Delete an office consent.": {
+ "$ref": "./examples/officeConsents/DeleteOfficeConsents.json"
+ }
+ },
+ "tags": [
+ "Office Consents"
+ ],
+ "description": "Delete the office365 consent.",
+ "operationId": "OfficeConsents_Delete",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Get all threat intelligence indicators.",
- "operationId": "ThreatIntelligenceIndicators_List",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ODataFilter"
- },
- {
- "$ref": "#/parameters/ODataTop"
- },
- {
- "$ref": "#/parameters/ODataSkipToken"
- },
- {
- "$ref": "#/parameters/ODataOrderBy"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformationList"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to get indicators.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
 },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
+ {
+ "$ref": "#/parameters/ConsentId"
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": {
- "get": {
- "x-ms-examples": {
- "View a threat intelligence indicator by name": {
- "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json"
- }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "View a threat intelligence indicator by name.",
- "operationId": "ThreatIntelligenceIndicator_Get",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to view an indicator.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
- },
- "put": {
- "x-ms-examples": {
- "Update a threat Intelligence indicator": {
- "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json"
- }
- },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Update a threat Intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_Create",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceProperties"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "201": {
- "description": "Created",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to update an indicator.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings": {
+ "get": {
+ "x-ms-examples": {
+ "Get EyesOn settings.": {
+ "$ref": "./examples/settings/GetAllSettings.json"
 }
 },
- "delete": {
- "x-ms-examples": {
- "Delete a threat intelligence indicator": {
- "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json"
- }
- },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Delete a threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_Delete",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
- }
- ],
- "responses": {
- "200": {
- "description": "OK"
- },
- "204": {
- "description": "No Content"
- },
- "default": {
- "description": "Error response describing why the operation failed to delete an indicator.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": {
- "post": {
- "x-ms-examples": {
- "Query threat intelligence indicators as per filtering criteria": {
- "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json"
- }
+ "tags": [
+ "Settings"
+ ],
+ "description": "List of all the settings",
+ "operationId": "ProductSettings_GetAll",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Query threat intelligence indicators as per filtering criteria.",
- "operationId": "ThreatIntelligenceIndicator_QueryIndicators",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformationList"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
 },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": {
- "get": {
- "x-ms-examples": {
- "Get threat intelligence indicators metrics.": {
- "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json"
- }
+ {
+ "$ref": "#/parameters/ResourceGroupName"
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).",
- "operationId": "ThreatIntelligenceIndicatorMetrics_List",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceMetricsList"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to get metrics.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": {
- "post": {
- "x-ms-examples": {
- "Append tags to a threat intelligence indicator": {
- "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json"
- }
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Append tags to a threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_AppendTags",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceAppendTags"
- }
- ],
- "responses": {
- "200": {
- "description": "OK"
- },
- "default": {
- "description": "Error response describing why the operation failed to append tags.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
- }
+ {
+ "$ref": "#/parameters/WorkspaceName"
 }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": {
- "post": {
- "x-ms-examples": {
- "Replace tags to a Threat Intelligence": {
- "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json"
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/SettingList"
 }
 },
- "tags": [
- "ThreatIntelligence"
- ],
- "description": "Replace tags added to a threat intelligence indicator.",
- "operationId": "ThreatIntelligenceIndicator_ReplaceTags",
- "parameters": [
- {
- "$ref": "#/parameters/ApiVersion"
- },
- {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
- },
- {
- "$ref": "#/parameters/ResourceGroupName"
- },
- {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
- },
- {
- "$ref": "#/parameters/WorkspaceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceName"
- },
- {
- "$ref": "#/parameters/ThreatIntelligenceReplaceTags"
- }
- ],
- "responses": {
- "200": {
- "description": "OK",
- "schema": {
- "$ref": "#/definitions/ThreatIntelligenceInformation"
- }
- },
- "default": {
- "description": "Error response describing why the operation failed to replace tags.",
- "schema": {
- "$ref": "#/definitions/CloudError"
- }
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
 }
 }
 }
 }
 },
- "definitions": {
- "MLBehaviorAnalyticsAlertRule": {
- "allOf": [
- {
- "$ref": "#/definitions/AlertRule"
- }
- ],
- "description": "Represents MLBehaviorAnalytics alert rule.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties",
- "description": "MLBehaviorAnalytics alert rule properties",
- "x-ms-client-flatten": true
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/settings/{settingsName}": {
+ "get": {
+ "x-ms-examples": {
+ "Get EyesOn settings.": {
+ "$ref": "./examples/settings/GetEyesOnSetting.json"
 }
 },
- "type": "object",
- "x-ms-discriminator-value": "MLBehaviorAnalytics"
- },
- "MLBehaviorAnalyticsAlertRuleProperties": {
- "description": "MLBehaviorAnalytics alert rule base property bag.",
- "properties": {
- "alertRuleTemplateName": {
- "description": "The Name of the alert rule template used to create this rule.",
- "type": "string"
- },
- "description": {
- "description": "The description of the alert rule.",
- "readOnly": true,
- "type": "string"
+ "tags": [
+ "Settings"
+ ],
+ "description": "Gets a setting.",
+ "operationId": "ProductSettings_Get",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
 },
- "displayName": {
- "description": "The display name for alerts created by this alert rule.",
- "readOnly": true,
- "type": "string"
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
 },
- "enabled": {
- "description": "Determines whether this alert rule is enabled or disabled.",
- "type": "boolean"
+ {
+ "$ref": "#/parameters/ResourceGroupName"
 },
- "lastModifiedUtc": {
- "description": "The last time that this alert rule has been modified.",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
 },
- "severity": {
- "$ref": "#/definitions/AlertSeverity",
- "description": "The severity for alerts created by this alert rule.",
- "readOnly": true
+ {
+ "$ref": "#/parameters/WorkspaceName"
 },
- "tactics": {
- "description": "The tactics of the alert rule",
- "items": {
- "$ref": "#/definitions/AttackTactic"
- },
- "readOnly": true,
- "type": "array"
- }
- },
- "required": [
- "alertRuleTemplateName",
- "enabled"
- ],
- "type": "object"
- },
- "MLBehaviorAnalyticsAlertRuleTemplate": {
- "allOf": [
 {
- "$ref": "#/definitions/AlertRuleTemplate"
+ "$ref": "#/parameters/SettingsName"
 }
 ],
- "description": "Represents MLBehaviorAnalytics alert rule template.",
- "properties": {
- "properties": {
- "allOf": [
- {
- "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
- }
- ],
- "description": "MLBehaviorAnalytics alert rule template properties.",
- "properties": {
- "severity": {
- "$ref": "#/definitions/AlertSeverity",
- "description": "The severity for alerts created by this alert rule."
- },
- "tactics": {
- "description": "The tactics of the alert rule template.",
- "items": {
- "$ref": "#/definitions/AttackTactic"
- },
- "type": "array"
- }
- },
- "required": [
- "displayName",
- "description",
- "status",
- "severity",
- "alertRulesCreatedByTemplateCount"
- ],
- "x-ms-client-flatten": true
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/Settings"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
 }
- },
- "type": "object",
- "x-ms-discriminator-value": "MLBehaviorAnalytics"
+ }
 },
- "AADDataConnector": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnector"
- }
- ],
- "description": "Represents AAD (Azure Active Directory) data connector.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/AADDataConnectorProperties",
- "description": "AAD (Azure Active Directory) data connector properties.",
- "x-ms-client-flatten": true
+ "delete": {
+ "x-ms-examples": {
+ "Delete EyesOn settings.": {
+ "$ref": "./examples/settings/DeleteEyesOnSetting.json"
 }
 },
- "type": "object",
- "x-ms-discriminator-value": "AzureActiveDirectory"
- },
- "AADDataConnectorProperties": {
- "allOf": [
+ "tags": [
+ "Settings"
+ ],
+ "description": "Delete setting of the product.",
+ "operationId": "ProductSettings_Delete",
+ "parameters": [
 {
- "$ref": "#/definitions/DataConnectorTenantId"
+ "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "#/definitions/DataConnectorWithAlertsProperties"
- }
- ],
- "description": "AAD (Azure Active Directory) data connector properties.",
- "type": "object"
- },
- "AADCheckRequirements": {
- "allOf": [
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
 {
- "$ref": "#/definitions/DataConnectorsCheckRequirements"
- }
- ],
- "description": "Represents AAD (Azure Active Directory) requirements check request.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/AADCheckRequirementsProperties",
- "description": "AAD (Azure Active Directory) requirements check properties.",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "AzureActiveDirectory"
- },
- "AADCheckRequirementsProperties": {
- "allOf": [
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
 {
- "$ref": "#/definitions/DataConnectorTenantId"
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/SettingsName"
 }
 ],
- "description": "AAD (Azure Active Directory) requirements check properties.",
- "type": "object"
- },
- "AATPDataConnector": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnector"
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
 }
- ],
- "description": "Represents AATP (Azure Advanced Threat Protection) data connector.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/AATPDataConnectorProperties",
- "description": "AATP (Azure Advanced Threat Protection) data connector properties.",
- "x-ms-client-flatten": true
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Update EyesOn settings.": {
+ "$ref": "./examples/settings/UpdateEyesOnSetting.json"
 }
 },
- "type": "object",
- "x-ms-discriminator-value": "AzureAdvancedThreatProtection"
- },
- "AATPDataConnectorProperties": {
- "allOf": [
+ "tags": [
+ "Settings"
+ ],
+ "description": "Updates setting.",
+ "operationId": "ProductSettings_Update",
+ "parameters": [
 {
- "$ref": "#/definitions/DataConnectorTenantId"
+ "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "#/definitions/DataConnectorWithAlertsProperties"
- }
- ],
- "description": "AATP (Azure Advanced Threat Protection) data connector properties.",
- "type": "object"
- },
- "AATPCheckRequirements": {
- "allOf": [
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
 {
- "$ref": "#/definitions/DataConnectorsCheckRequirements"
- }
- ],
- "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/AATPCheckRequirementsProperties",
- "description": "AATP (Azure Advanced Threat Protection) requirements check properties.",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "AzureAdvancedThreatProtection"
- },
- "AATPCheckRequirementsProperties": {
- "allOf": [
+ "$ref": "#/parameters/ResourceGroupName"
+ },
 {
- "$ref": "#/definitions/DataConnectorTenantId"
- }
- ],
- "description": "AATP (Azure Advanced Threat Protection) requirements check properties.",
- "type": "object"
- },
- "MSTIDataConnector": {
- "allOf": [
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
 {
- "$ref": "#/definitions/DataConnector"
- }
- ],
- "description": "Represents Microsoft Threat Intelligence data connector.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/MSTIDataConnectorProperties",
- "description": "Microsoft Threat Intelligence data connector properties.",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "MicrosoftThreatIntelligence"
- },
- "MSTIDataConnectorDataTypes": {
- "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.",
- "properties": {
- "bingSafetyPhishingURL": {
- "allOf": [
- {
- "$ref": "#/definitions/DataConnectorDataTypeCommon"
- }
- ],
- "properties": {
- "lookbackPeriod": {
- "description": "lookback period",
- "type": "string"
- }
- },
- "description": "Data type for Microsoft Threat Intelligence Platforms data connector.",
- "type": "object",
- "required": [
- "lookbackPeriod"
- ]
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/SettingsName" }, - "microsoftEmergingThreatFeed": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "properties": { - "lookbackPeriod": { - "description": "lookback period", - "type": "string" - } - }, - "description": "Data type for Microsoft Threat Intelligence Platforms data connector.", - "type": "object", - "required": [ - "lookbackPeriod" - ] - } - }, - "type": "object", - "required": [ - "bingSafetyPhishingURL", - "microsoftEmergingThreatFeed" - ] - }, - "MSTIDataConnectorProperties": { - "allOf": [ { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/parameters/Settings" } ], - "description": "Microsoft Threat Intelligence data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MSTIDataConnectorDataTypes", - "description": "The available data types for the connector." + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Settings" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/aggregations/{aggregationsName}": { + "get": { + "x-ms-examples": { + "Get aggregative data for all cases under the defined workspace, between the time range if specified.": { + "$ref": "./examples/aggregations/GetCasesAggregations.json" } }, - "required": [ - "dataTypes" + "tags": [ + "Aggregations" ], - "type": "object" - }, - "MSTICheckRequirements": { - "allOf": [ + "description": "Get aggregative result for the given resources under the defined workspace", + "operationId": "CasesAggregations_Get", + "parameters": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents Microsoft Threat Intelligence 
requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/MSTICheckRequirementsProperties", - "description": "Microsoft Threat Intelligence requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatIntelligence" - }, - "MSTICheckRequirementsProperties": { - "allOf": [ + "$ref": "#/parameters/ApiVersion" + }, { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Microsoft Threat Intelligence requirements check properties.", - "type": "object" - }, - "MTPDataConnector": { - "allOf": [ + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MTP (Microsoft Threat Protection) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MTPDataConnectorProperties", - "description": "MTP (Microsoft Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatProtection" - }, - "MTPDataConnectorDataTypes": { - "description": "The available data types for Microsoft Threat Protection Platforms data connector.", - "properties": { - "incidents": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Data type for Microsoft Threat Protection Platforms data connector.", - "type": "object" - } - }, - "type": "object", - "required": [ - "incidents" - ] - }, - "MTPDataConnectorProperties": { - "allOf": [ + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, { - "$ref": "#/definitions/DataConnectorTenantId" + "$ref": "#/parameters/AggregationsName" } ], - "description": "MTP (Microsoft Threat Protection) data connector properties.", - "properties": { 
- "dataTypes": { - "$ref": "#/definitions/MTPDataConnectorDataTypes", - "description": "The available data types for the connector." + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Aggregations" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries": { + "get": { + "x-ms-examples": { + "Get all entity queries.": { + "$ref": "./examples/entityQueries/GetEntityQueries.json" } }, - "required": [ - "dataTypes" + "tags": [ + "EntityQueries" ], - "type": "object" - }, - "MtpCheckRequirements": { - "allOf": [ + "description": "Gets all entity queries.", + "operationId": "EntityQueries_List", + "parameters": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MTP (Microsoft Threat Protection) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/MTPCheckRequirementsProperties", - "description": "MTP (Microsoft Threat Protection) requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftThreatProtection" - }, - "MTPCheckRequirementsProperties": { - "allOf": [ + "$ref": "#/parameters/ApiVersion" + }, { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MTP (Microsoft Threat Protection) requirements check properties.", - "type": "object" - }, - "ASCDataConnector": { - "allOf": [ + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents ASC (Azure Security Center) data connector.", - "properties": { - "properties": { 
- "$ref": "#/definitions/ASCDataConnectorProperties", - "description": "ASC (Azure Security Center) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" - }, - "ASCDataConnectorProperties": { - "allOf": [ + "$ref": "#/parameters/ResourceGroupName" + }, { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "ASC (Azure Security Center) data connector properties.", - "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" - } - }, - "type": "object" - }, - "ASCCheckRequirements": { - "allOf": [ + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, { - "$ref": "#/definitions/DataConnectorsCheckRequirements" + "$ref": "#/parameters/WorkspaceName" } ], - "description": "Represents ASC (Azure Security Center) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/ASCCheckRequirementsProperties", - "description": "ASC (Azure Security Center) requirements check properties.", - "x-ms-client-flatten": true + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQueryList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "type": "object", - "x-ms-discriminator-value": "AzureSecurityCenter" - }, - "ASCCheckRequirementsProperties": { - "description": "ASC (Azure Security Center) requirements check properties.", - "properties": { - "subscriptionId": { - "description": "The subscription id to connect to, and get the data from.", - "type": "string" + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entityQueries/{entityQueryId}": { + "get": { + "x-ms-examples": { + "Get an entity query.": { + "$ref": "./examples/entityQueries/GetExpansionEntityQueryById.json" } }, - "type": "object" - }, - "AccountEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } + "tags": [ + "EntityQueries" ], - "description": "Represents an account entity.", - "properties": { - "properties": { - "$ref": "#/definitions/AccountEntityProperties", - "description": "Account entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Account" - }, - "AccountEntityProperties": { - "allOf": [ + "description": "Gets an entity query.", + "operationId": "EntityQueries_Get", + "parameters": [ { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Account entity property bag.", - "properties": { - "aadTenantId": { - "description": "The Azure Active Directory tenant id.", - "readOnly": true, - "type": "string" - }, - "aadUserId": { - "description": "The Azure Active Directory user id.", - "readOnly": true, - "type": "string" + "$ref": "#/parameters/ApiVersion" }, - "accountName": { - "description": "The name of the account. This field should hold only the name without any domain added to it, i.e. 
administrator.", - "readOnly": true, - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "displayName": { - "description": "The display name of the account.", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "hostEntityId": { - "description": "The Host entity id that contains the account in case it is a local account (not domain joined)", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "isDomainJoined": { - "description": "Determines whether this is a domain account.", - "readOnly": true, - "type": "boolean" + { + "$ref": "#/parameters/WorkspaceName" }, - "ntDomain": { - "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. Examples: NT AUTHORITY.", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/EntityQueryId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityQuery" + } }, - "objectGuid": { - "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", - "readOnly": true, - "type": "string" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": { + "get": { + "x-ms-examples": { + "Get all incidents.": { + "$ref": "./examples/incidents/GetIncidents.json" + } + }, + "tags": [ + "Incidents" + ], + "description": "Gets all incidents.", + "operationId": "Incidents_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "puid": { - "description": "The Azure 
Active Directory Passport User ID.", - "readOnly": true, - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "sid": { - "description": "The account security identifier, e.g. S-1-5-18.", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "upnSuffix": { - "description": "The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "dnsDomain": { - "description": "The fully qualified domain DNS name.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "ActionRequest": { - "allOf": [ { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/ODataFilter" + }, + { + "$ref": "#/parameters/ODataOrderBy" + }, + { + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } ], - "description": "Action for alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ActionRequestProperties", - "description": "Action properties for put request", - "x-ms-client-flatten": true + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "type": "object" - }, - "ActionPropertiesBase": { - "description": "Action property bag base.", - "properties": { - "logicAppResourceId": { - "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.", - "type": "string" + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": { + "get": { + "x-ms-examples": { + "Get an incident.": { + "$ref": "./examples/incidents/GetIncidentById.json" } }, - "required": [ - "logicAppResourceId" + "tags": [ + "Incidents" ], - "type": "object" - }, - "ActionRequestProperties": { - "allOf": [ + "description": "Gets an incident.", + "operationId": "Incidents_Get", + "parameters": [ { - "$ref": "#/definitions/ActionPropertiesBase" - } - ], - "description": "Action property bag.", - "properties": { - "triggerUri": { - "description": "Logic App Callback URL for this specific workflow.", - "type": "string" - } - }, - "required": [ - "triggerUri" - ], - "type": "object" - }, - "ActionResponse": { - "allOf": [ + "$ref": "#/parameters/ApiVersion" + }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - } - ], - "description": "Action for alert rule.", - "properties": { - "etag": { - "description": "Etag of the action.", - "type": "string" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "properties": { - "$ref": "#/definitions/ActionResponseProperties", - "description": "Action properties for get request", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "ActionResponseProperties": { - "allOf": [ { - "$ref": "#/definitions/ActionPropertiesBase" - } - ], - "description": "Action property bag.", - "properties": { - "workflowId": { - "description": "The name of the logic app's workflow.", - "type": "string" - } - }, - "type": "object" - }, - "ActionsList": { - "description": "List all the actions.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of actions.", - "readOnly": true, - "type": "string" + "$ref": "#/parameters/ResourceGroupName" + }, + { + 
"$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "value": { - "description": "Array of actions.", - "items": { - "$ref": "#/definitions/ActionResponse" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "Aggregations": { - "allOf": [ { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/definitions/AggregationsKind" + "$ref": "#/parameters/IncidentId" } ], - "description": "The aggregation.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AggregationsKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the setting", - "enum": [ - "CasesAggregation" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AggregationsKind" + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an incident.": { + "$ref": "./examples/incidents/CreateIncident.json" + } }, - "required": [ - "kind" + "tags": [ + "Incidents" ], - "type": "object" - }, - "AlertRule": { - "allOf": [ + "description": "Creates or updates the incident.", + "operationId": "Incidents_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" }, { - "$ref": 
"#/definitions/AlertRuleKind" + "$ref": "#/parameters/Incident" } ], - "description": "Alert rule.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the alert rule", - "enum": [ - "Scheduled", - "MicrosoftSecurityIncidentCreation", - "Fusion", - "MLBehaviorAnalytics", - "ThreatIntelligence" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertRuleKind", - "values": [ - { - "value": "Scheduled" - }, - { - "value": "MicrosoftSecurityIncidentCreation" - }, - { - "value": "Fusion" - }, - { - "value": "MLBehaviorAnalytics" - }, - { - "value": "ThreatIntelligence" - } - ] + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Incident" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Incident" } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an incident.": { + "$ref": "./examples/incidents/DeleteIncident.json" } }, - "required": [ - "kind" + "tags": [ + "Incidents" ], - "type": "object" - }, - "AlertRuleTemplate": { - "allOf": [ + "description": "Delete the incident.", + "operationId": "Incidents_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + "$ref": "#/parameters/WorkspaceName" }, { - "$ref": "#/definitions/AlertRuleKind" + "$ref": "#/parameters/IncidentId" } ], - "description": "Alert 
rule template.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "AlertRuleTemplateDataSource": { - "description": "alert rule template data sources", - "properties": { - "connectorId": { - "description": "The connector id that provides the following data types", - "type": "string" + "responses": { + "200": { + "description": "OK" }, - "dataTypes": { - "description": "The data types used by the alert rule template", - "items": { - "type": "string" - }, - "type": "array" + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": { + "post": { + "x-ms-examples": { + "Get all incident alerts.": { + "$ref": "./examples/incidents/GetAllIncidentAlerts.json" } }, - "type": "object" - }, - "AlertRuleTemplatePropertiesBase": { - "description": "Base alert rule template property bag.", - "properties": { - "alertRulesCreatedByTemplateCount": { - "description": "the number of alert rules that were created by this template", - "type": "integer" - }, - "lastUpdatedDateUTC": { - "description": "The last time that this alert rule template has been updated.", - "format": "date-time", - "readOnly": true, - "type": "string" + "tags": [ + "IncidentAlerts" + ], + "description": "Gets all incident alerts.", + "operationId": "Incidents_ListOfAlerts", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "createdDateUTC": { - "description": "The time that this alert rule template has been added.", - "format": "date-time", - "readOnly": true, - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "description": 
{ - "description": "The description of the alert rule template.", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "displayName": { - "description": "The display name for alert rule template.", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "requiredDataConnectors": { - "description": "The required data sources for this template", - "items": { - "$ref": "#/definitions/AlertRuleTemplateDataSource" - }, - "type": "array" + { + "$ref": "#/parameters/WorkspaceName" }, - "status": { - "description": "The alert rule template status.", - "enum": [ - "Installed", - "Available", - "NotAvailable" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TemplateStatus", - "values": [ - { - "description": "Alert rule template installed. and can not use more then once", - "value": "Installed" - }, - { - "description": "Alert rule template is available.", - "value": "Available" - }, - { - "description": "Alert rule template is not available", - "value": "NotAvailable" - } - ] - } - } - }, - "type": "object" - }, - "AlertRuleTemplatesList": { - "description": "List all the alert rule templates.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert rule templates.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of alert rule templates.", - "items": { - "$ref": "#/definitions/AlertRuleTemplate" - }, - "type": "array" + { + "$ref": "#/parameters/IncidentId" } - }, - "required": [ - "value" - ] - }, - "AlertRuleTriggerOperator": { - "description": "The operation against the threshold that triggers alert rule.", - "enum": [ - "GreaterThan", - "LessThan", - "Equal", - "NotEqual" ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "TriggerOperator" - } - }, - "AlertRulesList": { - "description": "List all the alert rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of alert 
rules.", - "readOnly": true, - "type": "string" + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentAlertList" + } }, - "value": { - "description": "Array of alert rules.", - "items": { - "$ref": "#/definitions/AlertRule" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } - ] + } } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Alerts data type connection.", - "type": "object" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": { + "post": { + "x-ms-examples": { + "Get all incident bookmarks.": { + "$ref": "./examples/incidents/GetAllIncidentBookmarks.json" } }, - "type": "object", - "required": [ - "alerts" - ] - }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - 
"Impact", - "PreAttack" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, - "AwsCloudTrailDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } + "tags": [ + "IncidentBookmarks" ], - "description": "Represents Amazon Web Services CloudTrail data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", - "description": "Amazon Web Services CloudTrail data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AwsCloudTrailDataConnectorDataTypes": { - "description": "The available data types for Amazon Web Services CloudTrail data connector.", - "properties": { - "logs": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Logs data type.", - "type": "object" - } - }, - "type": "object", - "required": [ - "logs" - ] - }, - "AwsCloudTrailDataConnectorProperties": { - "description": "Amazon Web Services CloudTrail data connector properties.", - "properties": { - "awsRoleArn": { - "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", - "type": "string" + "description": "Gets all incident bookmarks.", + "operationId": "Incidents_ListOfBookmarks", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "dataTypes": { - "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", - "description": "The available data types for the connector." 
- } - }, - "required": [ - "dataTypes" - ], - "type": "object" - }, - "AwsCloudTrailCheckRequirements": { - "allOf": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Amazon Web Services CloudTrail requirements check request.", - "type": "object", - "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" - }, - "AzureResourceEntity": { - "allOf": [ + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an azure resource entity.", - "properties": { - "properties": { - "$ref": "#/definitions/AzureResourceEntityProperties", - "description": "AzureResource entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "AzureResource" - }, - "AzureResourceEntityProperties": { - "allOf": [ + "$ref": "#/parameters/ResourceGroupName" + }, { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "AzureResource entity property bag.", - "properties": { - "resourceId": { - "description": "The azure resource id of the resource", - "readOnly": true, - "type": "string" + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "subscriptionId": { - "description": "The subscription id of the resource", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "RelationBase": { - "type": "object", - "description": "Represents a relation", - "allOf": [ { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + "$ref": "#/parameters/WorkspaceName" }, { - "type": "object", - "properties": { - "kind": { - "type": "string", - "description": "The type of relation node", - "readOnly": true, - "enum": [ - "CasesToBookmarks" - ], - "x-ms-enum": { - "name": "RelationTypes", - "modelAsString": true, - "values": [ - { - "value": "CasesToBookmarks", - "description": "Relations between cases and 
bookmarks" - } - ] - } - }, - "etag": { - "type": "string", - "description": "ETag for relation" - } - } + "$ref": "#/parameters/IncidentId" } - ] - }, - "CaseRelationList": { - "description": "List of case relations.", - "properties": { - "nextLink": { - "readOnly": true, - "description": "URL to fetch the next set of relations.", - "type": "string" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentBookmarkList" + } }, - "value": { - "description": "Array of relations.", - "type": "array", - "items": { - "$ref": "#/definitions/CaseRelation" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } - }, - "required": [ - "value" - ] - }, - "CaseRelation": { - "type": "object", - "description": "Represents a case relation", - "allOf": [ - { - "$ref": "#/definitions/RelationBase" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": { + "get": { + "x-ms-examples": { + "Get all incident comments.": { + "$ref": "./examples/incidents/comments/GetAllIncidentComments.json" } + }, + "tags": [ + "IncidentComments" ], - "properties": { - "properties": { - "x-ms-client-flatten": true, - "description": "Case relation properties", - "$ref": "#/definitions/CaseRelationProperties" - } - } - }, - "CaseRelationProperties": { - "type": "object", - "description": "Case relation properties", - "properties": { - "relationName": { - "type": "string", - "description": "Name of relation" + "description": "Gets all incident comments.", + "operationId": "IncidentComments_ListByIncident", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "bookmarkId": { - "type": "string", - "description": "The case related bookmark id" + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "caseIdentifier": { - "type": "string", - "description": "The case identifier" + { + "$ref": "#/parameters/ResourceGroupName" }, - "bookmarkName": { - "type": "string", - "description": "The case related bookmark name" - } - }, - "required": [ - "relationName", - "caseIdentifier", - "bookmarkId" - ] - }, - "RelationsModelInput": { - "type": "object", - "description": "Relation input model", - "allOf": [ { - "$ref": "#/definitions/RelationBase" - } - ], - "properties": { - "properties": { - "x-ms-client-flatten": true, - "description": "Relation input properties", - "$ref": "#/definitions/RelationsModelInputProperties" - } - } - }, - "RelationsModelInputProperties": { - "type": "object", - "description": "Relation input properties", - "properties": { - "relationName": { - "type": "string", - "description": "Name of relation" + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "sourceRelationNode": { - "type": "object", - "description": "Relation source node", - "$ref": "#/definitions/RelationNode" + { + "$ref": "#/parameters/WorkspaceName" }, - "targetRelationNode": { - "type": "object", - "description": "Relation target node", - "$ref": "#/definitions/RelationNode" - } - } - }, - "RelationNode": { - "type": "object", - "description": "Relation node", - "properties": { - "relationNodeId": { - "type": "string", - "description": "Relation Node Id" + { + "$ref": "#/parameters/IncidentId" }, - "relationNodeKind": { - "type": "string", - "description": "The type of relation node", - "readOnly": true, - "enum": [ - "Case", - "Bookmark" - ], - "x-ms-enum": { - "name": "RelationNodeKind", - "modelAsString": true, - "values": [ - { - "value": "Case", - "description": "Case node part of the relation" - }, - { - "value": "Bookmark", - "description": "Bookmark node part of the relation" - } - ] - } + { + "$ref": "#/parameters/ODataFilter" }, - "etag": { - 
"type": "string", - "description": "Etag for relation node" + { + "$ref": "#/parameters/ODataOrderBy" }, - "relationAdditionalProperties": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "Additional set of properties" - } - } - }, - "Bookmark": { - "allOf": [ { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "$ref": "#/parameters/ODataTop" + }, + { + "$ref": "#/parameters/ODataSkipToken" } ], - "description": "Represents a bookmark in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/BookmarkProperties", - "description": "Bookmark properties", - "x-ms-client-flatten": true + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentCommentList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "type": "object" - }, - "BookmarkList": { - "description": "List all the bookmarks.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of cases.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of bookmarks.", - "items": { - "$ref": "#/definitions/Bookmark" - }, - "type": "array" + "x-ms-odata": "#/definitions/IncidentComment", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": { + "get": { + "x-ms-examples": { + "Get an incident comment.": { + "$ref": "./examples/incidents/comments/GetIncidentCommentById.json" } }, - "required": [ - "value" - ] - }, - "BookmarkProperties": { - "description": "Describes bookmark properties", - "properties": { - "created": { - "description": "The time the bookmark was created", - "format": 
"date-time", - "type": "string" + "tags": [ + "IncidentComments" + ], + "description": "Gets an incident comment.", + "operationId": "IncidentComments_GetComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "query": { - "description": "The query of the bookmark.", - "type": "string" + { + "$ref": "#/parameters/IncidentId" }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" + { + "$ref": "#/parameters/IncidentCommentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentComment" + } }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an incident comment.": { + "$ref": "./examples/incidents/comments/CreateIncidentComment.json" + } + }, + "tags": [ + "IncidentComments" + ], + "description": "Creates or updates the incident comment.", + "operationId": "IncidentComments_CreateComment", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "updatedBy": { - 
"$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "eventTime": { - "description": "The bookmark event time", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "queryStartTime": { - "description": "The start time for the query", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "queryEndTime": { - "description": "The end time for the query", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" - } - }, - "required": [ - "displayName", - "query" - ], - "type": "object" - }, - "BookmarkExpandParameters": { - "description": "The parameters required to execute an expand operation on the given bookmark.", - "properties": { - "endTime": { - "description": "The end date filter, so the only expansion results returned are before this date.", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/IncidentId" }, - "expansionId": { - "description": "The Id of the expansion to perform.", - "format": "uuid", - "type": "string" + { + "$ref": "#/parameters/IncidentCommentId" }, - "startTime": { - "description": "The start date filter, so the only expansion results returned are after this date.", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/IncidentComment" } - } - }, - "BookmarkExpandResponse": { - "description": "The entity expansion result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/ExpansionResultsMetadata", - "description": "The metadata from the expansion operation results." 
+ ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentComment" + } }, - "value": { - "description": "The expansion result values.", - "properties": { - "entities": { - "description": "Array of the expansion result entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - }, - "edges": { - "description": "Array of expansion result connected entities", - "items": { - "$ref": "#/definitions/ConnectedEntity" - }, - "type": "array" - } - }, - "type": "object" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentComment" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "Case": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a case in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/CaseProperties", - "description": "Case properties", - "x-ms-client-flatten": true + "delete": { + "x-ms-examples": { + "Delete the incident comment.": { + "$ref": "./examples/incidents/comments/DeleteIncidentComment.json" } }, - "type": "object" - }, - "CaseComment": { - "allOf": [ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - } + "tags": [ + "IncidentComments" ], - "description": "Represents a case comment", - "properties": { - "properties": { - "$ref": "#/definitions/CaseCommentProperties", - "description": "Case comment properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "CaseCommentList": { - "description": "List of case comments.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" + "description": "Delete the incident comment.", + "operationId": "IncidentComments_DeleteComment", + "parameters": 
[ + { + "$ref": "#/parameters/ApiVersion" }, - "value": { - "description": "Array of comments.", - "items": { - "$ref": "#/definitions/CaseComment" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "CaseCommentProperties": { - "description": "Case comment property bag.", - "properties": { - "createdTimeUtc": { - "description": "The time the comment was created", - "format": "date-time", - "readOnly": true, - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "message": { - "description": "The comment message", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "userInfo": { - "$ref": "#/definitions/UserInfo", - "description": "Describes the user that created the comment", - "readOnly": true, - "type": "object" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentCommentId" } - }, - "required": [ - "message" ], - "type": "object" - }, - "CaseList": { - "description": "List all the cases.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of cases.", - "readOnly": true, - "type": "string" + "responses": { + "200": { + "description": "OK" }, - "value": { - "description": "Array of cases.", - "items": { - "$ref": "#/definitions/Case" - }, - "type": "array" + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": { + "post": { + "x-ms-examples": { + "Gets all incident related entities": { + "$ref": 
"./examples/incidents/entities/GetAllIncidentEntities.json" } }, - "required": [ - "value" - ] - }, - "CaseProperties": { - "description": "Describes case properties", - "properties": { - "caseNumber": { - "description": "a sequential number", - "readOnly": true, - "type": "integer" + "tags": [ + "IncidentEntities" + ], + "description": "Gets all incident related entities.", + "operationId": "Incidents_ListOfEntities", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "closeReason": { - "description": "The reason the case was closed", - "enum": [ - "Resolved", - "Dismissed", - "TruePositive", - "FalsePositive", - "Other" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CloseReason", - "values": [ - { - "description": "Case was resolved", - "value": "Resolved" - }, - { - "description": "Case was dismissed", - "value": "Dismissed" - }, - { - "description": "Case was true positive", - "value": "TruePositive" - }, - { - "description": "Case was false positive", - "value": "FalsePositive" - }, - { - "description": "Case was closed for another reason", - "value": "Other" - } - ] - } + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "closedReasonText": { - "description": "the case close reason details", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "createdTimeUtc": { - "description": "The time the case was created", - "format": "date-time", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "description": { - "description": "The description of the case", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "endTimeUtc": { - "description": "The end time of the case", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": 
"#/definitions/IncidentEntitiesResponse" + } }, - "labels": { - "description": "List of labels relevant to this case", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": { + "get": { + "x-ms-examples": { + "Get all incident relations.": { + "$ref": "./examples/incidents/relations/GetAllIncidentRelations.json" + } + }, + "tags": [ + "IncidentRelations" + ], + "description": "Gets all incident relations.", + "operationId": "IncidentRelations_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "lastComment": { - "description": "the last comment in the case", - "readOnly": true, - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "lastUpdatedTimeUtc": { - "description": "The last time the case was updated", - "format": "date-time", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "metrics": { - "description": "Dictionary of metrics, for example the number of alerts in the case", - "type": "object", - "additionalProperties": { - "type": "integer", - "format": "int32" - }, - "readOnly": true + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "owner": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that the case is assigned to", - "type": "object" + { + "$ref": "#/parameters/WorkspaceName" }, - "relatedAlertIds": { - "description": "List of related alert identifiers", - "items": { - "description": "related alert id", - "type": "string" - }, - "readOnly": true, - "type": "array" + { + "$ref": 
"#/parameters/IncidentId" }, - "relatedAlertProductNames": { - "description": "List of related alert product names", - "items": { - "description": "related alert product name", - "type": "string" - }, - "readOnly": true, - "type": "array" + { + "$ref": "#/parameters/ODataFilter" }, - "tactics": { - "description": "The tactics associated with case", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" + { + "$ref": "#/parameters/ODataOrderBy" }, - "severity": { - "description": "The severity of the case", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "startTimeUtc": { - "description": "The start time of the case", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/ODataTop" }, - "status": { - "description": "The status of the case", - "enum": [ - "Draft", - "New", - "InProgress", - "Closed" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseStatus", - "values": [ - { - "description": "Case that wasn't promoted yet to active", - "value": "Draft" - }, - { - "description": "An active case which isn't handled currently", - "value": "New" - }, - { - "description": "An active case which is handled", - "value": "InProgress" - }, - { - "description": "A non active case", - "value": "Closed" - } - ] + { + "$ref": "#/parameters/ODataSkipToken" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/RelationList" } }, - "title": { - "description": "The title of the 
case", - "type": "string" - }, - "totalComments": { - "description": "the number of total comments in the case", - "readOnly": true, - "type": "integer" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "required": [ - "title", - "severity", - "status" - ], - "type": "object" - }, - "CasesAggregation": { - "allOf": [ - { - "$ref": "#/definitions/Aggregations" - } - ], - "description": "Represents aggregations results for cases.", - "properties": { - "properties": { - "$ref": "#/definitions/CasesAggregationProperties", - "description": "Properties of aggregations results of cases.", - "x-ms-client-flatten": true + "x-ms-odata": "#/definitions/Relation", + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}": { + "get": { + "x-ms-examples": { + "Get an incident relation.": { + "$ref": "./examples/incidents/relations/GetIncidentRelationByName.json" } }, - "type": "object", - "x-ms-discriminator-value": "CasesAggregation" - }, - "CasesAggregationBySeverityProperties": { - "description": "Aggregative results of cases by severity property bag.", - "properties": { - "totalCriticalSeverity": { - "description": "Total amount of open cases with severity Critical", - "readOnly": true, - "type": "integer" + "tags": [ + "IncidentRelations" + ], + "description": "Gets an incident relation.", + "operationId": "IncidentRelations_GetRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "totalHighSeverity": { - "description": "Total amount of open cases with severity High", - "readOnly": true, - "type": "integer" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + 
{ + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "totalInformationalSeverity": { - "description": "Total amount of open cases with severity Informational", - "readOnly": true, - "type": "integer" + { + "$ref": "#/parameters/WorkspaceName" }, - "totalLowSeverity": { - "description": "Total amount of open cases with severity Low", - "readOnly": true, - "type": "integer" + { + "$ref": "#/parameters/IncidentId" }, - "totalMediumSeverity": { - "description": "Total amount of open cases with severity medium", - "readOnly": true, - "type": "integer" + { + "$ref": "#/parameters/RelationName" } - }, - "type": "object" - }, - "CasesAggregationByStatusProperties": { - "description": "Aggregative results of cases by status property bag.", - "properties": { - "totalDismissedStatus": { - "description": "Total amount of closed cases with status Dismissed", - "readOnly": true, - "type": "integer" - }, - "totalInProgressStatus": { - "description": "Total amount of open cases with status InProgress", - "readOnly": true, - "type": "integer" - }, - "totalNewStatus": { - "description": "Total amount of open cases with status New", - "readOnly": true, - "type": "integer" - }, - "totalResolvedStatus": { - "description": "Total amount of closed cases with status Resolved", - "readOnly": true, - "type": "integer" - }, - "totalFalsePositiveStatus": { - "description": "Total amount of closed cases with status Closed and Close reason of False positive", - "readOnly": true, - "type": "integer", - "format": "int32" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } }, - "totalTruePositiveStatus": { - "description": "Total amount of closed cases with status Closed and Close reason of True positive", - "readOnly": true, - "type": "integer", - "format": "int32" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": 
"#/definitions/CloudError" + } } - }, - "type": "object" + } }, - "CasesAggregationProperties": { - "description": "Aggregative results of cases property bag.", - "properties": { - "aggregationBySeverity": { - "$ref": "#/definitions/CasesAggregationBySeverityProperties", - "description": "Aggregations results by case severity." - }, - "aggregationByStatus": { - "$ref": "#/definitions/CasesAggregationByStatusProperties", - "description": "Aggregations results by case status." + "put": { + "x-ms-examples": { + "Creates or updates an incident relation.": { + "$ref": "./examples/incidents/relations/CreateIncidentRelation.json" } }, - "type": "object" - }, - "ClientInfo": { - "description": "Information on the client (user or application) that made some action", - "properties": { - "email": { - "description": "The email of the client.", - "type": "string" + "tags": [ + "IncidentRelations" + ], + "description": "Creates or updates the incident relation.", + "operationId": "IncidentRelations_CreateOrUpdateRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "name": { - "description": "The name of the client.", - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "objectId": { - "description": "The object id of the client.", - "format": "uuid", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "userPrincipalName": { - "description": "The user principal name of the client.", - "type": "string" - } - }, - "type": "object" - }, - "CloudApplicationEntity": { - "allOf": [ { - "$ref": "#/definitions/Entity" + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/RelationName" + }, + { + "$ref": "#/parameters/Relation" } ], - "description": "Represents a cloud application entity.", - "properties": { - "properties": { - "$ref": 
"#/definitions/CloudApplicationEntityProperties", - "description": "CloudApplication entity properties", - "x-ms-client-flatten": true + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Relation" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - }, - "type": "object", - "x-ms-discriminator-value": "CloudApplication" + } }, - "CloudApplicationEntityProperties": { - "allOf": [ + "delete": { + "x-ms-examples": { + "Delete the incident relation.": { + "$ref": "./examples/incidents/relations/DeleteIncidentRelation.json" + } + }, + "tags": [ + "IncidentRelations" + ], + "description": "Delete the incident relation.", + "operationId": "IncidentRelations_DeleteRelation", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, { - "$ref": "#/definitions/EntityCommonProperties" + "$ref": "#/parameters/RelationName" } ], - "description": "CloudApplication entity property bag.", - "properties": { - "appId": { - "description": "The technical identifier of the application.", - "readOnly": true, - "type": "integer" - }, - "appName": { - "description": "The name of the related cloud application.", - "readOnly": true, - "type": "string" + "responses": { + "200": { + "description": "OK" }, - "instanceName": { - "description": "The user defined instance name of the cloud application. 
It is often used to distinguish between several applications of the same type that a customer has.", - "readOnly": true, - "type": "string" + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - }, - "type": "object" - }, - "CloudError": { - "description": "Error response structure.", - "properties": { - "error": { - "$ref": "#/definitions/CloudErrorBody", - "description": "Error data", - "x-ms-client-flatten": true + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": { + "get": { + "x-ms-examples": { + "Get all watchlists.": { + "$ref": "./examples/watchlists/GetWatchlists.json" } }, - "type": "object", - "x-ms-external": true - }, - "CloudErrorBody": { - "description": "Error details.", - "properties": { - "code": { - "description": "An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.", - "readOnly": true, - "type": "string" + "tags": [ + "Watchlists" + ], + "description": "Gets all watchlists, without watchlist items.", + "operationId": "Watchlists_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" }, - "message": { - "description": "A message describing the error, intended to be suitable for display in a user interface.", - "readOnly": true, - "type": "string" - } - }, - "type": "object", - "x-ms-external": true - }, - "DataConnector": { - "allOf": [ { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, { - "$ref": "#/definitions/DataConnectorKind" + "$ref": "#/parameters/WorkspaceName" } ], - "description": "Data connector.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "DataConnectorsCheckRequirements": { - "description": "Data connector requirements properties.", - "properties": { - "kind": { - "$ref": "#/definitions/DataConnectorKind", - "description": "Describes the kind of connector to be checked." 
+ "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "DataConnectorAuthorizationState": { - "description": "Describes the state of user's authorization for a connector kind.", - "enum": [ - "Valid", - "Invalid" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorAuthorizationState", - "values": [ - { - "value": "Valid" - }, - { - "value": "Invalid" - } - ] + "x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "DataConnectorLicenseState": { - "description": "Describes the state of user's license for a connector kind.", - "enum": [ - "Valid", - "Invalid", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorLicenseState", - "values": [ - { - "value": "Valid" - }, - { - "value": "Invalid" - }, - { - "value": "Unknown" - } - ] - } - }, - "DataConnectorDataTypeCommon": { - "description": "Common field for data type in data connectors.", - "properties": { - "state": { - "description": "Describe whether this data type connection is enabled or not.", - "enum": [ - "Enabled", - "Disabled" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataTypeState" - } - } - }, - "type": "object", - "required": [ - "state" - ] - }, - "DataConnectorKind": { - "description": "Describes an Azure resource with kind.", - "properties": { - "kind": { - "description": "The kind of the data connector", - "enum": [ - "AzureActiveDirectory", - "AzureSecurityCenter", - "MicrosoftCloudAppSecurity", - "ThreatIntelligence", - "ThreatIntelligenceTaxii", - "Office365", - "OfficeATP", - "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", - "MicrosoftDefenderAdvancedThreatProtection", - 
"Dynamics365", - "MicrosoftThreatProtection", - "MicrosoftThreatIntelligence" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "DataConnectorKind", - "values": [ - { - "value": "AzureActiveDirectory" - }, - { - "value": "AzureSecurityCenter" - }, - { - "value": "MicrosoftCloudAppSecurity" - }, - { - "value": "ThreatIntelligence" - }, - { - "value": "ThreatIntelligenceTaxii" - }, - { - "value": "Office365" - }, - { - "value": "OfficeATP" - }, - { - "value": "AmazonWebServicesCloudTrail" - }, - { - "value": "AzureAdvancedThreatProtection" - }, - { - "value": "MicrosoftDefenderAdvancedThreatProtection" - }, - { - "value": "Dynamics365" - }, - { - "value": "MicrosoftThreatProtection" - }, - { - "value": "MicrosoftThreatIntelligence" - } - ] - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": { + "get": { + "x-ms-examples": { + "Get a watchlist.": { + "$ref": "./examples/watchlists/GetWatchlistByAlias.json" } }, - "required": [ - "kind" + "tags": [ + "Watchlists" ], - "type": "object" - }, - "DataConnectorList": { - "description": "List all the data connectors.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of data connectors.", - "readOnly": true, - "type": "string" + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "Watchlists_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "value": { - "description": "Array of data connectors.", - "items": { - "$ref": "#/definitions/DataConnector" - }, - "type": "array" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + 
}, + { + "$ref": "#/parameters/WatchlistAlias" } - }, - "required": [ - "value" - ] - }, - "DataConnectorRequirementsState": { - "description": "Data connector requirements status.", - "properties": { - "authorizationState": { - "description": "Authorization state for this connector", - "$ref": "#/definitions/DataConnectorAuthorizationState" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } }, - "licenseState": { - "description": "License state for this connector", - "$ref": "#/definitions/DataConnectorLicenseState" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - }, - "type": "object" + } }, - "DataConnectorTenantId": { - "description": "Properties data connector on tenant level.", - "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" + "delete": { + "x-ms-examples": { + "Delete a watchlist.": { + "$ref": "./examples/watchlists/DeleteWatchlist.json" } }, - "required": [ - "tenantId" + "tags": [ + "Watchlists" ], - "type": "object" - }, - "DataConnectorWithAlertsProperties": { - "description": "Data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector", - "description": "The available data types for the connector." 
- } - }, - "type": "object" - }, - "DnsEntity": { - "allOf": [ + "description": "Delete a watchlist.", + "operationId": "Watchlists_Delete", + "parameters": [ { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a dns entity.", - "properties": { - "properties": { - "$ref": "#/definitions/DnsEntityProperties", - "description": "Dns entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "DnsResolution" - }, - "DnsEntityProperties": { - "allOf": [ + "$ref": "#/parameters/ApiVersion" + }, { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Dns entity property bag.", - "properties": { - "dnsServerIpEntityId": { - "description": "An ip entity id for the dns server resolving the request", - "readOnly": true, - "type": "string" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "domainName": { - "description": "The name of the dns record associated with the alert", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "hostIpAddressEntityId": { - "description": "An ip entity id for the dns request client", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "ipAddressEntityIds": { - "description": "Ip entity identifiers for the resolved ip address.", - "items": { - "description": "Ip entity id", - "type": "string" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "Dynamics365DataConnector": { - "allOf": [ { - "$ref": "#/definitions/DataConnector" + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/WatchlistAlias" } ], - "description": "Represents Dynamics365 data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/Dynamics365DataConnectorProperties", - "description": "Dynamics365 data connector properties.", - "x-ms-client-flatten": true - } - }, - 
"type": "object", - "x-ms-discriminator-value": "Dynamics365" - }, - "Dynamics365DataConnectorDataTypes": { - "description": "The available data types for Dynamics365 data connector.", - "properties": { - "dynamics365CdsActivities": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Common Data Service data type connection.", - "type": "object" + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - }, - "type": "object", - "required": [ - "dynamics365CdsActivities" - ] + } }, - "Dynamics365DataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Dynamics365 data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", - "description": "The available data types for the connector." + "put": { + "x-ms-examples": { + "Creates a watchlist.": { + "$ref": "./examples/watchlists/CreateWatchlist.json" } }, - "required": [ - "dataTypes" + "tags": [ + "Watchlists" ], - "type": "object" - }, - "Dynamics365CheckRequirements": { - "allOf": [ + "description": "Creates a watchlist and its watchlist items (bulk creation, e.g. through text/csv content type). 
To create a Watchlist and its Items, we should call this endpoint twice : the first call will create an empty Watchlist, and the second one will create its Items.", + "operationId": "Watchlists_Create", + "parameters": [ { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents Dynamics365 requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/Dynamics365CheckRequirementsProperties", - "description": "Dynamics365 requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Dynamics365" - }, - "Dynamics365CheckRequirementsProperties": { - "allOf": [ + "$ref": "#/parameters/ApiVersion" + }, { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Dynamics365 requirements check properties.", - "type": "object" - }, - "EnrichmentDomainWhois": { - "description": "Whois information for a given domain and associated metadata", - "properties": { - "domain": { - "description": "The domain for this whois record", - "type": "string" + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "server": { - "description": "The hostname of this registrar's whois server", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "created": { - "description": "The timestamp at which this record was created", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "updated": { - "description": "The timestamp at which this record was last updated", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "expires": { - "description": "The timestamp at which this record will expire", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/WatchlistAlias" }, - "parsedWhois": { - "description": "The whois record for a given domain", - "$ref": 
"#/definitions/EnrichmentDomainWhoisDetails" + { + "$ref": "#/parameters/Watchlist" } - } - }, - "EnrichmentDomainWhoisDetails": { - "description": "The whois record for a given domain", - "properties": { - "registrar": { - "description": "The registrar associated with this domain", - "$ref": "#/definitions/EnrichmentDomainWhoisRegistrarDetails" - }, - "contacts": { - "description": "The set of contacts associated with this domain", - "$ref": "#/definitions/EnrichmentDomainWhoisContacts" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Watchlist" + } }, - "nameServers": { - "description": "A list of name servers associated with this domain", - "type": "array", - "items": { - "type": "string" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/Watchlist" } }, - "statuses": { - "description": "The set of status flags for this whois record", - "type": "array", - "items": { - "type": "string" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" } } } - }, - "EnrichmentDomainWhoisRegistrarDetails": { - "description": "The registrar associated with this domain", - "properties": { - "name": { - "description": "The name of this registrar", - "type": "string" + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems": { + "get": { + "x-ms-examples": { + "Get all watchlist Items.": { + "$ref": "./examples/watchlists/GetWatchlistItems.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Gets all watchlist Items.", + "operationId": "WatchlistItems_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "abuseContactEmail": { - "description": "This registrar's abuse contact email", - "type": "string" + { + "$ref": 
"../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "abuseContactPhone": { - "description": "This registrar's abuse contact phone number", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "ianaId": { - "description": "This registrar's Internet Assigned Numbers Authority id", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "url": { - "description": "This registrar's URL", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "whoisServer": { - "description": "The hostname of this registrar's whois server", - "type": "string" + { + "$ref": "#/parameters/WatchlistAlias" } - } - }, - "EnrichmentDomainWhoisContacts": { - "description": "The set of contacts associated with this domain", - "properties": { - "admin": { - "description": "The admin contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "billing": { - "description": "The billing contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" - }, - "registrant": { - "description": "The registrant contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItemList" + } }, - "tech": { - "description": "The technical contact for this whois record", - "$ref": "#/definitions/EnrichmentDomainWhoisContact" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" } - }, - "EnrichmentDomainWhoisContact": { - "description": "An individual contact associated with this domain", - "properties": { - "name": { - "description": "The name of this contact", - "type": "string" - }, - "org": { - "description": "The organization for this contact", - "type": "string" - }, - 
"street": { - "description": "A list describing the street address for this contact", - "type": "array", - "items": { - "type": "string" - } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}": { + "get": { + "x-ms-examples": { + "Get a watchlist item.": { + "$ref": "./examples/watchlists/GetWatchlistItemById.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Gets a watchlist, without its watchlist items.", + "operationId": "WatchlistItems_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "city": { - "description": "The city for this contact", - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "state": { - "description": "The state for this contact", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "postal": { - "description": "The postal code for this contact", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "country": { - "description": "The country for this contact", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "phone": { - "description": "The phone number for this contact", - "type": "string" + { + "$ref": "#/parameters/WatchlistAlias" }, - "fax": { - "description": "The fax number for this contact", - "type": "string" + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } }, - "email": { - "description": "The email address for this contact", - "type": "string" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } }, - "EnrichmentIpGeodata": { - "description": 
"Geodata information for a given IP address", - "properties": { - "asn": { - "description": "The autonomous system number associated with this IP address", - "type": "string" - }, - "carrier": { - "description": "The name of the carrier for this IP address", - "type": "string" - }, - "city": { - "description": "The city this IP address is located in", - "type": "string" + "delete": { + "x-ms-examples": { + "Delete a watchlist Item.": { + "$ref": "./examples/watchlists/DeleteWatchlistItem.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Delete a watchlist item.", + "operationId": "WatchlistItems_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "cityCf": { - "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100", - "type": "integer", - "format": "int32" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "continent": { - "description": "The continent this IP address is located on", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "country": { - "description": "The county this IP address is located in", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "countryCf": { - "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100", - "type": "integer", - "format": "int32" + { + "$ref": "#/parameters/WorkspaceName" }, - "ipAddr": { - "description": "The dotted-decimal or colon-separated string representation of the IP address", - "type": "string" + { + "$ref": "#/parameters/WatchlistAlias" }, - "ipRoutingType": { - "description": "A description of the connection type of this IP address", - "type": "string" + { + "$ref": "#/parameters/WatchlistItemId" + } + ], + "responses": { + "200": { + "description": "OK" }, - "latitude": { - "description": "The latitude of this IP address", - "type": 
"string" + "204": { + "description": "No Content" }, - "longitude": { - "description": "The longitude of this IP address", - "type": "string" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates a watchlist item.": { + "$ref": "./examples/watchlists/CreateWatchlistItem.json" + } + }, + "tags": [ + "WatchlistItems" + ], + "description": "Creates or updates a watchlist item.", + "operationId": "WatchlistItems_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "organization": { - "description": "The name of the organization for this IP address", - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "organizationType": { - "description": "The type of the organization for this IP address", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "region": { - "description": "The geographic region this IP address is located in", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "state": { - "description": "The state this IP address is located in", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "stateCf": { - "description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100", - "type": "integer", - "format": "int32" + { + "$ref": "#/parameters/WatchlistAlias" }, - "stateCode": { - "description": "The abbreviated name for the state this IP address is located in", - "type": "string" - } - } - }, - "Entity": { - "allOf": [ { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + "$ref": "#/parameters/WatchlistItemId" }, { - "$ref": "#/definitions/EntityKind" + "$ref": "#/parameters/WatchlistItem" } ], - "description": "Specific entity.", - 
"discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] - }, - "EntityEdges": { - "description": "The edge that connects the entity to the other entity.", - "properties": { - "targetEntityId": { - "description": "The target entity Id.", - "type": "string" + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } }, - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "type": "object" - } - }, - "type": "object" - }, - "EntityCommonProperties": { - "description": "Entity common property bag.", - "properties": { - "additionalData": { - "additionalProperties": { - "type": "object" - }, - "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", - "readOnly": true, - "type": "object" + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/WatchlistItem" + } }, - "friendlyName": { - "description": "The graph item display name which is a short humanly readable description of the graph item instance. 
This property is optional and might be system generated.", - "readOnly": true, - "type": "string" + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator": { + "post": { + "x-ms-examples": { + "Create a new Threat Intelligence": { + "$ref": "./examples/threatintelligence/CreateThreatIntelligence.json" } }, - "type": "object" - }, - "EntityExpandParameters": { - "description": "The parameters required to execute an expand operation on the given entity.", - "properties": { - "endTime": { - "description": "The end date filter, so the only expansion results returned are before this date.", - "format": "date-time", - "type": "string" + "tags": [ + "ThreatIntelligence" + ], + "description": "Create a new threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_CreateIndicator", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "expansionId": { - "description": "The Id of the expansion to perform.", - "format": "uuid", - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "startTime": { - "description": "The start date filter, so the only expansion results returned are after this date.", - "format": "date-time", - "type": "string" - } - } - }, - "EntityTimelineParameters": { - "description": "The parameters required to execute s timeline operation on the given entity.", - "properties": { - "kinds": { - "description": "Array of timeline Item kinds.", - "items": { - "$ref": "#/definitions/EntityTimelineKind" - }, - "type": "array" + { + "$ref": "#/parameters/ResourceGroupName" }, - "startTime": { - "description": "The start timeline date, 
so the results returned are after this date.", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "endTime": { - "description": "The end timeline date, so the results returned are before this date.", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "numberOfBucket": { - "description": "The number of bucket for timeline queries aggregation.", - "type": "integer", - "format": "int32" + { + "$ref": "#/parameters/ThreatIntelligenceProperties" } - }, - "required": [ - "startTime", - "endTime" - ] - }, - "EntityExpandResponse": { - "description": "The entity expansion result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/ExpansionResultsMetadata", - "description": "The metadata from the expansion operation results." + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } }, - "value": { - "description": "The expansion result values.", - "properties": { - "entities": { - "description": "Array of the expansion result entities.", - "items": { - "$ref": "#/definitions/Entity" - }, - "type": "array" - }, - "edges": { - "description": "Array of edges that connects the entity to the list of entities.", - "items": { - "$ref": "#/definitions/EntityEdges" - }, - "type": "array" - } - }, - "type": "object" - } - } - }, - "EntityTimelineResponse": { - "description": "The entity timeline result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/TimelineResultsMetadata", - "description": "The metadata from the timeline operation results." 
+ "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } }, - "value": { - "description": "The timeline result values.", - "items": { - "$ref": "#/definitions/EntityTimelineItem" - }, - "type": "array" + "default": { + "description": "Error response describing why the operation failed to create indicators.", + "schema": { + "$ref": "#/definitions/CloudError" + } } } - }, - "GetQueriesResponse": { - "description": "Retrieve queries for entity result operation response.", - "properties": { - "value": { - "description": "The query result values.", - "items": { - "$ref": "#/definitions/EntityQueryItem" - }, - "type": "array" - } - } - }, - "EntityInnerKind": { - "description": "The kind of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DnsResolution", - "FileHash", - "Ip", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "Url", - "IoTDevice", - "SecurityAlert", - "Bookmark", - "Mailbox", - "MailCluster", - "MailMessage", - "SubmissionMail" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityKind", - "values": [ - { - "description": "Entity represents account in the system.", - "value": "Account" - }, - { - "description": "Entity represents host in the system.", - "value": "Host" - }, - { - "description": "Entity represents file in the system.", - "value": "File" - }, - { - "description": "Entity represents azure resource in the system.", - "value": "AzureResource" - }, - { - "description": "Entity represents cloud application in the system.", - "value": "CloudApplication" - }, - { - "description": "Entity represents dns resolution in the system.", - "value": "DnsResolution" - }, - { - "description": "Entity represents file hash in the system.", - "value": "FileHash" - }, - { - "description": "Entity represents ip in the system.", - "value": "Ip" - }, - { - "description": "Entity represents 
malware in the system.", - "value": "Malware" - }, - { - "description": "Entity represents process in the system.", - "value": "Process" - }, - { - "description": "Entity represents registry key in the system.", - "value": "RegistryKey" - }, - { - "description": "Entity represents registry value in the system.", - "value": "RegistryValue" - }, - { - "description": "Entity represents security group in the system.", - "value": "SecurityGroup" - }, - { - "description": "Entity represents url in the system.", - "value": "Url" - }, - { - "description": "Entity represents IoT device in the system.", - "value": "IoTDevice" - }, - { - "description": "Entity represents security alert in the system.", - "value": "SecurityAlert" - }, - { - "description": "Entity represents bookmark in the system.", - "value": "Bookmark" - }, - { - "description": "Entity represents mail cluster in the system.", - "value": "MailCluster" - }, - { - "description": "Entity represents mail message in the system.", - "value": "MailMessage" - }, - { - "description": "Entity represents mailbox in the system.", - "value": "Mailbox" - }, - { - "description": "Entity represents submission mail in the system.", - "value": "SubmissionMail" - } - ] - } - }, - "EntityInnerType": { - "description": "The type of the entity", - "enum": [ - "Account", - "Host", - "File", - "AzureResource", - "CloudApplication", - "DNS", - "FileHash", - "IP", - "Malware", - "Process", - "RegistryKey", - "RegistryValue", - "SecurityGroup", - "URL", - "IoTDevice", - "SecurityAlert", - "HuntingBookmark", - "MailCluster", - "MailMessage", - "Mailbox", - "SubmissionMail" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityType", - "values": [ - { - "description": "Entity represents account in the system.", - "value": "Account" - }, - { - "description": "Entity represents host in the system.", - "value": "Host" - }, - { - "description": "Entity represents file in the system.", - "value": "File" - }, - { 
- "description": "Entity represents azure resource in the system.",
- "value": "AzureResource"
- },
- {
- "description": "Entity represents cloud application in the system.",
- "value": "CloudApplication"
- },
- {
- "description": "Entity represents dns in the system.",
- "value": "DNS"
- },
- {
- "description": "Entity represents file hash in the system.",
- "value": "FileHash"
- },
- {
- "description": "Entity represents ip in the system.",
- "value": "IP"
- },
- {
- "description": "Entity represents malware in the system.",
- "value": "Malware"
- },
- {
- "description": "Entity represents process in the system.",
- "value": "Process"
- },
- {
- "description": "Entity represents registry key in the system.",
- "value": "RegistryKey"
- },
- {
- "description": "Entity represents registry value in the system.",
- "value": "RegistryValue"
- },
- {
- "description": "Entity represents security group in the system.",
- "value": "SecurityGroup"
- },
- {
- "description": "Entity represents url in the system.",
- "value": "URL"
- },
- {
- "description": "Entity represents IoT device in the system.",
- "value": "IoTDevice"
- },
- {
- "description": "Entity represents security alert in the system.",
- "value": "SecurityAlert"
- },
- {
- "description": "Entity represents HuntingBookmark in the system.",
- "value": "HuntingBookmark"
- },
- {
- "description": "Entity represents mail cluster in the system.",
- "value": "MailCluster"
- },
- {
- "description": "Entity represents mail message in the system.",
- "value": "MailMessage"
- },
- {
- "description": "Entity represents mailbox in the system.",
- "value": "Mailbox"
- },
- {
- "description": "Entity represents submission mail in the system.",
- "value": "SubmissionMail"
- }
- ]
- }
- },
- "EntityKind": {
- "description": "Describes an entity with kind.",
- "properties": {
- "kind": {
- "$ref": "#/definitions/EntityInnerKind",
- "description": "The kind of the entity."
- }
- },
- "required": [
- "kind"
- ],
- "type": "object"
- },
- "EntityList": {
- "description": "List of all the entities.",
- "properties": {
- "nextLink": {
- "description": "URL to fetch the next set of entities.",
- "readOnly": true,
- "type": "string"
- },
- "value": {
- "description": "Array of entities.",
- "items": {
- "$ref": "#/definitions/Entity"
- },
- "type": "array"
- }
- },
- "required": [
- "value"
- ]
- },
- "EntityQueryKind": {
- "description": "Describes an Entity query resource with kind.",
- "properties": {
- "kind": {
- "description": "The kind of the entity query",
- "enum": [
- "Expansion",
- "Insight"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "EntityQueryKind",
- "values": [
- {
- "value": "Expansion"
- },
- {
- "value": "Insight"
- }
- ]
- }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators": {
+ "get": {
+ "x-ms-examples": {
+ "Get all threat intelligence indicators": {
+ "$ref": "./examples/threatintelligence/GetThreatIntelligence.json"
 }
 },
- "required": [
- "kind"
+ "tags": [
+ "ThreatIntelligence"
 ],
- "type": "object"
- },
- "EntityQuery": {
- "allOf": [
+ "description": "Get all threat intelligence indicators.",
+ "operationId": "ThreatIntelligenceIndicators_List",
+ "parameters": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "#/definitions/EntityQueryKind"
- }
- ],
- "description": "Specific entity query.",
- "discriminator": "kind",
- "type": "object",
- "required": [
- "kind"
- ]
- },
- "ExpansionEntityQuery": {
- "description": "Represents Expansion entity query.",
- "allOf": [
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ },
 {
- "$ref": "#/definitions/EntityQuery"
- }
- ],
- "properties": { - "properties": { - "$ref": "#/definitions/ExpansionEntityQueriesProperties", - "description": "Expansion entity query properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Expansion" - }, - "EntityTimelineKind": { - "description": "The entity query kind", - "enum": [ - "Activity", - "Bookmark", - "SecurityAlert" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntityTimelineKind", - "values": [ - { - "description": "activity", - "value": "Activity" - }, - { - "description": "bookmarks", - "value": "Bookmark" - }, - { - "description": "security alerts", - "value": "SecurityAlert" - } - ] - } - }, - "EntityQueryList": { - "description": "List of all the entity queries.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of entity queries.", - "readOnly": true, - "type": "string" + "$ref": "#/parameters/ResourceGroupName" }, - "value": { - "description": "Array of entity queries.", - "items": { - "$ref": "#/definitions/EntityQuery" - }, - "type": "array" - } - }, - "required": [ - "value" - ] - }, - "ExpansionEntityQueriesProperties": { - "description": "Describes expansion entity query properties", - "properties": { - "dataSources": { - "description": "List of the data sources that are required to run the query", - "items": { - "description": "data source", - "type": "string" - }, - "type": "array" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "displayName": { - "description": "The query display name", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "inputEntityType": { - "$ref": "#/definitions/EntityInnerType", - "description": "The type of the query's source entity" + { + "$ref": "#/parameters/ODataFilter" }, - "inputFields": { - "description": "List of the fields of the source entity that are required to run the query", - "items": { - "description": "input field", - "type": "string" - }, - "type": 
"array" + { + "$ref": "#/parameters/ODataTop" }, - "outputEntityTypes": { - "description": "List of the desired output types to be constructed from the result", - "items": { - "$ref": "#/definitions/EntityInnerType", - "description": "output entity type" - }, - "type": "array" + { + "$ref": "#/parameters/ODataSkipToken" }, - "queryTemplate": { - "description": "The template query string to be parsed and formatted", - "type": "string" + { + "$ref": "#/parameters/ODataOrderBy" } - }, - "type": "object" - }, - "ExpansionResultAggregation": { - "description": "Information of a specific aggregation in the expansion result.", - "properties": { - "aggregationType": { - "description": "The common type of the aggregation. (for e.g. entity field name)", - "type": "string" - }, - "count": { - "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", - "type": "integer" - }, - "displayName": { - "description": "The display name of the aggregation by type.", - "type": "string" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } }, - "entityKind": { - "$ref": "#/definitions/EntityInnerKind", - "description": "The kind of the aggregated entity." 
+ "default": { + "description": "Error response describing why the operation failed to get indicators.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "required": [ - "entityKind", - "count" - ], - "type": "object" - }, - "ExpansionResultsMetadata": { - "description": "Expansion result metadata.", - "properties": { - "aggregations": { - "description": "Information of the aggregated nodes in the expansion result.", - "items": { - "$ref": "#/definitions/ExpansionResultAggregation" - }, - "type": "array" + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}": { + "get": { + "x-ms-examples": { + "View a threat intelligence indicator by name": { + "$ref": "./examples/threatintelligence/GetThreatIntelligenceById.json" } }, - "type": "object" - }, - "ConnectedEntity": { - "description": "Expansion result connected entities", - "properties": { - "targetEntityId": { - "description": "Entity Id of the connected entity", - "type": "string" + "tags": [ + "ThreatIntelligence" + ], + "description": "View a threat intelligence indicator by name.", + "operationId": "ThreatIntelligenceIndicator_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "additionalData": { - "description": "key-value pairs for a connected entity mapping", - "type": "object" - } - } - }, - "TimelineResultsMetadata": { - "description": "Expansion result metadata.", - "properties": { - "totalCount": { - "description": "the total items found for the timeline request", - "type": "integer", - "format": "int32" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "aggregations": { - "description": "timeline aggregation per kind", - "items": { - "$ref": "#/definitions/TimelineAggregation" 
- }, - "type": "array" + { + "$ref": "#/parameters/ResourceGroupName" }, - "errors": { - "description": "information about the failure queries", - "items": { - "$ref": "#/definitions/TimelineError" - }, - "type": "array" - } - }, - "required": [ - "totalCount", - "aggregations" - ], - "type": "object" - }, - "TimelineError": { - "description": "Timeline Query Errors.", - "properties": { - "kind": { - "description": "the query kind", - "$ref": "#/definitions/EntityTimelineKind" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "queryId": { - "description": "the query id", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "errorMessage": { - "description": "the error message", - "type": "string" + { + "$ref": "#/parameters/ThreatIntelligenceName" } - }, - "required": [ - "kind", - "errorMessage" ], - "type": "object" - }, - "TimelineAggregation": { - "description": "timeline aggregation information per kind", - "properties": { - "count": { - "description": "the total items found for a kind", - "type": "integer", - "format": "int32" + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } }, - "kind": { - "description": "the query kind", - "$ref": "#/definitions/EntityTimelineKind" + "default": { + "description": "Error response describing why the operation failed to view an indicator.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - }, - "required": [ - "kind", - "count" - ], - "type": "object" + } }, - "EntityTimelineItem": { - "description": "Entity timeline Item.", - "discriminator": "kind", - "type": "object", - "properties": { - "kind": { - "$ref": "#/definitions/EntityTimelineKind", - "description": "The entity query kind type." 
+ "put": { + "x-ms-examples": { + "Update a threat Intelligence indicator": { + "$ref": "./examples/threatintelligence/UpdateThreatIntelligence.json" } }, - "required": [ - "kind" - ] - }, - "FileEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } + "tags": [ + "ThreatIntelligence" ], - "description": "Represents a file entity.", - "properties": { - "properties": { - "$ref": "#/definitions/FileEntityProperties", - "description": "File entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "File" - }, - "FileEntityProperties": { - "allOf": [ + "description": "Update a threat Intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Create", + "parameters": [ { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "File entity property bag.", - "properties": { - "directory": { - "description": "The full path to the file.", - "readOnly": true, - "type": "string" + "$ref": "#/parameters/ApiVersion" }, - "fileHashEntityIds": { - "description": "The file hash entity identifiers associated with this file", - "items": { - "description": "file hash id", - "type": "string" - }, - "readOnly": true, - "type": "array" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "fileName": { - "description": "The file name without path (some alerts might not include path).", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "hostEntityId": { - "description": "The Host entity id which the file belongs to", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "FileHashEntity": { - "allOf": [ { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a file hash entity.", - "properties": { - "properties": { - "$ref": "#/definitions/FileHashEntityProperties", - "description": "FileHash entity properties", - "x-ms-client-flatten": true - } - }, - 
"type": "object", - "x-ms-discriminator-value": "FileHash" - }, - "FileHashEntityProperties": { - "allOf": [ + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "FileHash entity property bag.", - "properties": { - "algorithm": { - "description": "The hash algorithm type.", - "enum": [ - "Unknown", - "MD5", - "SHA1", - "SHA256", - "SHA256AC" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "FileHashAlgorithm", - "values": [ - { - "description": "Unknown hash algorithm", - "value": "Unknown" - }, - { - "description": "MD5 hash type", - "value": "MD5" - }, - { - "description": "SHA1 hash type", - "value": "SHA1" - }, - { - "description": "SHA256 hash type", - "value": "SHA256" - }, - { - "description": "SHA256 Authenticode hash type", - "value": "SHA256AC" - } - ] - } + "$ref": "#/parameters/WorkspaceName" }, - "hashValue": { - "description": "The file hash value.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "InsightQueryItem": { - "allOf": [ { - "$ref": "#/definitions/EntityQueryItem" - } - ], - "description": "Represents Insight Query.", - "properties": { - "properties": { - "description": "Properties bag for InsightQueryItem", - "$ref": "#/definitions/InsightQueryItemProperties" - } - }, - "type": "object", - "x-ms-discriminator-value": "Insight" - }, - "InsightQueryItemProperties": { - "allOf": [ + "$ref": "#/parameters/ThreatIntelligenceName" + }, { - "$ref": "#/definitions/EntityQueryItemProperties" + "$ref": "#/parameters/ThreatIntelligenceProperties" } ], - "description": "Represents Insight Query.", - "properties": { - "displayName": { - "type": "string", - "description": "The insight display name." - }, - "description": { - "type": "string", - "description": "The insight description." - }, - "baseQuery": { - "type": "string", - "description": "The base query of the insight." 
- }, - "tableQuery": { - "type": "object", - "description": "The insight table query.", - "properties": { - "columnsDefinitions": { - "type": "array", - "description": "List of insight column definitions.", - "items": { - "properties": { - "header": { - "type": "string", - "description": "Insight column header." - }, - "outputType": { - "type": "string", - "description": "Insights Column type.", - "enum": [ - "Number", - "String", - "Date", - "Entity" - ], - "x-ms-enum": { - "modelAsString": true, - "name": "outputType" - } - }, - "supportDeepLink": { - "type": "boolean", - "description": "Is query supports deep-link." - } - } - } - }, - "queriesDefinitions": { - "type": "array", - "description": "List of insight queries definitions.", - "items": { - "properties": { - "filter": { - "type": "string", - "description": "Insight column header." - }, - "summarize": { - "type": "string", - "description": "Insight column header." - }, - "project": { - "type": "string", - "description": "Insight column header." - }, - "linkColumnsDefinitions": { - "type": "array", - "description": "Insight column header.", - "items": { - "properties": { - "projectedName": { - "type": "string", - "description": "Insight Link Definition Projected Name." - }, - "Query": { - "type": "string", - "description": "Insight Link Definition Query." - } - } - } - } - } - } - } - } - }, - "chartQuery": { - "type": "object", - "description": "The insight chart query." - }, - "additionalQuery": { - "type": "object", - "description": "The activity query definitions.", - "properties": { - "query": { - "type": "string", - "description": "The insight query." - }, - "text": { - "type": "string", - "description": "The insight text." 
- } + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" } }, - "defaultTimeRange": { - "type": "object", - "description": "The insight chart query.", - "properties": { - "beforeRange": { - "type": "string", - "description": "The padding for the start time of the query." - }, - "afterRange": { - "type": "string", - "description": "The padding for the end time of the query." - } + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" } }, - "referenceTimeRange": { - "type": "object", - "description": "The insight chart query.", - "properties": { - "beforeRange": { - "type": "string", - "description": "Additional query time for looking back." - } + "default": { + "description": "Error response describing why the operation failed to update an indicator.", + "schema": { + "$ref": "#/definitions/CloudError" } } - }, - "type": "object", - "x-ms-discriminator-value": "Insight" + } }, - "ActivityTimelineItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityTimelineItem" + "delete": { + "x-ms-examples": { + "Delete a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/DeleteThreatIntelligence.json" } + }, + "tags": [ + "ThreatIntelligence" ], - "description": "Represents Activity timeline item.", - "properties": { - "queryId": { - "type": "string", - "description": "The activity query id." - }, - "bucketStartTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The grouping bucket start time." + "description": "Delete a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "bucketEndTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The grouping bucket end time." 
+ { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "firstActivityTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The time of the first activity in the grouping bucket." + { + "$ref": "#/parameters/ResourceGroupName" }, - "lastActivityTimeUTC": { - "format": "date-time", - "type": "string", - "description": "The time of the last activity in the grouping bucket." + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "content": { - "type": "string", - "description": "The activity timeline content." + { + "$ref": "#/parameters/WorkspaceName" }, - "title": { - "type": "string", - "description": "The activity timeline title." - } - }, - "required": [ - "queryId", - "bucketStartTimeUTC", - "bucketEndTimeUTC", - "firstActivityTimeUTC", - "lastActivityTimeUTC", - "content", - "title" - ], - "type": "object", - "x-ms-discriminator-value": "Activity" - }, - "SecurityAlertTimelineItem": { - "allOf": [ { - "$ref": "#/definitions/EntityTimelineItem" + "$ref": "#/parameters/ThreatIntelligenceName" } ], - "description": "Represents security alert timeline item.", - "properties": { - "azureResourceId": { - "type": "string", - "description": "The alert azure resource id." - }, - "productName": { - "type": "string", - "description": "The alert product name." - }, - "description": { - "type": "string", - "description": "The alert description." - }, - "displayName": { - "type": "string", - "description": "The alert name." - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The alert severity." - }, - "endTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The alert end time." - }, - "startTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The alert start time." 
+ "responses": { + "200": { + "description": "OK" }, - "timeGenerated": { - "format": "date-time", - "type": "string", - "description": "The alert generated time." + "204": { + "description": "No Content" }, - "alertType": { - "type": "string", - "description": "The name of the alert type." + "default": { + "description": "Error response describing why the operation failed to delete an indicator.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators": { + "post": { + "x-ms-examples": { + "Query threat intelligence indicators as per filtering criteria": { + "$ref": "./examples/threatintelligence/QueryThreatIntelligence.json" } }, - "required": [ - "azureResourceId", - "displayName", - "severity", - "endTimeUtc", - "startTimeUtc", - "timeGenerated", - "alertType" + "tags": [ + "ThreatIntelligence" ], - "type": "object", - "x-ms-discriminator-value": "SecurityAlert" - }, - "BookmarkTimelineItem": { - "allOf": [ + "description": "Query threat intelligence indicators as per filtering criteria.", + "operationId": "ThreatIntelligenceIndicator_QueryIndicators", + "parameters": [ { - "$ref": "#/definitions/EntityTimelineItem" - } - ], - "description": "Represents bookmark timeline item.", - "properties": { - "azureResourceId": { - "type": "string", - "description": "The bookmark azure resource id." - }, - "displayName": { - "type": "string", - "description": "The bookmark display name." - }, - "notes": { - "type": "string", - "description": "The notes of the bookmark" + "$ref": "#/parameters/ApiVersion" }, - "endTimeUtc": { - "format": "date-time", - "type": "string", - "description": "The bookmark end time." 
+ { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "startTimeUtc": { - "format": "date-time", - "type": "string", - "description": "TThe bookmark start time." + { + "$ref": "#/parameters/ResourceGroupName" }, - "eventTime": { - "format": "date-time", - "type": "string", - "description": "The bookmark event time." + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" + { + "$ref": "#/parameters/WorkspaceName" }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - } - }, - "required": [ - "azureResourceId" - ], - "type": "object", - "x-ms-discriminator-value": "Bookmark" - }, - "FusionAlertRule": { - "allOf": [ { - "$ref": "#/definitions/AlertRule" + "$ref": "#/parameters/ThreatIntelligenceFilteringCriteria" } ], - "description": "Represents Fusion alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/FusionAlertRuleProperties", - "description": "Fusion alert rule properties", - "x-ms-client-flatten": true + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformationList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } } }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "FusionAlertRuleProperties": { - "description": "Fusion alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The 
display name for alerts created by this alert rule.", - "readOnly": true, - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics": { + "get": { + "x-ms-examples": { + "Get threat intelligence indicators metrics.": { + "$ref": "./examples/threatintelligence/CollectThreatIntelligenceMetrics.json" } }, - "required": [ - "alertRuleTemplateName", - "enabled" + "tags": [ + "ThreatIntelligence" ], - "type": "object" - }, - "FusionAlertRuleTemplate": { - "allOf": [ + "description": "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).", + "operationId": "ThreatIntelligenceIndicatorMetrics_List", + "parameters": [ { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents Fusion alert rule template.", - "properties": { - "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "Fusion alert rule template properties", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." 
- }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Fusion" - }, - "ThreatIntelligenceAlertRule": { - "allOf": [ - { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents Threat Intelligence alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties", - "description": "Threat Intelligence alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "ThreatIntelligenceAlertRuleProperties": { - "description": "Threat Intelligence alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "readOnly": true, - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "readOnly": true, - "type": "string" + "$ref": "#/parameters/ApiVersion" }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule.", - "readOnly": true + { + "$ref": 
"#/parameters/OperationalInsightsResourceProvider" }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "required": [ - "alertRuleTemplateName", - "enabled" - ], - "type": "object" - }, - "ThreatIntelligenceAlertRuleTemplate": { - "allOf": [ { - "$ref": "#/definitions/AlertRuleTemplate" + "$ref": "#/parameters/WorkspaceName" } ], - "description": "Represents Threat Intelligence alert rule template.", - "properties": { - "properties": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" - } - ], - "description": "Threat Intelligence alert rule template properties", - "properties": { - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." - }, - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" - } - }, - "required": [ - "displayName", - "description", - "status", - "severity", - "alertRulesCreatedByTemplateCount" - ], - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" - }, - "GeoLocation": { - "description": "The geo-location context attached to the ip entity", - "properties": { - "asn": { - "description": "Autonomous System Number", - "readOnly": true, - "type": "integer" - }, - "city": { - "description": "City name", - "readOnly": true, - "type": "string" - }, - "countryCode": { - "description": "The country code according to ISO 3166 format", - "readOnly": true, - "type": "string" - }, - "countryName": { - "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name", - "readOnly": true, - "type": "string" + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceMetricsList" + } }, - "latitude": { - 
"description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "longitude": { - "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code.", - "format": "double", - "readOnly": true, - "type": "number" - }, - "state": { - "description": "State name", - "readOnly": true, - "type": "string" - } - }, - "readOnly": true, - "type": "object" - }, - "HostEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" + "default": { + "description": "Error response describing why the operation failed to get metrics.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - ], - "description": "Represents a host entity.", - "properties": { - "properties": { - "$ref": "#/definitions/HostEntityProperties", - "description": "Host entity properties", - "x-ms-client-flatten": true + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags": { + "post": { + "x-ms-examples": { + "Append tags to a threat intelligence indicator": { + "$ref": "./examples/threatintelligence/AppendTagsThreatIntelligence.json" } }, - "type": "object", - "x-ms-discriminator-value": "Host" - }, - "HostEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } + "tags": [ + "ThreatIntelligence" ], - "description": "Host entity property bag.", - "properties": { - "azureID": { - "description": "The azure resource id of 
the VM.", - "readOnly": true, - "type": "string" - }, - "dnsDomain": { - "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain", - "readOnly": true, - "type": "string" - }, - "hostName": { - "description": "The hostname without the domain suffix.", - "readOnly": true, - "type": "string" + "description": "Append tags to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_AppendTags", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "isDomainJoined": { - "description": "Determines whether this host belongs to a domain.", - "readOnly": true, - "type": "boolean" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "netBiosName": { - "description": "The host name (pre-windows2000).", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "ntDomain": { - "description": "The NT domain that this host belongs to.", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "omsAgentID": { - "description": "The OMS agent id, if the host has OMS agent installed.", - "readOnly": true, - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "osFamily": { - "description": "The operating system type.", - "enum": [ - "Linux", - "Windows", - "Android", - "IOS", - "Unknown" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "OSFamily", - "values": [ - { - "description": "Host with Linux operating system.", - "value": "Linux" - }, - { - "description": "Host with Windows operating system.", - "value": "Windows" - }, - { - "description": "Host with Android operating system.", - "value": "Android" - }, - { - "description": "Host with IOS operating system.", - "value": "IOS" - }, - { - "description": "Host with Unknown operating system.", - "value": "Unknown" - } - ] - } + { + "$ref": 
"#/parameters/ThreatIntelligenceName" }, - "osVersion": { - "description": "A free text representation of the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "Incident": { - "allOf": [ { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + "$ref": "#/parameters/ThreatIntelligenceAppendTags" } ], - "description": "Represents an incident in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentProperties", - "description": "Incident properties", - "x-ms-client-flatten": true - } - }, - "type": "object" - }, - "HuntingBookmark": { - "allOf": [ - { - "$ref": "#/definitions/Entity" + "responses": { + "200": { + "description": "OK" + }, + "default": { + "description": "Error response describing why the operation failed to append tags.", + "schema": { + "$ref": "#/definitions/CloudError" + } } - ], - "description": "Represents a Hunting bookmark entity.", - "properties": { - "properties": { - "$ref": "#/definitions/HuntingBookmarkProperties", - "description": "HuntingBookmark entity properties", - "x-ms-client-flatten": true + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags": { + "post": { + "x-ms-examples": { + "Replace tags to a Threat Intelligence": { + "$ref": "./examples/threatintelligence/ReplaceTagsThreatIntelligence.json" } }, - "type": "object", - "x-ms-discriminator-value": "Bookmark" - }, - "HuntingBookmarkProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } + "tags": [ + "ThreatIntelligence" ], - "description": "Describes bookmark properties", - "properties": { - "created": { - 
"description": "The time the bookmark was created", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the bookmark", - "type": "object" - }, - "displayName": { - "description": "The display name of the bookmark", - "type": "string" - }, - "eventTime": { - "description": "The time of the event", - "format": "date-time", - "type": "string" - }, - "labels": { - "description": "List of labels relevant to this bookmark", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" + "description": "Replace tags added to a threat intelligence indicator.", + "operationId": "ThreatIntelligenceIndicator_ReplaceTags", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" }, - "notes": { - "description": "The notes of the bookmark", - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" }, - "query": { - "description": "The query of the bookmark.", - "type": "string" + { + "$ref": "#/parameters/ResourceGroupName" }, - "queryResult": { - "description": "The query result of the bookmark.", - "type": "string" + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" }, - "updated": { - "description": "The last time the bookmark was updated", - "format": "date-time", - "type": "string" + { + "$ref": "#/parameters/WorkspaceName" }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the bookmark", - "type": "object" + { + "$ref": "#/parameters/ThreatIntelligenceName" }, - "incidentInfo": { - "$ref": "#/definitions/IncidentInfo", - "description": "Describes an incident that relates to bookmark", - "type": "object" + { + "$ref": "#/parameters/ThreatIntelligenceReplaceTags" } - }, - "required": [ - "displayName", - "query" ], - "type": "object" - }, - "IncidentAdditionalData": { - "description": "Incident additional data property bag.", - 
"properties": { - "alertsCount": { - "description": "The number of alerts in the incident", - "readOnly": true, - "type": "integer" - }, - "bookmarksCount": { - "description": "The number of bookmarks in the incident", - "readOnly": true, - "type": "integer" - }, - "commentsCount": { - "description": "The number of comments in the incident", - "readOnly": true, - "type": "integer" - }, - "alertProductNames": { - "description": "List of product names of alerts in the incident", - "items": { - "description": "Alert product name", - "type": "string" - }, - "readOnly": true, - "type": "array" + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } }, - "tactics": { - "description": "The tactics associated with incident", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "IncidentAlertList": { - "description": "List of incident alerts.", - "properties": { - "value": { - "description": "Array of incident alerts.", - "type": "array", - "items": { - "$ref": "#/definitions/SecurityAlert" + "default": { + "description": "Error response describing why the operation failed to replace tags.", + "schema": { + "$ref": "#/definitions/CloudError" } } - }, - "required": [ - "value" - ] - }, - "IncidentBookmarkList": { - "description": "List of incident bookmarks.", + } + } + } + }, + "definitions": { + "MLBehaviorAnalyticsAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MLBehaviorAnalytics alert rule.", + "properties": { "properties": { - "value": { - "description": "Array of incident bookmarks.", - "type": "array", - "items": { - "$ref": "#/definitions/HuntingBookmark" - } - } - }, - "required": [ - "value" - ] + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties", + "description": "MLBehaviorAnalytics alert rule properties", + "x-ms-client-flatten": true + } }, - 
"IncidentComment": {
- "allOf": [
- {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
- }
- ],
- "description": "Represents an incident comment",
- "properties": {
- "properties": {
- "$ref": "#/definitions/IncidentCommentProperties",
- "description": "Incident comment properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object"
+ "type": "object",
+ "x-ms-discriminator-value": "MLBehaviorAnalytics"
+ },
+ "MLBehaviorAnalyticsAlertRuleProperties": {
+ "description": "MLBehaviorAnalytics alert rule base property bag.",
+ "properties": {
+ "alertRuleTemplateName": {
+ "description": "The Name of the alert rule template used to create this rule.",
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the alert rule.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "displayName": {
+ "description": "The display name for alerts created by this alert rule.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "enabled": {
+ "description": "Determines whether this alert rule is enabled or disabled.",
+ "type": "boolean"
+ },
+ "lastModifiedUtc": {
+ "description": "The last time that this alert rule has been modified.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "severity": {
+ "$ref": "#/definitions/AlertSeverity",
+ "description": "The severity for alerts created by this alert rule.",
+ "readOnly": true
+ },
+ "tactics": {
+ "description": "The tactics of the alert rule",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
 },
- "IncidentCommentList": {
- "description": "List of incident comments.",
+ "required": [
+ "alertRuleTemplateName",
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "MLBehaviorAnalyticsAlertRuleTemplate": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplate"
+ }
+ ],
+ "description": "Represents MLBehaviorAnalytics alert rule template.",
+ "properties": {
 "properties": {
- "nextLink": {
- "description": "URL to fetch 
the next set of comments.",
- "readOnly": true,
- "type": "string"
- },
- "value": {
- "description": "Array of comments.",
- "items": {
- "$ref": "#/definitions/IncidentComment"
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
+ }
+ ],
+ "description": "MLBehaviorAnalytics alert rule template properties.",
+ "properties": {
+ "severity": {
+ "$ref": "#/definitions/AlertSeverity",
+ "description": "The severity for alerts created by this alert rule."
 },
- "type": "array"
- }
- },
- "required": [
- "value"
- ]
- },
- "IncidentCommentProperties": {
- "description": "Incident comment property bag.",
- "properties": {
- "createdTimeUtc": {
- "description": "The time the comment was created",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
+ "tactics": {
+ "description": "The tactics of the alert rule template.",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "type": "array"
+ }
 },
- "lastModifiedTimeUtc": {
- "description": "The time the comment was updated",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "message": {
- "description": "The comment message",
- "type": "string"
- },
- "author": {
- "$ref": "#/definitions/ClientInfo",
- "description": "Describes the client that created the comment",
- "readOnly": true,
- "type": "object"
- }
- },
- "required": [
- "message"
- ],
- "type": "object"
+ "required": [
+ "displayName",
+ "description",
+ "status",
+ "severity",
+ "alertRulesCreatedByTemplateCount"
+ ],
+ "x-ms-client-flatten": true
+ }
 },
- "IncidentEntitiesResponse": {
- "description": "The incident related entities response.",
+ "type": "object",
+ "x-ms-discriminator-value": "MLBehaviorAnalytics"
+ },
+ "AADDataConnector": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnector"
+ }
+ ],
+ "description": "Represents AAD (Azure Active Directory) data connector.",
+ "properties": {
 "properties": {
- "entities": {
- "description": "Array of the incident related entities.",
- "type": 
"array",
- "items": {
- "$ref": "#/definitions/Entity"
- }
- },
- "metaData": {
- "description": "The metadata from the incident related entities results.",
- "type": "array",
- "items": {
- "$ref": "#/definitions/IncidentEntitiesResultsMetadata"
- }
- }
+ "$ref": "#/definitions/AADDataConnectorProperties",
+ "description": "AAD (Azure Active Directory) data connector properties.",
+ "x-ms-client-flatten": true
 }
 },
- "IncidentEntitiesResultsMetadata": {
- "description": "Information of a specific aggregation in the incident related entities result.",
- "properties": {
- "count": {
- "description": "Total number of aggregations of the given kind in the incident related entities result.",
- "type": "integer",
- "format": "int32"
- },
- "entityKind": {
- "$ref": "#/definitions/EntityInnerKind",
- "description": "The kind of the aggregated entity."
- }
+ "type": "object",
+ "x-ms-discriminator-value": "AzureActiveDirectory"
+ },
+ "AADDataConnectorProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
 },
- "required": [
- "entityKind",
- "count"
- ],
- "type": "object"
- },
- "IncidentLabel": {
- "description": "Represents an incident label",
+ {
+ "$ref": "#/definitions/DataConnectorWithAlertsProperties"
+ }
+ ],
+ "description": "AAD (Azure Active Directory) data connector properties.",
+ "type": "object"
+ },
+ "AADCheckRequirements": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorsCheckRequirements"
+ }
+ ],
+ "description": "Represents AAD (Azure Active Directory) requirements check request.",
+ "properties": {
 "properties": {
- "labelName": {
- "description": "The name of the label",
- "type": "string"
- },
- "labelType": {
- "description": "The type of the label",
- "enum": [
- "User",
- "System"
- ],
- "type": "string",
- "readOnly": true,
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentLabelType",
- "values": [
- {
- "description": "Label manually created by a user",
- "value": "User"
- },
- {
- "description": 
"Label automatically created by the system",
- "value": "System"
- }
- ]
- }
- }
- },
- "required": [
- "labelName"
- ],
- "type": "object"
+ "$ref": "#/definitions/AADCheckRequirementsProperties",
+ "description": "AAD (Azure Active Directory) requirements check properties.",
+ "x-ms-client-flatten": true
+ }
 },
- "IncidentList": {
- "description": "List all the incidents.",
+ "type": "object",
+ "x-ms-discriminator-value": "AzureActiveDirectory"
+ },
+ "AADCheckRequirementsProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "AAD (Azure Active Directory) requirements check properties.",
+ "type": "object"
+ },
+ "AATPDataConnector": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnector"
+ }
+ ],
+ "description": "Represents AATP (Azure Advanced Threat Protection) data connector.",
+ "properties": {
 "properties": {
- "nextLink": {
- "description": "URL to fetch the next set of incidents.",
- "readOnly": true,
- "type": "string"
- },
- "value": {
- "description": "Array of incidents.",
- "items": {
- "$ref": "#/definitions/Incident"
- },
- "type": "array"
- }
+ "$ref": "#/definitions/AATPDataConnectorProperties",
+ "description": "AATP (Azure Advanced Threat Protection) data connector properties.",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "AzureAdvancedThreatProtection"
+ },
+ "AATPDataConnectorProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
 },
- "required": [
- "value"
- ]
+ {
+ "$ref": "#/definitions/DataConnectorWithAlertsProperties"
+ }
+ ],
+ "description": "AATP (Azure Advanced Threat Protection) data connector properties.",
+ "type": "object"
+ },
+ "AATPCheckRequirements": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorsCheckRequirements"
+ }
+ ],
+ "description": "Represents AATP (Azure Advanced Threat Protection) requirements check request.",
+ "properties": {
+ "properties": {
+ "$ref": 
"#/definitions/AATPCheckRequirementsProperties",
+ "description": "AATP (Azure Advanced Threat Protection) requirements check properties.",
+ "x-ms-client-flatten": true
+ }
 },
- "IncidentOwnerInfo": {
- "description": "Information on the user an incident is assigned to",
+ "type": "object",
+ "x-ms-discriminator-value": "AzureAdvancedThreatProtection"
+ },
+ "AATPCheckRequirementsProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "AATP (Azure Advanced Threat Protection) requirements check properties.",
+ "type": "object"
+ },
+ "MSTIDataConnector": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnector"
+ }
+ ],
+ "description": "Represents Microsoft Threat Intelligence data connector.",
+ "properties": {
 "properties": {
- "email": {
- "description": "The email of the user the incident is assigned to.",
- "type": "string"
- },
- "assignedTo": {
- "description": "The name of the user the incident is assigned to.",
- "type": "string"
- },
- "objectId": {
- "description": "The object id of the user the incident is assigned to.",
- "format": "uuid",
- "type": "string"
- },
- "userPrincipalName": {
- "description": "The user principal name of the user the incident is assigned to.",
- "type": "string"
- }
- },
- "type": "object"
+ "$ref": "#/definitions/MSTIDataConnectorProperties",
+ "description": "Microsoft Threat Intelligence data connector properties.",
+ "x-ms-client-flatten": true
+ }
 },
- "IncidentClassification": {
- "description": "The reason the incident was closed",
- "enum": [
- "Undetermined",
- "TruePositive",
- "BenignPositive",
- "FalsePositive"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentClassification",
- "values": [
- {
- "description": "Incident classification was undetermined",
- "value": "Undetermined"
- },
- {
- "description": "Incident was true positive",
- "value": "TruePositive"
- },
- {
- "description": "Incident was benign positive",
- 
"value": "BenignPositive"
- },
+ "type": "object",
+ "x-ms-discriminator-value": "MicrosoftThreatIntelligence"
+ },
+ "MSTIDataConnectorDataTypes": {
+ "description": "The available data types for Microsoft Threat Intelligence Platforms data connector.",
+ "properties": {
+ "bingSafetyPhishingURL": {
+ "allOf": [
 {
- "description": "Incident was false positive",
- "value": "FalsePositive"
+ "$ref": "#/definitions/DataConnectorDataTypeCommon"
 }
+ ],
+ "properties": {
+ "lookbackPeriod": {
+ "description": "lookback period",
+ "type": "string"
+ }
+ },
+ "description": "Data type for Microsoft Threat Intelligence Platforms data connector.",
+ "type": "object",
+ "required": [
+ "lookbackPeriod"
 ]
- }
- },
- "IncidentClassificationReason": {
- "description": "The classification reason the incident was closed with",
- "enum": [
- "SuspiciousActivity",
- "SuspiciousButExpected",
- "IncorrectAlertLogic",
- "InaccurateData"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentClassificationReason",
- "values": [
- {
- "description": "Classification reason was suspicious activity",
- "value": "SuspiciousActivity"
- },
- {
- "description": "Classification reason was suspicious but expected",
- "value": "SuspiciousButExpected"
- },
- {
- "description": "Classification reason was incorrect alert logic",
- "value": "IncorrectAlertLogic"
- },
+ },
+ "microsoftEmergingThreatFeed": {
+ "allOf": [
 {
- "description": "Classification reason was inaccurate data",
- "value": "InaccurateData"
+ "$ref": "#/definitions/DataConnectorDataTypeCommon"
+ }
+ ],
+ "properties": {
+ "lookbackPeriod": {
+ "description": "lookback period",
+ "type": "string"
 }
+ },
+ "description": "Data type for Microsoft Threat Intelligence Platforms data connector.",
+ "type": "object",
+ "required": [
+ "lookbackPeriod"
 ]
 }
 },
- "IncidentSeverity": {
- "description": "The severity of the incident",
- "enum": [
- "High",
- "Medium",
- "Low",
- "Informational"
- ],
- "type": 
"string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentSeverity",
- "values": [
- {
- "description": "High severity",
- "value": "High"
- },
- {
- "description": "Medium severity",
- "value": "Medium"
- },
- {
- "description": "Low severity",
- "value": "Low"
- },
- {
- "description": "Informational severity",
- "value": "Informational"
- }
- ]
+ "type": "object",
+ "required": [
+ "bingSafetyPhishingURL",
+ "microsoftEmergingThreatFeed"
+ ]
+ },
+ "MSTIDataConnectorProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "Microsoft Threat Intelligence data connector properties.",
+ "properties": {
+ "dataTypes": {
+ "$ref": "#/definitions/MSTIDataConnectorDataTypes",
+ "description": "The available data types for the connector."
 }
 },
- "IncidentStatus": {
- "description": "The status of the incident",
- "enum": [
- "New",
- "Active",
- "Closed"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentStatus",
- "values": [
- {
- "description": "An active incident which isn't being handled currently",
- "value": "New"
- },
- {
- "description": "An active incident which is being handled",
- "value": "Active"
- },
+ "required": [
+ "dataTypes"
+ ],
+ "type": "object"
+ },
+ "MSTICheckRequirements": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorsCheckRequirements"
+ }
+ ],
+ "description": "Represents Microsoft Threat Intelligence requirements check request.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/MSTICheckRequirementsProperties",
+ "description": "Microsoft Threat Intelligence requirements check properties.",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "MicrosoftThreatIntelligence"
+ },
+ "MSTICheckRequirementsProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "Microsoft Threat Intelligence requirements check properties.",
+ "type": "object"
+ 
},
+ "MTPDataConnector": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnector"
+ }
+ ],
+ "description": "Represents MTP (Microsoft Threat Protection) data connector.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/MTPDataConnectorProperties",
+ "description": "MTP (Microsoft Threat Protection) data connector properties.",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "MicrosoftThreatProtection"
+ },
+ "MTPDataConnectorDataTypes": {
+ "description": "The available data types for Microsoft Threat Protection Platforms data connector.",
+ "properties": {
+ "incidents": {
+ "allOf": [
 {
- "description": "A non-active incident",
- "value": "Closed"
+ "$ref": "#/definitions/DataConnectorDataTypeCommon"
 }
- ]
+ ],
+ "description": "Data type for Microsoft Threat Protection Platforms data connector.",
+ "type": "object"
 }
 },
- "IncidentProperties": {
- "description": "Describes incident properties",
- "properties": {
- "additionalData": {
- "$ref": "#/definitions/IncidentAdditionalData",
- "description": "Additional data on the incident",
- "readOnly": true,
- "type": "object"
- },
- "classification": {
- "$ref": "#/definitions/IncidentClassification",
- "description": "The reason the incident was closed"
- },
- "classificationComment": {
- "description": "Describes the reason the incident was closed",
- "type": "string"
- },
- "classificationReason": {
- "$ref": "#/definitions/IncidentClassificationReason",
- "description": "The classification reason the incident was closed with"
- },
- "createdTimeUtc": {
- "description": "The time the incident was created",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "description": {
- "description": "The description of the incident",
- "type": "string"
- },
- "firstActivityTimeUtc": {
- "description": "The time of the first activity in the incident",
- "format": "date-time",
- "type": "string"
- },
- "incidentUrl": {
- "description": "The 
deep-link url to the incident in Azure portal",
- "readOnly": true,
- "type": "string"
- },
- "incidentNumber": {
- "description": "A sequential number",
- "readOnly": true,
- "type": "integer"
- },
- "labels": {
- "description": "List of labels relevant to this incident",
- "items": {
- "$ref": "#/definitions/IncidentLabel"
- },
- "type": "array"
- },
- "providerName": {
- "description": "The name of the source provider that generated the incident",
- "type": "string"
- },
- "providerIncidentId": {
- "description": "The incident ID assigned by the incident provider",
- "type": "string"
- },
- "lastActivityTimeUtc": {
- "description": "The time of the last activity in the incident",
- "format": "date-time",
- "type": "string"
- },
- "lastModifiedTimeUtc": {
- "description": "The last time the incident was updated",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
- },
- "owner": {
- "$ref": "#/definitions/IncidentOwnerInfo",
- "description": "Describes a user that the incident is assigned to",
- "type": "object"
- },
- "relatedAnalyticRuleIds": {
- "description": "List of resource ids of Analytic rules related to the incident",
- "items": {
- "description": "Related Analytic rule resource id",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "severity": {
- "$ref": "#/definitions/IncidentSeverity",
- "description": "The severity of the incident"
- },
- "status": {
- "$ref": "#/definitions/IncidentStatus",
- "description": "The status of the incident"
- },
- "title": {
- "description": "The title of the incident",
- "type": "string"
- }
- },
- "required": [
- "title",
- "severity",
- "status"
- ],
- "type": "object"
+ "type": "object",
+ "required": [
+ "incidents"
+ ]
+ },
+ "MTPDataConnectorProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "MTP (Microsoft Threat Protection) data connector properties.",
+ "properties": {
+ "dataTypes": {
+ "$ref": 
"#/definitions/MTPDataConnectorDataTypes",
+ "description": "The available data types for the connector."
+ }
 },
- "IpEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents an ip entity.",
+ "required": [
+ "dataTypes"
+ ],
+ "type": "object"
+ },
+ "MtpCheckRequirements": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorsCheckRequirements"
+ }
+ ],
+ "description": "Represents MTP (Microsoft Threat Protection) requirements check request.",
+ "properties": {
 "properties": {
- "properties": {
- "$ref": "#/definitions/IpEntityProperties",
- "description": "Ip entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Ip"
+ "$ref": "#/definitions/MTPCheckRequirementsProperties",
+ "description": "MTP (Microsoft Threat Protection) requirements check properties.",
+ "x-ms-client-flatten": true
+ }
 },
- "IpEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Ip entity property bag.",
+ "type": "object",
+ "x-ms-discriminator-value": "MicrosoftThreatProtection"
+ },
+ "MTPCheckRequirementsProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorTenantId"
+ }
+ ],
+ "description": "MTP (Microsoft Threat Protection) requirements check properties.",
+ "type": "object"
+ },
+ "ASCDataConnector": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnector"
+ }
+ ],
+ "description": "Represents ASC (Azure Security Center) data connector.",
+ "properties": {
 "properties": {
- "address": {
- "description": "The IP address as string, e.g. 
127.0.0.1 (either in Ipv4 or Ipv6)",
- "readOnly": true,
- "type": "string"
- },
- "location": {
- "$ref": "#/definitions/GeoLocation",
- "description": "The geo-location context attached to the ip entity"
- },
- "threatIntelligence": {
- "description": "A list of TI contexts attached to the ip entity.",
- "items": {
- "$ref": "#/definitions/ThreatIntelligence"
- },
- "readOnly": true,
- "type": "array"
- }
- },
- "type": "object"
+ "$ref": "#/definitions/ASCDataConnectorProperties",
+ "description": "ASC (Azure Security Center) data connector properties.",
+ "x-ms-client-flatten": true
+ }
 },
- "Label": {
- "description": "Label that will be used to tag and filter on.",
- "type": "string"
+ "type": "object",
+ "x-ms-discriminator-value": "AzureSecurityCenter"
+ },
+ "ASCDataConnectorProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorWithAlertsProperties"
+ }
+ ],
+ "description": "ASC (Azure Security Center) data connector properties.",
+ "properties": {
+ "subscriptionId": {
+ "description": "The subscription id to connect to, and get the data from.",
+ "type": "string"
+ }
 },
- "MailboxEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a mailbox entity.",
+ "type": "object"
+ },
+ "ASCCheckRequirements": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/DataConnectorsCheckRequirements"
+ }
+ ],
+ "description": "Represents ASC (Azure Security Center) requirements check request.",
+ "properties": {
 "properties": {
- "properties": {
- "$ref": "#/definitions/MailboxEntityProperties",
- "description": "Mailbox entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Mailbox"
+ "$ref": "#/definitions/ASCCheckRequirementsProperties",
+ "description": "ASC (Azure Security Center) requirements check properties.",
+ "x-ms-client-flatten": true
+ }
 },
- "MailboxEntityProperties": {
- "allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- 
"description": "Mailbox entity property bag.",
+ "type": "object",
+ "x-ms-discriminator-value": "AzureSecurityCenter"
+ },
+ "ASCCheckRequirementsProperties": {
+ "description": "ASC (Azure Security Center) requirements check properties.",
+ "properties": {
+ "subscriptionId": {
+ "description": "The subscription id to connect to, and get the data from.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "AccountEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents an account entity.",
+ "properties": {
 "properties": {
- "mailboxPrimaryAddress": {
- "description": "The mailbox's primary address",
- "readOnly": true,
- "type": "string"
- },
- "displayName": {
- "description": "The mailbox's display name",
- "readOnly": true,
- "type": "string"
- },
- "upn": {
- "description": "The mailbox's UPN",
- "readOnly": true,
- "type": "string"
- },
- "externalDirectoryObjectId": {
- "description": "The AzureAD identifier of mailbox. Similar to AadUserId in account entity but this property is specific to mailbox object on office side",
- "format": "uuid",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
+ "$ref": "#/definitions/AccountEntityProperties",
+ "description": "Account entity properties",
+ "x-ms-client-flatten": true
+ }
 },
- "MailClusterEntity": {
- "allOf": [
- {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a mail cluster entity.",
+ "type": "object",
+ "x-ms-discriminator-value": "Account"
+ },
+ "AccountEntityProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Account entity property bag.",
+ "properties": {
+ "aadTenantId": {
+ "description": "The Azure Active Directory tenant id.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "aadUserId": {
+ "description": "The Azure Active Directory user id.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "accountName": {
+ "description": "The name of the account. 
This field should hold only the name without any domain added to it, i.e. administrator.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "displayName": {
+ "description": "The display name of the account.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "hostEntityId": {
+ "description": "The Host entity id that contains the account in case it is a local account (not domain joined)",
+ "readOnly": true,
+ "type": "string"
+ },
+ "isDomainJoined": {
+ "description": "Determines whether this is a domain account.",
+ "readOnly": true,
+ "type": "boolean"
+ },
+ "ntDomain": {
+ "description": "The NetBIOS domain name as it appears in the alert format – domain\\username. Examples: NT AUTHORITY.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "objectGuid": {
+ "description": "The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.",
+ "format": "uuid",
+ "readOnly": true,
+ "type": "string"
+ },
+ "puid": {
+ "description": "The Azure Active Directory Passport User ID.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "sid": {
+ "description": "The account security identifier, e.g. S-1-5-18.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "upnSuffix": {
+ "description": "The user principal name suffix for the account, in some cases it is also the domain name. 
Examples: contoso.com.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "dnsDomain": {
+ "description": "The fully qualified domain DNS name.",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ActionRequest": {
+ "allOf": [
+ {
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ }
+ ],
+ "description": "Action for alert rule.",
+ "properties": {
 "properties": {
- "properties": {
- "$ref": "#/definitions/MailClusterEntityProperties",
- "description": "Mail cluster entity properties",
- "x-ms-client-flatten": true
- }
+ "$ref": "#/definitions/ActionRequestProperties",
+ "description": "Action properties for put request",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "ActionPropertiesBase": {
+ "description": "Action property bag base.",
+ "properties": {
+ "logicAppResourceId": {
+ "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "logicAppResourceId"
+ ],
+ "type": "object"
+ },
+ "ActionRequestProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/ActionPropertiesBase"
+ }
+ ],
+ "description": "Action property bag.",
+ "properties": {
+ "triggerUri": {
+ "description": "Logic App Callback URL for this specific workflow.",
+ "type": "string"
+ }
+ },
+ "required": [
+ "triggerUri"
+ ],
+ "type": "object"
+ },
+ "ActionResponse": {
+ "allOf": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ }
+ ],
+ "description": "Action for alert rule.",
+ "properties": {
+ "etag": {
+ "description": "Etag of the action.",
+ "type": "string"
 },
- "type": "object",
- "x-ms-discriminator-value": "MailCluster"
+ "properties": {
+ "$ref": "#/definitions/ActionResponseProperties",
+ "description": "Action properties for get request",
+ "x-ms-client-flatten": true
+ }
 },
- "MailClusterEntityProperties": {
- 
"allOf": [
- {
- "$ref": "#/definitions/EntityCommonProperties"
+ "type": "object"
+ },
+ "ActionResponseProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/ActionPropertiesBase"
+ }
+ ],
+ "description": "Action property bag.",
+ "properties": {
+ "workflowId": {
+ "description": "The name of the logic app's workflow.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ActionsList": {
+ "description": "List all the actions.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of actions.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of actions.",
+ "items": {
+ "$ref": "#/definitions/ActionResponse"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "Aggregations": {
+ "allOf": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ },
+ {
+ "$ref": "#/definitions/AggregationsKind"
+ }
+ ],
+ "description": "The aggregation.",
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "AggregationsKind": {
+ "description": "Describes an Azure resource with kind.",
+ "properties": {
+ "kind": {
+ "description": "The kind of the setting",
+ "enum": [
+ "CasesAggregation"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AggregationsKind"
 }
- ],
- "description": "Mail cluster entity property bag.",
- "properties": {
- "networkMessageIds": {
- "description": "The mail message IDs that are part of the mail cluster",
- "items": {
- "description": "A mail message ID",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "countByDeliveryStatus": {
- "description": "Count of mail messages by DeliveryStatus string representation",
- "readOnly": true,
- "type": "object"
- },
- "countByThreatType": {
- "description": "Count of mail messages by ThreatType string representation",
- "readOnly": true,
- "type": "object"
- },
- "countByProtectionStatus": {
- "description": 
"Count of mail messages by ProtectionStatus string representation",
- "readOnly": true,
- "type": "object"
- },
- "threats": {
- "description": "The threats of mail messages that are part of the mail cluster",
- "items": {
- "description": "A threat",
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
- },
- "query": {
- "description": "The query that was used to identify the messages of the mail cluster",
- "readOnly": true,
- "type": "string"
- },
- "queryTime": {
- "description": "The query time",
- "format": "date-time",
- "readOnly": true,
+ }
+ },
+ "required": [
+ "kind"
+ ],
+ "type": "object"
+ },
+ "AlertRule": {
+ "allOf": [
+ {
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ },
+ {
+ "$ref": "#/definitions/AlertRuleKind"
+ }
+ ],
+ "description": "Alert rule.",
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "AlertRuleKind": {
+ "description": "Describes an Azure resource with kind.",
+ "properties": {
+ "kind": {
+ "description": "The kind of the alert rule",
+ "enum": [
+ "Scheduled",
+ "MicrosoftSecurityIncidentCreation",
+ "Fusion",
+ "MLBehaviorAnalytics",
+ "ThreatIntelligence"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "AlertRuleKind",
+ "values": [
+ {
+ "value": "Scheduled"
+ },
+ {
+ "value": "MicrosoftSecurityIncidentCreation"
+ },
+ {
+ "value": "Fusion"
+ },
+ {
+ "value": "MLBehaviorAnalytics"
+ },
+ {
+ "value": "ThreatIntelligence"
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "kind"
+ ],
+ "type": "object"
+ },
+ "AlertRuleTemplate": {
+ "allOf": [
+ {
+ "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ },
+ {
+ "$ref": "#/definitions/AlertRuleKind"
+ }
+ ],
+ "description": "Alert rule template.",
+ "discriminator": "kind",
+ "type": "object",
+ "required": [
+ "kind"
+ ]
+ },
+ "AlertRuleTemplateDataSource": {
+ "description": "alert rule template data sources",
+ "properties": {
+ 
"connectorId": {
+ "description": "The connector id that provides the following data types",
+ "type": "string"
+ },
+ "dataTypes": {
+ "description": "The data types used by the alert rule template",
+ "items": {
 "type": "string"
 },
- "mailCount": {
- "description": "The number of mail messages that are part of the mail cluster",
- "readOnly": true,
- "type": "integer",
- "format": "int32"
- },
- "isVolumeAnomaly": {
- "description": "Is this a volume anomaly mail cluster",
- "readOnly": true,
- "type": "boolean"
- },
- "source": {
- "description": "The source of the mail cluster (default is 'O365 ATP')",
- "readOnly": true,
- "type": "string"
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "AlertRuleTemplatePropertiesBase": {
+ "description": "Base alert rule template property bag.",
+ "properties": {
+ "alertRulesCreatedByTemplateCount": {
+ "description": "the number of alert rules that were created by this template",
+ "type": "integer"
+ },
+ "lastUpdatedDateUTC": {
+ "description": "The last time that this alert rule template has been updated.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "createdDateUTC": {
+ "description": "The time that this alert rule template has been added.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the alert rule template.",
+ "type": "string"
+ },
+ "displayName": {
+ "description": "The display name for alert rule template.",
+ "type": "string"
+ },
+ "requiredDataConnectors": {
+ "description": "The required data sources for this template",
+ "items": {
+ "$ref": "#/definitions/AlertRuleTemplateDataSource"
+ },
+ "type": "array"
+ },
+ "status": {
+ "description": "The alert rule template status.",
+ "enum": [
+ "Installed",
+ "Available",
+ "NotAvailable"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "TemplateStatus",
+ "values": [
+ {
+ "description": "Alert rule template installed. 
and can not use more then once", + "value": "Installed" + }, + { + "description": "Alert rule template is available.", + "value": "Available" + }, + { + "description": "Alert rule template is not available", + "value": "NotAvailable" + } + ] + } + } + }, + "type": "object" + }, + "AlertRuleTemplatesList": { + "description": "List all the alert rule templates.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rule templates.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rule templates.", + "items": { + "$ref": "#/definitions/AlertRuleTemplate" }, - "clusterSourceIdentifier": { - "description": "The id of the cluster source", - "readOnly": true, - "type": "string" + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertRuleTriggerOperator": { + "description": "The operation against the threshold that triggers alert rule.", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "TriggerOperator" + } + }, + "AlertRulesList": { + "description": "List all the alert rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of alert rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" }, - "clusterSourceType": { - "description": "The type of the cluster source", - "readOnly": true, - "type": "string" + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" }, - "clusterQueryStartTime": { - "description": "The cluster query start time", - "format": "date-time", - 
"readOnly": true, - "type": "string" + { + "description": "Medium severity", + "value": "Medium" }, - "clusterQueryEndTime": { - "description": "The cluster query end time", - "format": "date-time", - "readOnly": true, - "type": "string" + { + "description": "Low severity", + "value": "Low" }, - "clusterGroup": { - "description": "The cluster group", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "MailMessageEntity": { - "allOf": [ { - "$ref": "#/definitions/Entity" + "description": "Informational severity", + "value": "Informational" } - ], - "description": "Represents a mail message entity.", + ] + } + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "alerts" + ] + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "AwsCloudTrailDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Amazon Web Services CloudTrail data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties", + "description": "Amazon Web Services CloudTrail data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AwsCloudTrailDataConnectorDataTypes": { + "description": "The available data types for 
Amazon Web Services CloudTrail data connector.", + "properties": { + "logs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Logs data type.", + "type": "object" + } + }, + "type": "object", + "required": [ + "logs" + ] + }, + "AwsCloudTrailDataConnectorProperties": { + "description": "Amazon Web Services CloudTrail data connector properties.", + "properties": { + "awsRoleArn": { + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.", + "type": "string" + }, + "dataTypes": { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "AwsCloudTrailCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Amazon Web Services CloudTrail requirements check request.", + "type": "object", + "x-ms-discriminator-value": "AmazonWebServicesCloudTrail" + }, + "AzureResourceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents an azure resource entity.", + "properties": { "properties": { + "$ref": "#/definitions/AzureResourceEntityProperties", + "description": "AzureResource entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "AzureResource" + }, + "AzureResourceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "AzureResource entity property bag.", + "properties": { + "resourceId": { + "description": "The azure resource id of the resource", + "readOnly": true, + "type": "string" + }, + "subscriptionId": { + "description": "The subscription id of the resource", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "RelationBase": { + "type": "object", + "description": "Represents a relation", 
+ "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + }, + { + "type": "object", "properties": { - "$ref": "#/definitions/MailMessageEntityProperties", - "description": "Mail message entity properties", - "x-ms-client-flatten": true + "kind": { + "type": "string", + "description": "The type of relation node", + "readOnly": true, + "enum": [ + "CasesToBookmarks" + ], + "x-ms-enum": { + "name": "RelationTypes", + "modelAsString": true, + "values": [ + { + "value": "CasesToBookmarks", + "description": "Relations between cases and bookmarks" + } + ] + } + }, + "etag": { + "type": "string", + "description": "ETag for relation" + } } - }, - "type": "object", - "x-ms-discriminator-value": "MailMessage" - }, - "MailMessageEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" + } + ] + }, + "CaseRelationList": { + "description": "List of case relations.", + "properties": { + "nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" + }, + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/CaseRelation" } - ], - "description": "Mail message entity property bag.", + } + }, + "required": [ + "value" + ] + }, + "CaseRelation": { + "type": "object", + "description": "Represents a case relation", + "allOf": [ + { + "$ref": "#/definitions/RelationBase" + } + ], + "properties": { "properties": { - "fileEntityIds": { - "description": "The File entity ids of this mail message's attachments", - "items": { - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "recipient": { - "description": "The recipient of this mail message. 
Note that in case of multiple recipients the mail message is forked and each copy has one recipient", - "readOnly": true, + "x-ms-client-flatten": true, + "description": "Case relation properties", + "$ref": "#/definitions/CaseRelationProperties" + } + } + }, + "CaseRelationProperties": { + "type": "object", + "description": "Case relation properties", + "properties": { + "relationName": { + "type": "string", + "description": "Name of relation" + }, + "bookmarkId": { + "type": "string", + "description": "The case related bookmark id" + }, + "caseIdentifier": { + "type": "string", + "description": "The case identifier" + }, + "bookmarkName": { + "type": "string", + "description": "The case related bookmark name" + } + }, + "required": [ + "relationName", + "caseIdentifier", + "bookmarkId" + ] + }, + "RelationsModelInput": { + "type": "object", + "description": "Relation input model", + "allOf": [ + { + "$ref": "#/definitions/RelationBase" + } + ], + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "Relation input properties", + "$ref": "#/definitions/RelationsModelInputProperties" + } + } + }, + "RelationsModelInputProperties": { + "type": "object", + "description": "Relation input properties", + "properties": { + "relationName": { + "type": "string", + "description": "Name of relation" + }, + "sourceRelationNode": { + "type": "object", + "description": "Relation source node", + "$ref": "#/definitions/RelationNode" + }, + "targetRelationNode": { + "type": "object", + "description": "Relation target node", + "$ref": "#/definitions/RelationNode" + } + } + }, + "RelationNode": { + "type": "object", + "description": "Relation node", + "properties": { + "relationNodeId": { + "type": "string", + "description": "Relation Node Id" + }, + "relationNodeKind": { + "type": "string", + "description": "The type of relation node", + "readOnly": true, + "enum": [ + "Case", + "Bookmark" + ], + "x-ms-enum": { + "name": "RelationNodeKind", + 
"modelAsString": true, + "values": [ + { + "value": "Case", + "description": "Case node part of the relation" + }, + { + "value": "Bookmark", + "description": "Bookmark node part of the relation" + } + ] + } + }, + "etag": { + "type": "string", + "description": "Etag for relation node" + }, + "relationAdditionalProperties": { + "type": "object", + "additionalProperties": { "type": "string" }, - "urls": { - "description": "The Urls contained in this mail message", - "items": { - "description": "A Url contained in this mail message", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "threats": { - "description": "The threats of this mail message", - "items": { - "description": "A threat of the mail message", - "type": "string" + "description": "Additional set of properties" + } + } + }, + "Bookmark": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a bookmark in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/BookmarkProperties", + "description": "Bookmark properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "BookmarkList": { + "description": "List all the bookmarks.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of bookmarks.", + "items": { + "$ref": "#/definitions/Bookmark" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "BookmarkProperties": { + "description": "Describes bookmark properties", + "properties": { + "created": { + "description": "The time the bookmark was created", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the bookmark", + "type": "object" + }, + "displayName": { + "description": "The display name of the bookmark", + "type": "string" + }, 
+ "labels": { + "description": "List of labels relevant to this bookmark", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "notes": { + "description": "The notes of the bookmark", + "type": "string" + }, + "query": { + "description": "The query of the bookmark.", + "type": "string" + }, + "queryResult": { + "description": "The query result of the bookmark.", + "type": "string" + }, + "updated": { + "description": "The last time the bookmark was updated", + "format": "date-time", + "type": "string" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the bookmark", + "type": "object" + }, + "eventTime": { + "description": "The bookmark event time", + "format": "date-time", + "type": "string" + }, + "queryStartTime": { + "description": "The start time for the query", + "format": "date-time", + "type": "string" + }, + "queryEndTime": { + "description": "The end time for the query", + "format": "date-time", + "type": "string" + }, + "incidentInfo": { + "$ref": "#/definitions/IncidentInfo", + "description": "Describes an incident that relates to bookmark", + "type": "object" + } + }, + "required": [ + "displayName", + "query" + ], + "type": "object" + }, + "BookmarkExpandParameters": { + "description": "The parameters required to execute an expand operation on the given bookmark.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" + }, + "startTime": { + "description": "The start date filter, so the only expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + } + }, + "BookmarkExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": 
"#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." + }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "#/definitions/Entity" + }, + "type": "array" }, - "readOnly": true, - "type": "array" - }, - "p1Sender": { - "description": "The p1 sender's email address", - "readOnly": true, - "type": "string" - }, - "p1SenderDisplayName": { - "description": "The p1 sender's display name", - "readOnly": true, - "type": "string" + "edges": { + "description": "Array of expansion result connected entities", + "items": { + "$ref": "#/definitions/ConnectedEntity" + }, + "type": "array" + } }, - "p1SenderDomain": { - "description": "The p1 sender's domain", - "readOnly": true, - "type": "string" - }, - "senderIP": { - "description": "The sender's IP address", - "readOnly": true, - "type": "string" - }, - "p2Sender": { - "description": "The p2 sender's email address", - "readOnly": true, - "type": "string" - }, - "p2SenderDisplayName": { - "description": "The p2 sender's display name", - "readOnly": true, - "type": "string" - }, - "p2SenderDomain": { - "description": "The p2 sender's domain", - "readOnly": true, - "type": "string" - }, - "receiveDate": { - "description": "The receive date of this message", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "networkMessageId": { - "description": "The network message id of this mail message", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "internetMessageId": { - "description": "The internet message id of this mail message", - "readOnly": true, - "type": "string" - }, - "subject": { - "description": "The subject of this mail message", - "readOnly": true, - "type": "string" - }, - "language": { - "description": "The language of this mail message", - "readOnly": true, - "type": "string" - }, - 
"threatDetectionMethods": { - "description": "The threat detection methods", - "items": { - "description": "A threat detection method", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "bodyFingerprintBin1": { - "description": "The bodyFingerprintBin1", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin2": { - "description": "The bodyFingerprintBin2", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin3": { - "description": "The bodyFingerprintBin3", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin4": { - "description": "The bodyFingerprintBin4", - "type": "integer", - "format": "int32" - }, - "bodyFingerprintBin5": { - "description": "The bodyFingerprintBin5", - "type": "integer", - "format": "int32" - }, - "antispamDirection": { - "description": "The directionality of this mail message", - "enum": [ - "Unknown", - "Inbound", - "Outbound", - "Intraorg" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AntispamMailDirection", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "Inbound", - "value": "Inbound" - }, - { - "description": "Outbound", - "value": "Outbound" - }, - { - "description": "Intraorg", - "value": "Intraorg" - } - ] - } - }, - "deliveryAction": { - "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", - "enum": [ - "Unknown", - "DeliveredAsSpam", - "Delivered", - "Blocked", - "Replaced" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "DeliveryAction", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "DeliveredAsSpam", - "value": "DeliveredAsSpam" - }, - { - "description": "Delivered", - "value": "Delivered" - }, - { - "description": "Blocked", - "value": "Blocked" - }, - { - "description": "Replaced", - "value": "Replaced" - } - ] - } - }, - "deliveryLocation": { - "description": "The delivery 
location of this mail message like Inbox, JunkFolder etc", - "enum": [ - "Unknown", - "Inbox", - "JunkFolder", - "DeletedFolder", - "Quarantine", - "External", - "Failed", - "Dropped", - "Forwarded" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": false, - "name": "DeliveryLocation", - "values": [ - { - "description": "Unknown", - "value": "Unknown" - }, - { - "description": "Inbox", - "value": "Inbox" - }, - { - "description": "JunkFolder", - "value": "JunkFolder" - }, - { - "description": "DeletedFolder", - "value": "DeletedFolder" - }, - { - "description": "Quarantine", - "value": "Quarantine" - }, - { - "description": "External", - "value": "External" - }, - { - "description": "Failed", - "value": "Failed" - }, - { - "description": "Dropped", - "value": "Dropped" - }, - { - "description": "Forwarded", - "value": "Forwarded" - } - ] - } - } - }, - "type": "object" + "type": "object" + } + } + }, + "Case": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a case in Azure Security Insights.", + "properties": { + "properties": { + "$ref": "#/definitions/CaseProperties", + "description": "Case properties", + "x-ms-client-flatten": true + } }, - "SubmissionMailEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a submission mail entity.", + "type": "object" + }, + "CaseComment": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + } + ], + "description": "Represents a case comment", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/SubmissionMailEntityProperties", - "description": "Submission mail entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "SubmissionMail" + "$ref": "#/definitions/CaseCommentProperties", + "description": "Case comment properties", + "x-ms-client-flatten": true 
+ } }, - "SubmissionMailEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" + "type": "object" + }, + "CaseCommentList": { + "description": "List of case comments.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of comments.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of comments.", + "items": { + "$ref": "#/definitions/CaseComment" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "CaseCommentProperties": { + "description": "Case comment property bag.", + "properties": { + "createdTimeUtc": { + "description": "The time the comment was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "message": { + "description": "The comment message", + "type": "string" + }, + "userInfo": { + "$ref": "#/definitions/UserInfo", + "description": "Describes the user that created the comment", + "readOnly": true, + "type": "object" + } + }, + "required": [ + "message" + ], + "type": "object" + }, + "CaseList": { + "description": "List all the cases.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of cases.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of cases.", + "items": { + "$ref": "#/definitions/Case" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "CaseProperties": { + "description": "Describes case properties", + "properties": { + "caseNumber": { + "description": "a sequential number", + "readOnly": true, + "type": "integer" + }, + "closeReason": { + "description": "The reason the case was closed", + "enum": [ + "Resolved", + "Dismissed", + "TruePositive", + "FalsePositive", + "Other" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CloseReason", + "values": [ + { + "description": "Case was resolved", + "value": "Resolved" + }, + { + "description": "Case was dismissed", + "value": "Dismissed" + }, + { + 
"description": "Case was true positive", + "value": "TruePositive" + }, + { + "description": "Case was false positive", + "value": "FalsePositive" + }, + { + "description": "Case was closed for another reason", + "value": "Other" + } + ] } - ], - "description": "Submission mail entity property bag.", - "properties": { - "networkMessageId": { - "description": "The network message id of email to which submission belongs", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submissionId": { - "description": "The submission id", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "submitter": { - "description": "The submitter", - "readOnly": true, - "type": "string" - }, - "submissionDate": { - "description": "The submission date", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "timestamp": { - "description": "The Time stamp when the message is received (Mail)", - "format": "date-time", - "readOnly": true, - "type": "string" + }, + "closedReasonText": { + "description": "the case close reason details", + "type": "string" + }, + "createdTimeUtc": { + "description": "The time the case was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "description": { + "description": "The description of the case", + "type": "string" + }, + "endTimeUtc": { + "description": "The end time of the case", + "format": "date-time", + "type": "string" + }, + "labels": { + "description": "List of labels relevant to this case", + "items": { + "$ref": "#/definitions/Label" }, - "recipient": { - "description": "The recipient of the mail", - "readOnly": true, - "type": "string" + "type": "array" + }, + "lastComment": { + "description": "the last comment in the case", + "readOnly": true, + "type": "string" + }, + "lastUpdatedTimeUtc": { + "description": "The last time the case was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "metrics": { + "description": "Dictionary of metrics, 
for example the number of alerts in the case", + "type": "object", + "additionalProperties": { + "type": "integer", + "format": "int32" }, - "sender": { - "description": "The sender of the mail", - "readOnly": true, + "readOnly": true + }, + "owner": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that the case is assigned to", + "type": "object" + }, + "relatedAlertIds": { + "description": "List of related alert identifiers", + "items": { + "description": "related alert id", "type": "string" }, - "senderIp": { - "description": "The sender's IP", - "readOnly": true, + "readOnly": true, + "type": "array" + }, + "relatedAlertProductNames": { + "description": "List of related alert product names", + "items": { + "description": "related alert product name", "type": "string" }, - "subject": { - "description": "The subject of submission mail", - "readOnly": true, - "type": "string" + "readOnly": true, + "type": "array" + }, + "tactics": { + "description": "The tactics associated with case", + "items": { + "$ref": "#/definitions/AttackTactic" }, - "reportType": { - "description": "The submission type for the given instance. 
This maps to Junk, Phish, Malware or NotJunk.", - "readOnly": true, - "type": "string" - } + "readOnly": true, + "type": "array" }, - "type": "object" - }, - "MCASDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MCASDataConnectorProperties", - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "x-ms-client-flatten": true + "severity": { + "description": "The severity of the case", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] } }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" - }, - "MCASDataConnectorDataTypes": { - "allOf": [ - { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector" - } - ], - "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", - "properties": { - "discoveryLogs": { - "allOf": [ + "startTimeUtc": { + "description": "The start time of the case", + "format": "date-time", + "type": "string" + }, + "status": { + "description": "The status of the case", + "enum": [ + "Draft", + "New", + "InProgress", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseStatus", + "values": [ + { + "description": "Case that wasn't promoted yet to active", + "value": "Draft" + }, + { + "description": "An active case which isn't handled currently", + "value": "New" + }, + { + 
"description": "An active case which is handled", + "value": "InProgress" + }, { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "description": "A non active case", + "value": "Closed" } - ], - "description": "Discovery log data type connection.", - "type": "object" + ] } }, - "type": "object" - }, - "MCASDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MCAS (Microsoft Cloud App Security) data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/MCASDataConnectorDataTypes", - "description": "The available data types for the connector." - } + "title": { + "description": "The title of the case", + "type": "string" }, - "required": [ - "dataTypes" - ], - "type": "object" + "totalComments": { + "description": "the number of total comments in the case", + "readOnly": true, + "type": "integer" + } }, - "MCASCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", + "required": [ + "title", + "severity", + "status" + ], + "type": "object" + }, + "CasesAggregation": { + "allOf": [ + { + "$ref": "#/definitions/Aggregations" + } + ], + "description": "Represents aggregations results for cases.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/MCASCheckRequirementsProperties", - "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + "$ref": "#/definitions/CasesAggregationProperties", + "description": "Properties of aggregations results of cases.", + "x-ms-client-flatten": true + } }, - "MCASCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MCAS (Microsoft Cloud App Security) 
requirements check properties.", - "type": "object" + "type": "object", + "x-ms-discriminator-value": "CasesAggregation" + }, + "CasesAggregationBySeverityProperties": { + "description": "Aggregative results of cases by severity property bag.", + "properties": { + "totalCriticalSeverity": { + "description": "Total amount of open cases with severity Critical", + "readOnly": true, + "type": "integer" + }, + "totalHighSeverity": { + "description": "Total amount of open cases with severity High", + "readOnly": true, + "type": "integer" + }, + "totalInformationalSeverity": { + "description": "Total amount of open cases with severity Informational", + "readOnly": true, + "type": "integer" + }, + "totalLowSeverity": { + "description": "Total amount of open cases with severity Low", + "readOnly": true, + "type": "integer" + }, + "totalMediumSeverity": { + "description": "Total amount of open cases with severity medium", + "readOnly": true, + "type": "integer" + } }, - "MDATPDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/MDATPDataConnectorProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + "type": "object" + }, + "CasesAggregationByStatusProperties": { + "description": "Aggregative results of cases by status property bag.", + "properties": { + "totalDismissedStatus": { + "description": "Total amount of closed cases with status Dismissed", + "readOnly": true, + "type": "integer" + }, + "totalInProgressStatus": { + "description": "Total amount of open cases with status InProgress", + "readOnly": true, + "type": "integer" + }, + "totalNewStatus": { + "description": "Total amount of open 
cases with status New", + "readOnly": true, + "type": "integer" + }, + "totalResolvedStatus": { + "description": "Total amount of closed cases with status Resolved", + "readOnly": true, + "type": "integer" + }, + "totalFalsePositiveStatus": { + "description": "Total amount of closed cases with status Closed and Close reason of False positive", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "totalTruePositiveStatus": { + "description": "Total amount of closed cases with status Closed and Close reason of True positive", + "readOnly": true, + "type": "integer", + "format": "int32" + } }, - "MDATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", - "type": "object" + "type": "object" + }, + "CasesAggregationProperties": { + "description": "Aggregative results of cases property bag.", + "properties": { + "aggregationBySeverity": { + "$ref": "#/definitions/CasesAggregationBySeverityProperties", + "description": "Aggregations results by case severity." + }, + "aggregationByStatus": { + "$ref": "#/definitions/CasesAggregationByStatusProperties", + "description": "Aggregations results by case status." 
+ } }, - "MDATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", - "properties": { - "properties": { - "$ref": "#/definitions/MDATPCheckRequirementsProperties", - "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + "type": "object" + }, + "ClientInfo": { + "description": "Information on the client (user or application) that made some action", + "properties": { + "email": { + "description": "The email of the client.", + "type": "string" + }, + "name": { + "description": "The name of the client.", + "type": "string" + }, + "objectId": { + "description": "The object id of the client.", + "format": "uuid", + "type": "string" + }, + "userPrincipalName": { + "description": "The user principal name of the client.", + "type": "string" + } }, - "MDATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", - "type": "object" - }, - "MalwareEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a malware entity.", + "type": "object" + }, + "CloudApplicationEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a cloud application entity.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/MalwareEntityProperties", - "description": "File entity properties", - "x-ms-client-flatten": true - } + "$ref": "#/definitions/CloudApplicationEntityProperties", + "description": "CloudApplication entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + 
"x-ms-discriminator-value": "CloudApplication" + }, + "CloudApplicationEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "CloudApplication entity property bag.", + "properties": { + "appId": { + "description": "The technical identifier of the application.", + "readOnly": true, + "type": "integer" + }, + "appName": { + "description": "The name of the related cloud application.", + "readOnly": true, + "type": "string" + }, + "instanceName": { + "description": "The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "CloudError": { + "description": "Error response structure.", + "properties": { + "error": { + "$ref": "#/definitions/CloudErrorBody", + "description": "Error data", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-external": true + }, + "CloudErrorBody": { + "description": "Error details.", + "properties": { + "code": { + "description": "An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.", + "readOnly": true, + "type": "string" + }, + "message": { + "description": "A message describing the error, intended to be suitable for display in a user interface.", + "readOnly": true, + "type": "string" + } + }, + "type": "object", + "x-ms-external": true + }, + "DataConnector": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" }, - "type": "object", - "x-ms-discriminator-value": "Malware" + { + "$ref": "#/definitions/DataConnectorKind" + } + ], + "description": "Data connector.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "DataConnectorsCheckRequirements": { + "description": "Data connector requirements properties.", + "properties": { + "kind": { + "$ref": "#/definitions/DataConnectorKind", + "description": "Describes the kind of connector to be checked." + } }, - "MalwareEntityProperties": { - "allOf": [ + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "DataConnectorAuthorizationState": { + "description": "Describes the state of user's authorization for a connector kind.", + "enum": [ + "Valid", + "Invalid" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorAuthorizationState", + "values": [ { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Malware entity property bag.", - "properties": { - "category": { - "description": "The malware category by the vendor, e.g. Trojan", - "readOnly": true, - "type": "string" - }, - "fileEntityIds": { - "description": "List of linked file entity identifiers on which the malware was found", - "items": { - "description": "file entity id", - "type": "string" - }, - "readOnly": true, - "type": "array" - }, - "malwareName": { - "description": "The malware name by the vendor, e.g. 
Win32/Toga!rfn", - "readOnly": true, - "type": "string" + "value": "Valid" }, - "processEntityIds": { - "description": "List of linked process entity identifiers on which the malware was found.", - "items": { - "description": "process entity id", - "type": "string" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRule": { - "allOf": [ { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents MicrosoftSecurityIncidentCreation rule.", - "properties": { - "properties": { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", - "description": "MicrosoftSecurityIncidentCreation rule properties", - "x-ms-client-flatten": true + "value": "Invalid" } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" - }, - "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { - "description": "MicrosoftSecurityIncidentCreation rule common property bag.", - "properties": { - "displayNamesFilter": { - "description": "the alerts' displayNames on which the cases will be generated", - "items": { - "type": "string" - }, - "type": "array" - }, - "displayNamesExcludeFilter": { - "description": "the alerts' displayNames on which the cases will not be generated", - "items": { - "type": "string" - }, - "type": "array" + ] + } + }, + "DataConnectorLicenseState": { + "description": "Describes the state of user's license for a connector kind.", + "enum": [ + "Valid", + "Invalid", + "Unknown" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorLicenseState", + "values": [ + { + "value": "Valid" }, - "productFilter": { - "description": "The alerts' productName on which the cases will be generated", - "enum": [ - "Microsoft Cloud App Security", - "Azure Security Center", - "Azure Advanced Threat Protection", - "Azure Active Directory Identity Protection", - "Azure Security Center for IoT", - "Office 365 
Advanced Threat Protection", - "Microsoft Defender Advanced Threat Protection" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "MicrosoftSecurityProductName" - } + { + "value": "Invalid" }, - "severitiesFilter": { - "description": "the alerts' severities on which the cases will be generated", - "items": { - "$ref": "#/definitions/AlertSeverity" - }, - "type": "array" - } - }, - "required": [ - "productFilter" - ], - "type": "object" - }, - "MicrosoftSecurityIncidentCreationAlertRuleProperties": { - "allOf": [ { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + "value": "Unknown" } - ], - "description": "MicrosoftSecurityIncidentCreation rule property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" - }, - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" - }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" - }, - "lastModifiedUtc": { - "description": "The last time that this alert has been modified.", - "format": "date-time", - "readOnly": true, - "type": "string" + ] + } + }, + "DataConnectorDataTypeCommon": { + "description": "Common field for data type in data connectors.", + "properties": { + "state": { + "description": "Describe whether this data type connection is enabled or not.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataTypeState" } - }, - "required": [ - "displayName", - "enabled", - "productFilter" - ], - "type": "object" + } }, - "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents 
MicrosoftSecurityIncidentCreation rule template.", - "properties": { - "properties": { - "allOf": [ + "type": "object", + "required": [ + "state" + ] + }, + "DataConnectorKind": { + "description": "Describes an Azure resource with kind.", + "properties": { + "kind": { + "description": "The kind of the data connector", + "enum": [ + "AzureActiveDirectory", + "AzureSecurityCenter", + "MicrosoftCloudAppSecurity", + "ThreatIntelligence", + "ThreatIntelligenceTaxii", + "Office365", + "OfficeATP", + "AmazonWebServicesCloudTrail", + "AzureAdvancedThreatProtection", + "MicrosoftDefenderAdvancedThreatProtection", + "Dynamics365", + "MicrosoftThreatProtection", + "MicrosoftThreatIntelligence" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "DataConnectorKind", + "values": [ + { + "value": "AzureActiveDirectory" + }, + { + "value": "AzureSecurityCenter" + }, + { + "value": "MicrosoftCloudAppSecurity" + }, + { + "value": "ThreatIntelligence" + }, + { + "value": "ThreatIntelligenceTaxii" + }, + { + "value": "Office365" + }, + { + "value": "OfficeATP" + }, + { + "value": "AmazonWebServicesCloudTrail" + }, + { + "value": "AzureAdvancedThreatProtection" + }, + { + "value": "MicrosoftDefenderAdvancedThreatProtection" + }, + { + "value": "Dynamics365" + }, { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + "value": "MicrosoftThreatProtection" }, { - "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + "value": "MicrosoftThreatIntelligence" } - ], - "description": "MicrosoftSecurityIncidentCreation rule template properties", - "required": [ - "displayName", - "description", - "createdDateUTC", - "status", - "alertRulesCreatedByTemplateCount", - "productFilter" - ], - "x-ms-client-flatten": true + ] } - }, - "type": "object", - "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + } }, - "OfficeATPDataConnector": { - "allOf": [ - { + "required": [ + "kind" + ], + "type": "object" + }, + 
"DataConnectorList": { + "description": "List all the data connectors.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of data connectors.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of data connectors.", + "items": { "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/OfficeATPDataConnectorProperties", - "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "OfficeATP" - }, - "OfficeATPDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" }, - { - "$ref": "#/definitions/DataConnectorWithAlertsProperties" - } - ], - "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", - "type": "object" + "type": "array" + } }, - "OfficeATPCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", + "required": [ + "value" + ] + }, + "DataConnectorRequirementsState": { + "description": "Data connector requirements status.", + "properties": { + "authorizationState": { + "description": "Authorization state for this connector", + "$ref": "#/definitions/DataConnectorAuthorizationState" + }, + "licenseState": { + "description": "License state for this connector", + "$ref": "#/definitions/DataConnectorLicenseState" + } + }, + "type": "object" + }, + "DataConnectorTenantId": { + "description": "Properties data connector on tenant level.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + } + }, + "required": [ + "tenantId" + ], + 
"type": "object" + }, + "DataConnectorWithAlertsProperties": { + "description": "Data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector", + "description": "The available data types for the connector." + } + }, + "type": "object" + }, + "DnsEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a dns entity.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/OfficeATPCheckRequirementsProperties", - "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "OfficeATP" + "$ref": "#/definitions/DnsEntityProperties", + "description": "Dns entity properties", + "x-ms-client-flatten": true + } }, - "OfficeATPCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", - "type": "object" + "type": "object", + "x-ms-discriminator-value": "DnsResolution" + }, + "DnsEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Dns entity property bag.", + "properties": { + "dnsServerIpEntityId": { + "description": "An ip entity id for the dns server resolving the request", + "readOnly": true, + "type": "string" + }, + "domainName": { + "description": "The name of the dns record associated with the alert", + "readOnly": true, + "type": "string" + }, + "hostIpAddressEntityId": { + "description": "An ip entity id for the dns request client", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityIds": { + "description": "Ip entity identifiers for the resolved ip address.", + "items": { + "description": "Ip entity id", + "type": "string" + }, + "readOnly": true, + "type": "array" + } }, - "OfficeConsent": { - "allOf": 
[ - { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" - } - ], - "description": "Consent for Office365 tenant that already made.", + "type": "object" + }, + "Dynamics365DataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents Dynamics365 data connector.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/OfficeConsentProperties", - "description": "Office consent properties", - "x-ms-client-flatten": true - } - }, - "type": "object" + "$ref": "#/definitions/Dynamics365DataConnectorProperties", + "description": "Dynamics365 data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Dynamics365" + }, + "Dynamics365DataConnectorDataTypes": { + "description": "The available data types for Dynamics365 data connector.", + "properties": { + "dynamics365CdsActivities": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Common Data Service data type connection.", + "type": "object" + } + }, + "type": "object", + "required": [ + "dynamics365CdsActivities" + ] + }, + "Dynamics365DataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Dynamics365 data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/Dynamics365DataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } }, - "OfficeConsentList": { - "description": "List of all the office365 consents.", + "required": [ + "dataTypes" + ], + "type": "object" + }, + "Dynamics365CheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents Dynamics365 requirements check request.", + "properties": { "properties": { - "nextLink": { - "description": "URL to fetch the next set of office consents.", - "readOnly": true, + "$ref": "#/definitions/Dynamics365CheckRequirementsProperties", + "description": "Dynamics365 requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Dynamics365" + }, + "Dynamics365CheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Dynamics365 requirements check properties.", + "type": "object" + }, + "EnrichmentDomainWhois": { + "description": "Whois information for a given domain and associated metadata", + "properties": { + "domain": { + "description": "The domain for this whois record", + "type": "string" + }, + "server": { + "description": "The hostname of this registrar's whois server", + "type": "string" + }, + "created": { + "description": "The timestamp at which this record was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The timestamp at which this record was last updated", + "format": "date-time", + "type": "string" + }, + "expires": { + "description": "The timestamp at which this record will expire", + "format": "date-time", + "type": "string" + }, + "parsedWhois": { + "description": "The whois record for a given domain", + "$ref": "#/definitions/EnrichmentDomainWhoisDetails" + } + } + }, + "EnrichmentDomainWhoisDetails": { + "description": "The whois record for a given domain", + "properties": { + "registrar": { + "description": "The registrar associated with this domain", + "$ref": 
"#/definitions/EnrichmentDomainWhoisRegistrarDetails" + }, + "contacts": { + "description": "The set of contacts associated with this domain", + "$ref": "#/definitions/EnrichmentDomainWhoisContacts" + }, + "nameServers": { + "description": "A list of name servers associated with this domain", + "type": "array", + "items": { "type": "string" - }, - "value": { - "description": "Array of the consents.", - "items": { - "$ref": "#/definitions/OfficeConsent" - }, - "type": "array" } }, - "required": [ - "value" - ] - }, - "OfficeConsentProperties": { - "description": "Consent property bag.", - "properties": { - "tenantId": { - "description": "The tenantId of the Office365 with the consent.", - "type": "string" - }, - "consentId": { - "description": "Help to easily cascade among the data layers.", + "statuses": { + "description": "The set of status flags for this whois record", + "type": "array", + "items": { "type": "string" } + } + } + }, + "EnrichmentDomainWhoisRegistrarDetails": { + "description": "The registrar associated with this domain", + "properties": { + "name": { + "description": "The name of this registrar", + "type": "string" + }, + "abuseContactEmail": { + "description": "This registrar's abuse contact email", + "type": "string" + }, + "abuseContactPhone": { + "description": "This registrar's abuse contact phone number", + "type": "string" + }, + "ianaId": { + "description": "This registrar's Internet Assigned Numbers Authority id", + "type": "string" + }, + "url": { + "description": "This registrar's URL", + "type": "string" + }, + "whoisServer": { + "description": "The hostname of this registrar's whois server", + "type": "string" + } + } + }, + "EnrichmentDomainWhoisContacts": { + "description": "The set of contacts associated with this domain", + "properties": { + "admin": { + "description": "The admin contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + }, + "billing": { + "description": "The billing contact for this 
whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + }, + "registrant": { + "description": "The registrant contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + }, + "tech": { + "description": "The technical contact for this whois record", + "$ref": "#/definitions/EnrichmentDomainWhoisContact" + } + } + }, + "EnrichmentDomainWhoisContact": { + "description": "An individual contact associated with this domain", + "properties": { + "name": { + "description": "The name of this contact", + "type": "string" }, - "type": "object" - }, - "OfficeDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Represents office data connector.", - "properties": { - "properties": { - "$ref": "#/definitions/OfficeDataConnectorProperties", - "description": "Office data connector properties.", - "x-ms-client-flatten": true + "org": { + "description": "The organization for this contact", + "type": "string" + }, + "street": { + "description": "A list describing the street address for this contact", + "type": "array", + "items": { + "type": "string" } }, - "type": "object", - "x-ms-discriminator-value": "Office365" - }, - "OfficeDataConnectorDataTypes": { - "description": "The available data types for office data connector.", - "properties": { - "exchange": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Exchange data type connection.", + "city": { + "description": "The city for this contact", + "type": "string" + }, + "state": { + "description": "The state for this contact", + "type": "string" + }, + "postal": { + "description": "The postal code for this contact", + "type": "string" + }, + "country": { + "description": "The country for this contact", + "type": "string" + }, + "phone": { + "description": "The phone number for this contact", + "type": "string" + }, + "fax": { + "description": "The fax number for this contact", + "type": 
"string" + }, + "email": { + "description": "The email address for this contact", + "type": "string" + } + } + }, + "EnrichmentIpGeodata": { + "description": "Geodata information for a given IP address", + "properties": { + "asn": { + "description": "The autonomous system number associated with this IP address", + "type": "string" + }, + "carrier": { + "description": "The name of the carrier for this IP address", + "type": "string" + }, + "city": { + "description": "The city this IP address is located in", + "type": "string" + }, + "cityCf": { + "description": "A numeric rating of confidence that the value in the 'city' field is correct, on a scale of 0-100", + "type": "integer", + "format": "int32" + }, + "continent": { + "description": "The continent this IP address is located on", + "type": "string" + }, + "country": { + "description": "The county this IP address is located in", + "type": "string" + }, + "countryCf": { + "description": "A numeric rating of confidence that the value in the 'country' field is correct on a scale of 0-100", + "type": "integer", + "format": "int32" + }, + "ipAddr": { + "description": "The dotted-decimal or colon-separated string representation of the IP address", + "type": "string" + }, + "ipRoutingType": { + "description": "A description of the connection type of this IP address", + "type": "string" + }, + "latitude": { + "description": "The latitude of this IP address", + "type": "string" + }, + "longitude": { + "description": "The longitude of this IP address", + "type": "string" + }, + "organization": { + "description": "The name of the organization for this IP address", + "type": "string" + }, + "organizationType": { + "description": "The type of the organization for this IP address", + "type": "string" + }, + "region": { + "description": "The geographic region this IP address is located in", + "type": "string" + }, + "state": { + "description": "The state this IP address is located in", + "type": "string" + }, + "stateCf": { + 
"description": "A numeric rating of confidence that the value in the 'state' field is correct on a scale of 0-100", + "type": "integer", + "format": "int32" + }, + "stateCode": { + "description": "The abbreviated name for the state this IP address is located in", + "type": "string" + } + } + }, + "Entity": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + }, + { + "$ref": "#/definitions/EntityKind" + } + ], + "description": "Specific entity.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "EntityEdges": { + "description": "The edge that connects the entity to the other entity.", + "properties": { + "targetEntityId": { + "description": "The target entity Id.", + "type": "string" + }, + "additionalData": { + "additionalProperties": { "type": "object" }, - "sharePoint": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "SharePoint data type connection.", + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "type": "object" + } + }, + "type": "object" + }, + "EntityCommonProperties": { + "description": "Entity common property bag.", + "properties": { + "additionalData": { + "additionalProperties": { "type": "object" }, - "teams": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Teams data type connection.", - "type": "object" - } + "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", + "readOnly": true, + "type": "object" }, - "type": "object", - "required": [ - "exchange", - "sharePoint", - "teams" - ] + "friendlyName": { + "description": "The graph item display name which is a short humanly readable description of the graph item instance. 
This property is optional and might be system generated.", + "readOnly": true, + "type": "string" + } }, - "OfficeDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Office data connector properties.", - "properties": { - "dataTypes": { - "$ref": "#/definitions/OfficeDataConnectorDataTypes", - "description": "The available data types for the connector." - } + "type": "object" + }, + "EntityExpandParameters": { + "description": "The parameters required to execute an expand operation on the given entity.", + "properties": { + "endTime": { + "description": "The end date filter, so the only expansion results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "expansionId": { + "description": "The Id of the expansion to perform.", + "format": "uuid", + "type": "string" + }, + "startTime": { + "description": "The start date filter, so the only expansion results returned are after this date.", + "format": "date-time", + "type": "string" + } + } + }, + "EntityTimelineParameters": { + "description": "The parameters required to execute s timeline operation on the given entity.", + "properties": { + "kinds": { + "description": "Array of timeline Item kinds.", + "items": { + "$ref": "#/definitions/EntityTimelineKind" + }, + "type": "array" }, - "required": [ - "dataTypes" - ], - "type": "object" + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "numberOfBucket": { + "description": "The number of bucket for timeline queries aggregation.", + "type": "integer", + "format": "int32" + } }, - "Operation": { - "description": "Operation provided by provider", - "properties": { - "display": { - "description": "Properties of the 
operation", - "properties": { - "description": { - "description": "Description of the operation", - "type": "string" - }, - "operation": { - "description": "Operation name", - "type": "string" - }, - "provider": { - "description": "Provider name", - "type": "string" + "required": [ + "startTime", + "endTime" + ] + }, + "EntityExpandResponse": { + "description": "The entity expansion result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/ExpansionResultsMetadata", + "description": "The metadata from the expansion operation results." + }, + "value": { + "description": "The expansion result values.", + "properties": { + "entities": { + "description": "Array of the expansion result entities.", + "items": { + "$ref": "#/definitions/Entity" }, - "resource": { - "description": "Resource name", - "type": "string" - } + "type": "array" }, - "type": "object" + "edges": { + "description": "Array of edges that connects the entity to the list of entities.", + "items": { + "$ref": "#/definitions/EntityEdges" + }, + "type": "array" + } }, - "name": { - "description": "Name of the operation", - "type": "string" + "type": "object" + } + } + }, + "EntityTimelineResponse": { + "description": "The entity timeline result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/TimelineResultsMetadata", + "description": "The metadata from the timeline operation results." 
+ },
+ "value": {
+ "description": "The timeline result values.",
+ "items": {
+ "$ref": "#/definitions/EntityTimelineItem"
 },
- "origin": {
- "description": "The origin of the operation",
- "type": "string"
- }
+ "type": "array"
 }
- },
- "OperationsList": {
- "description": "Lists the operations available in the SecurityInsights RP.",
- "properties": {
- "nextLink": {
- "description": "URL to fetch the next set of operations.",
- "type": "string"
+ }
+ },
+ "GetQueriesResponse": {
+ "description": "Retrieve queries for entity result operation response.",
+ "properties": {
+ "value": {
+ "description": "The query result values.",
+ "items": {
+ "$ref": "#/definitions/EntityQueryItem"
 },
- "value": {
- "description": "Array of operations",
- "items": {
- "$ref": "#/definitions/Operation"
- },
- "type": "array"
- }
- },
- "required": [
- "value"
- ]
- },
- "ProcessEntity": {
- "allOf": [
+ "type": "array"
+ }
+ }
+ },
+ "EntityInnerKind": {
+ "description": "The kind of the entity",
+ "enum": [
+ "Account",
+ "Host",
+ "File",
+ "AzureResource",
+ "CloudApplication",
+ "DnsResolution",
+ "FileHash",
+ "Ip",
+ "Malware",
+ "Process",
+ "RegistryKey",
+ "RegistryValue",
+ "SecurityGroup",
+ "Url",
+ "IoTDevice",
+ "SecurityAlert",
+ "Bookmark",
+ "Mailbox",
+ "MailCluster",
+ "MailMessage",
+ "SubmissionMail"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "EntityKind",
+ "values": [
 {
- "$ref": "#/definitions/Entity"
- }
- ],
- "description": "Represents a process entity.",
- "properties": {
- "properties": {
- "$ref": "#/definitions/ProcessEntityProperties",
- "description": "Process entity properties",
- "x-ms-client-flatten": true
- }
- },
- "type": "object",
- "x-ms-discriminator-value": "Process"
- },
- "ProcessEntityProperties": {
- "allOf": [
+ "description": "Entity represents account in the system.",
+ "value": "Account"
+ },
 {
- "$ref": "#/definitions/EntityCommonProperties"
- }
- ],
- "description": "Process entity property bag.",
- "properties": {
- "accountEntityId": {
- "description": "The account entity id running the processes.",
- "readOnly": true,
- "type": "string"
+ "description": "Entity represents host in the system.",
+ "value": "Host"
 },
- "commandLine": {
- "description": "The command line used to create the process",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Entity represents file in the system.",
+ "value": "File"
 },
- "creationTimeUtc": {
- "description": "The time when the process started to run",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Entity represents azure resource in the system.",
+ "value": "AzureResource"
 },
- "elevationToken": {
- "description": "The elevation token associated with the process.",
- "enum": [
- "Default",
- "Full",
- "Limited"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": false,
- "name": "ElevationToken",
- "values": [
- {
- "description": "Default elevation token",
- "value": "Default"
- },
- {
- "description": "Full elevation token",
- "value": "Full"
- },
- {
- "description": "Limited elevation token",
- "value": "Limited"
- }
- ]
- }
+ {
+ "description": "Entity represents cloud application in the system.",
+ "value": "CloudApplication"
 },
- "hostEntityId": {
- "description": "The host entity id on which the process was running",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Entity represents dns resolution in the system.",
+ "value": "DnsResolution"
 },
- "hostLogonSessionEntityId": {
- "description": "The session entity id in which the process was running",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Entity represents file hash in the system.",
+ "value": "FileHash"
 },
- "imageFileEntityId": {
- "description": "Image file entity id",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Entity represents ip in the system.",
+ "value": "Ip"
 },
- "parentProcessEntityId": {
- "description": "The parent process entity id.",
- "readOnly": true, - "type": "string" + { + "description": "Entity represents malware in the system.", + "value": "Malware" }, - "processId": { - "description": "The process ID", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "RegistryKeyEntity": { - "allOf": [ { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a registry key entity.", - "properties": { - "properties": { - "$ref": "#/definitions/RegistryKeyEntityProperties", - "description": "RegistryKey entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "RegistryKey" - }, - "RegistryKeyEntityProperties": { - "allOf": [ + "description": "Entity represents process in the system.", + "value": "Process" + }, { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "RegistryKey entity property bag.", - "properties": { - "hive": { - "description": "the hive that holds the registry key.", - "enum": [ - "HKEY_LOCAL_MACHINE", - "HKEY_CLASSES_ROOT", - "HKEY_CURRENT_CONFIG", - "HKEY_USERS", - "HKEY_CURRENT_USER_LOCAL_SETTINGS", - "HKEY_PERFORMANCE_DATA", - "HKEY_PERFORMANCE_NLSTEXT", - "HKEY_PERFORMANCE_TEXT", - "HKEY_A", - "HKEY_CURRENT_USER" - ], - "readOnly": true, - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "RegistryHive", - "values": [ - { - "description": "HKEY_LOCAL_MACHINE", - "value": "HKEY_LOCAL_MACHINE" - }, - { - "description": "HKEY_CLASSES_ROOT", - "value": "HKEY_CLASSES_ROOT" - }, - { - "description": "HKEY_CURRENT_CONFIG", - "value": "HKEY_CURRENT_CONFIG" - }, - { - "description": "HKEY_USERS", - "value": "HKEY_USERS" - }, - { - "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", - "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" - }, - { - "description": "HKEY_PERFORMANCE_DATA", - "value": "HKEY_PERFORMANCE_DATA" - }, - { - "description": "HKEY_PERFORMANCE_NLSTEXT", - "value": "HKEY_PERFORMANCE_NLSTEXT" - }, - { - "description": "HKEY_PERFORMANCE_TEXT", - 
"value": "HKEY_PERFORMANCE_TEXT" - }, - { - "description": "HKEY_A", - "value": "HKEY_A" - }, - { - "description": "HKEY_CURRENT_USER", - "value": "HKEY_CURRENT_USER" - } - ] - } + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" }, - "key": { - "description": "The registry key path.", - "readOnly": true, - "type": "string" - } - }, - "type": "object" - }, - "RegistryValueEntity": { - "allOf": [ { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a registry value entity.", - "properties": { - "properties": { - "$ref": "#/definitions/RegistryValueEntityProperties", - "description": "RegistryKey entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "RegistryValue" - }, - "RegistryValueEntityProperties": { - "allOf": [ + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "RegistryValue entity property bag.", - "properties": { - "keyEntityId": { - "description": "The registry key entity id.", - "readOnly": true, - "type": "string" + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" }, - "valueData": { - "description": "String formatted representation of the value data.", - "readOnly": true, - "type": "string" + { + "description": "Entity represents url in the system.", + "value": "Url" }, - "valueName": { - "description": "The registry value name.", - "readOnly": true, - "type": "string" + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" }, - "valueType": { - "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.", - "enum": [ - "None", - "Unknown", - "String", - "ExpandString", - "Binary", - "DWord", - "MultiString", - "QWord" - ], - "readOnly": true, - "type": 
"string", - "x-ms-enum": { - "modelAsString": true, - "name": "RegistryValueKind", - "values": [ - { - "description": "None", - "value": "None" - }, - { - "description": "Unknown value type", - "value": "Unknown" - }, - { - "description": "String value type", - "value": "String" - }, - { - "description": "ExpandString value type", - "value": "ExpandString" - }, - { - "description": "Binary value type", - "value": "Binary" - }, - { - "description": "DWord value type", - "value": "DWord" - }, - { - "description": "MultiString value type", - "value": "MultiString" - }, - { - "description": "QWord value type", - "value": "QWord" - } - ] - } - } - }, - "type": "object" - }, - "RelationList": { - "description": "List of relations.", - "properties": { - "nextLink": { - "readOnly": true, - "description": "URL to fetch the next set of relations.", - "type": "string" + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" }, - "value": { - "description": "Array of relations.", - "type": "array", - "items": { - "$ref": "#/definitions/Relation" - } + { + "description": "Entity represents bookmark in the system.", + "value": "Bookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" } - }, - "required": [ - "value" ] - }, - "Relation": { - "type": "object", - "description": "Represents a relation between two resources", - "allOf": [ + } + }, + "EntityInnerType": { + "description": "The type of the entity", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DNS", + "FileHash", + "IP", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + 
"SecurityGroup", + "URL", + "IoTDevice", + "SecurityAlert", + "HuntingBookmark", + "MailCluster", + "MailMessage", + "Mailbox", + "SubmissionMail" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityType", + "values": [ { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "properties": { - "properties": { - "$ref": "#/definitions/RelationProperties", - "description": "Relation properties", - "x-ms-client-flatten": true - } - } - }, - "RelationProperties": { - "description": "Relation property bag.", - "properties": { - "relatedResourceId": { - "description": "The resource ID of the related resource", - "type": "string" + "description": "Entity represents account in the system.", + "value": "Account" }, - "relatedResourceName": { - "description": "The name of the related resource", - "readOnly": true, - "type": "string" + { + "description": "Entity represents host in the system.", + "value": "Host" }, - "relatedResourceType": { - "description": "The resource type of the related resource", - "readOnly": true, - "type": "string" + { + "description": "Entity represents file in the system.", + "value": "File" }, - "relatedResourceKind": { - "description": "The resource kind of the related resource", - "readOnly": true, - "type": "string" - } - }, - "required": [ - "relatedResourceId" - ], - "type": "object" - }, - "Resource": { - "description": "An azure resource object", - "properties": { - "id": { - "description": "Azure resource Id", - "readOnly": true, - "type": "string" + { + "description": "Entity represents azure resource in the system.", + "value": "AzureResource" }, - "name": { - "description": "Azure resource name", - "readOnly": true, - "type": "string" + { + "description": "Entity represents cloud application in the system.", + "value": "CloudApplication" }, - "type": { - "description": "Azure resource type", - "readOnly": true, - "type": "string" - } - }, - "x-ms-azure-resource": true - }, - 
"ScheduledAlertRule": { - "allOf": [ { - "$ref": "#/definitions/AlertRule" - } - ], - "description": "Represents scheduled alert rule.", - "properties": { - "properties": { - "$ref": "#/definitions/ScheduledAlertRuleProperties", - "description": "Scheduled alert rule properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Scheduled" - }, - "ScheduledAlertRuleCommonProperties": { - "description": "Scheduled alert rule template property bag.", - "properties": { - "query": { - "description": "The query that creates alerts for this rule.", - "type": "string" + "description": "Entity represents dns in the system.", + "value": "DNS" }, - "queryFrequency": { - "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", - "format": "duration", - "type": "string" + { + "description": "Entity represents file hash in the system.", + "value": "FileHash" }, - "queryPeriod": { - "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", - "format": "duration", - "type": "string" + { + "description": "Entity represents ip in the system.", + "value": "IP" }, - "severity": { - "$ref": "#/definitions/AlertSeverity", - "description": "The severity for alerts created by this alert rule." + { + "description": "Entity represents malware in the system.", + "value": "Malware" }, - "triggerOperator": { - "$ref": "#/definitions/AlertRuleTriggerOperator", - "description": "The operation against the threshold that triggers alert rule." + { + "description": "Entity represents process in the system.", + "value": "Process" }, - "triggerThreshold": { - "description": "The threshold triggers this alert rule.", - "type": "integer" + { + "description": "Entity represents registry key in the system.", + "value": "RegistryKey" }, - "eventGroupingSettings": { - "$ref": "#/definitions/EventGroupingSettings", - "description": "The event grouping settings." 
+ { + "description": "Entity represents registry value in the system.", + "value": "RegistryValue" + }, + { + "description": "Entity represents security group in the system.", + "value": "SecurityGroup" + }, + { + "description": "Entity represents url in the system.", + "value": "URL" + }, + { + "description": "Entity represents IoT device in the system.", + "value": "IoTDevice" + }, + { + "description": "Entity represents security alert in the system.", + "value": "SecurityAlert" + }, + { + "description": "Entity represents HuntingBookmark in the system.", + "value": "HuntingBookmark" + }, + { + "description": "Entity represents mail cluster in the system.", + "value": "MailCluster" + }, + { + "description": "Entity represents mail message in the system.", + "value": "MailMessage" + }, + { + "description": "Entity represents mailbox in the system.", + "value": "Mailbox" + }, + { + "description": "Entity represents submission mail in the system.", + "value": "SubmissionMail" } - }, - "type": "object" + ] + } + }, + "EntityKind": { + "description": "Describes an entity with kind.", + "properties": { + "kind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the entity." 
+ } }, - "EventGroupingSettings": { - "description": "Event grouping settings property bag.", - "properties": { - "aggregationKind": { - "$ref": "#/definitions/EventGroupingAggregationKind" + "required": [ + "kind" + ], + "type": "object" + }, + "EntityList": { + "description": "List of all the entities.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entities.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entities.", + "items": { + "$ref": "#/definitions/Entity" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "EntityQueryKind": { + "description": "Describes an Entity query resource with kind.", + "properties": { + "kind": { + "description": "The kind of the entity query", + "enum": [ + "Expansion", + "Insight" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityQueryKind", + "values": [ + { + "value": "Expansion" + }, + { + "value": "Insight" + } + ] } - }, - "type": "object" + } }, - "EventGroupingAggregationKind": { - "description": "The event grouping aggregation kinds", - "enum": [ - "SingleAlert", - "AlertPerResult" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EventGroupingAggregationKind" + "required": [ + "kind" + ], + "type": "object" + }, + "EntityQuery": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/EntityQueryKind" + } + ], + "description": "Specific entity query.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "ExpansionEntityQuery": { + "description": "Represents Expansion entity query.", + "allOf": [ + { + "$ref": "#/definitions/EntityQuery" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/ExpansionEntityQueriesProperties", + "description": "Expansion entity query properties", + "x-ms-client-flatten": true } }, - "ScheduledAlertRuleProperties": { - "allOf": 
[ + "type": "object", + "x-ms-discriminator-value": "Expansion" + }, + "EntityTimelineKind": { + "description": "The entity query kind", + "enum": [ + "Activity", + "Bookmark", + "SecurityAlert" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntityTimelineKind", + "values": [ { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - ], - "description": "Scheduled alert rule base property bag.", - "properties": { - "alertRuleTemplateName": { - "description": "The Name of the alert rule template used to create this rule.", - "type": "string" + "description": "activity", + "value": "Activity" }, - "description": { - "description": "The description of the alert rule.", - "type": "string" - }, - "displayName": { - "description": "The display name for alerts created by this alert rule.", - "type": "string" + { + "description": "bookmarks", + "value": "Bookmark" }, - "enabled": { - "description": "Determines whether this alert rule is enabled or disabled.", - "type": "boolean" + { + "description": "security alerts", + "value": "SecurityAlert" + } + ] + } + }, + "EntityQueryList": { + "description": "List of all the entity queries.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of entity queries.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of entity queries.", + "items": { + "$ref": "#/definitions/EntityQuery" }, - "lastModifiedUtc": { - "description": "The last time that this alert rule has been modified.", - "format": "date-time", - "readOnly": true, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "ExpansionEntityQueriesProperties": { + "description": "Describes expansion entity query properties", + "properties": { + "dataSources": { + "description": "List of the data sources that are required to run the query", + "items": { + "description": "data source", "type": "string" }, - "suppressionDuration": { - "description": "The suppression (in ISO 
8601 duration format) to wait since last time this alert rule been triggered.", - "format": "duration", + "type": "array" + }, + "displayName": { + "description": "The query display name", + "type": "string" + }, + "inputEntityType": { + "$ref": "#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "inputFields": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "input field", "type": "string" }, - "suppressionEnabled": { - "description": "Determines whether the suppression for this alert rule is enabled or disabled.", - "type": "boolean" - }, - "tactics": { - "description": "The tactics of the alert rule", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" + "type": "array" + }, + "outputEntityTypes": { + "description": "List of the desired output types to be constructed from the result", + "items": { + "$ref": "#/definitions/EntityInnerType", + "description": "output entity type" }, - "incidentConfiguration": { - "$ref": "#/definitions/IncidentConfiguration", - "description": "The settings of the incidents that created from alerts triggered by this analytics rule" - } + "type": "array" }, - "required": [ - "displayName", - "enabled", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold", - "suppressionEnabled", - "suppressionDuration" - ], - "type": "object" + "queryTemplate": { + "description": "The template query string to be parsed and formatted", + "type": "string" + } }, - "ScheduledAlertRuleTemplate": { - "allOf": [ - { - "$ref": "#/definitions/AlertRuleTemplate" - } - ], - "description": "Represents scheduled alert rule template.", + "type": "object" + }, + "ExpansionResultAggregation": { + "description": "Information of a specific aggregation in the expansion result.", + "properties": { + "aggregationType": { + "description": "The common type of the aggregation. 
(for e.g. entity field name)", + "type": "string" + }, + "count": { + "description": "Total number of aggregations of the given kind (and aggregationType if given) in the expansion result.", + "type": "integer" + }, + "displayName": { + "description": "The display name of the aggregation by type.", + "type": "string" + }, + "entityKind": { + "$ref": "#/definitions/EntityInnerKind", + "description": "The kind of the aggregated entity." + } + }, + "required": [ + "entityKind", + "count" + ], + "type": "object" + }, + "ExpansionResultsMetadata": { + "description": "Expansion result metadata.", + "properties": { + "aggregations": { + "description": "Information of the aggregated nodes in the expansion result.", + "items": { + "$ref": "#/definitions/ExpansionResultAggregation" + }, + "type": "array" + } + }, + "type": "object" + }, + "ConnectedEntity": { + "description": "Expansion result connected entities", + "properties": { + "targetEntityId": { + "description": "Entity Id of the connected entity", + "type": "string" + }, + "additionalData": { + "description": "key-value pairs for a connected entity mapping", + "type": "object" + } + } + }, + "TimelineResultsMetadata": { + "description": "Expansion result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the timeline request", + "type": "integer", + "format": "int32" + }, + "aggregations": { + "description": "timeline aggregation per kind", + "items": { + "$ref": "#/definitions/TimelineAggregation" + }, + "type": "array" + }, + "errors": { + "description": "information about the failure queries", + "items": { + "$ref": "#/definitions/TimelineError" + }, + "type": "array" + } + }, + "required": [ + "totalCount", + "aggregations" + ], + "type": "object" + }, + "TimelineError": { + "description": "Timeline Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + }, + "queryId": { + "description": "the query 
id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "TimelineAggregation": { + "description": "timeline aggregation information per kind", + "properties": { + "count": { + "description": "the total items found for a kind", + "type": "integer", + "format": "int32" + }, + "kind": { + "description": "the query kind", + "$ref": "#/definitions/EntityTimelineKind" + } + }, + "required": [ + "kind", + "count" + ], + "type": "object" + }, + "EntityTimelineItem": { + "description": "Entity timeline Item.", + "discriminator": "kind", + "type": "object", + "properties": { + "kind": { + "$ref": "#/definitions/EntityTimelineKind", + "description": "The entity query kind type." + } + }, + "required": [ + "kind" + ] + }, + "FileEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file entity.", + "properties": { "properties": { - "properties": { - "allOf": [ + "$ref": "#/definitions/FileEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "File" + }, + "FileEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "File entity property bag.", + "properties": { + "directory": { + "description": "The full path to the file.", + "readOnly": true, + "type": "string" + }, + "fileHashEntityIds": { + "description": "The file hash entity identifiers associated with this file", + "items": { + "description": "file hash id", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "fileName": { + "description": "The file name without path (some alerts might not include path).", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id which the file belongs to", + "readOnly": true, + "type": "string" + } + 
}, + "type": "object" + }, + "FileHashEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a file hash entity.", + "properties": { + "properties": { + "$ref": "#/definitions/FileHashEntityProperties", + "description": "FileHash entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "FileHash" + }, + "FileHashEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "FileHash entity property bag.", + "properties": { + "algorithm": { + "description": "The hash algorithm type.", + "enum": [ + "Unknown", + "MD5", + "SHA1", + "SHA256", + "SHA256AC" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "FileHashAlgorithm", + "values": [ { - "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + "description": "Unknown hash algorithm", + "value": "Unknown" }, { - "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" - } - ], - "description": "Scheduled alert rule template properties", - "properties": { - "tactics": { - "description": "The tactics of the alert rule template", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "type": "array" + "description": "MD5 hash type", + "value": "MD5" + }, + { + "description": "SHA1 hash type", + "value": "SHA1" + }, + { + "description": "SHA256 hash type", + "value": "SHA256" + }, + { + "description": "SHA256 Authenticode hash type", + "value": "SHA256AC" } - }, - "required": [ - "displayName", - "description", - "status", - "alertRulesCreatedByTemplateCount", - "severity", - "query", - "queryFrequency", - "queryPeriod", - "triggerOperator", - "triggerThreshold" - ], - "x-ms-client-flatten": true + ] } }, - "type": "object", - "x-ms-discriminator-value": "Scheduled" + "hashValue": { + "description": "The file hash value.", + "readOnly": true, + "type": "string" + } }, - "IncidentConfiguration": { - "description": 
"Incident Configuration property bag.", + "type": "object" + }, + "InsightQueryItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItem" + } + ], + "description": "Represents Insight Query.", + "properties": { "properties": { - "createIncident": { - "description": "Create incidents from alerts triggered by this analytics rule", - "type": "boolean" - }, - "groupingConfiguration": { - "$ref": "#/definitions/GroupingConfiguration", - "description": "Set how the alerts that are triggered by this analytics rule, are grouped into incidents" - } - }, - "type": "object", - "required": [ - "createIncident" - ] + "description": "Properties bag for InsightQueryItem", + "$ref": "#/definitions/InsightQueryItemProperties" + } }, - "GroupingConfiguration": { - "description": "Grouping configuration property bag.", - "properties": { - "enabled": { - "description": "Grouping enabled", - "type": "boolean" - }, - "reopenClosedIncident": { - "description": "Re-open closed matching incidents", - "type": "boolean" - }, - "lookbackDuration": { - "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", - "format": "duration", - "type": "string" - }, - "entitiesMatchingMethod": { - "description": "Grouping matching method", - "enum": [ - "All", - "None", - "Custom" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntitiesMatchingMethod", - "values": [ - { - "description": "Grouping alerts into a single incident if all the entities match", - "value": "All" - }, - { - "description": "Grouping all alerts triggered by this rule into a single incident", - "value": "None" - }, - { - "description": "Grouping alerts into a single incident if the selected entities match", - "value": "Custom" - } - ] - } - }, - "groupByEntities": { - "description": "A list of entity types to group by (when entitiesMatchingMethod is Custom)", - "items": { - "description": "Grouping entity type", - "enum": [ - "Account", - 
"Host", - "Ip", - "Url", - "FileHash" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "GroupingEntityType", - "values": [ - { - "description": "Account entity", - "value": "Account" + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "InsightQueryItemProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItemProperties" + } + ], + "description": "Represents Insight Query.", + "properties": { + "displayName": { + "type": "string", + "description": "The insight display name." + }, + "description": { + "type": "string", + "description": "The insight description." + }, + "baseQuery": { + "type": "string", + "description": "The base query of the insight." + }, + "tableQuery": { + "type": "object", + "description": "The insight table query.", + "properties": { + "columnsDefinitions": { + "type": "array", + "description": "List of insight column definitions.", + "items": { + "properties": { + "header": { + "type": "string", + "description": "Insight column header." }, - { - "description": "Host entity", - "value": "Host" + "outputType": { + "type": "string", + "description": "Insights Column type.", + "enum": [ + "Number", + "String", + "Date", + "Entity" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "outputType" + } }, - { - "description": "Ip entity", - "value": "Ip" + "supportDeepLink": { + "type": "boolean", + "description": "Is query supports deep-link." + } + } + } + }, + "queriesDefinitions": { + "type": "array", + "description": "List of insight queries definitions.", + "items": { + "properties": { + "filter": { + "type": "string", + "description": "Insight column header." }, - { - "description": "Url entity", - "value": "Url" + "summarize": { + "type": "string", + "description": "Insight column header." }, - { - "description": "FileHash entity", - "value": "FileHash" + "project": { + "type": "string", + "description": "Insight column header." 
+ }, + "linkColumnsDefinitions": { + "type": "array", + "description": "Insight column header.", + "items": { + "properties": { + "projectedName": { + "type": "string", + "description": "Insight Link Definition Projected Name." + }, + "Query": { + "type": "string", + "description": "Insight Link Definition Query." + } + } + } } - ] + } } - }, - "type": "array" + } } }, - "type": "object", - "required": [ - "enabled", - "reopenClosedIncident", - "lookbackDuration", - "entitiesMatchingMethod" - ] - }, - "SecurityAlert": { - "allOf": [ - { - "$ref": "#/definitions/Entity" + "chartQuery": { + "type": "object", + "description": "The insight chart query." + }, + "additionalQuery": { + "type": "object", + "description": "The activity query definitions.", + "properties": { + "query": { + "type": "string", + "description": "The insight query." + }, + "text": { + "type": "string", + "description": "The insight text." + } } - ], - "description": "Represents a security alert entity.", - "properties": { + }, + "defaultTimeRange": { + "type": "object", + "description": "The insight chart query.", "properties": { - "$ref": "#/definitions/SecurityAlertProperties", - "description": "SecurityAlert entity properties", - "x-ms-client-flatten": true + "beforeRange": { + "type": "string", + "description": "The padding for the start time of the query." + }, + "afterRange": { + "type": "string", + "description": "The padding for the end time of the query." + } } }, - "type": "object", - "x-ms-discriminator-value": "SecurityAlert" - }, - "SecurityAlertProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" + "referenceTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "Additional query time for looking back." 
+ } } - ], - "description": "SecurityAlert entity property bag.", + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "ActivityTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents Activity timeline item.", + "properties": { + "queryId": { + "type": "string", + "description": "The activity query id." + }, + "bucketStartTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket start time." + }, + "bucketEndTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The grouping bucket end time." + }, + "firstActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the first activity in the grouping bucket." + }, + "lastActivityTimeUTC": { + "format": "date-time", + "type": "string", + "description": "The time of the last activity in the grouping bucket." + }, + "content": { + "type": "string", + "description": "The activity timeline content." + }, + "title": { + "type": "string", + "description": "The activity timeline title." + } + }, + "required": [ + "queryId", + "bucketStartTimeUTC", + "bucketEndTimeUTC", + "firstActivityTimeUTC", + "lastActivityTimeUTC", + "content", + "title" + ], + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "SecurityAlertTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents security alert timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The alert azure resource id." + }, + "productName": { + "type": "string", + "description": "The alert product name." + }, + "description": { + "type": "string", + "description": "The alert description." + }, + "displayName": { + "type": "string", + "description": "The alert name." + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The alert severity." 
+ }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The alert start time." + }, + "timeGenerated": { + "format": "date-time", + "type": "string", + "description": "The alert generated time." + }, + "alertType": { + "type": "string", + "description": "The name of the alert type." + } + }, + "required": [ + "azureResourceId", + "displayName", + "severity", + "endTimeUtc", + "startTimeUtc", + "timeGenerated", + "alertType" + ], + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" + }, + "BookmarkTimelineItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityTimelineItem" + } + ], + "description": "Represents bookmark timeline item.", + "properties": { + "azureResourceId": { + "type": "string", + "description": "The bookmark azure resource id." + }, + "displayName": { + "type": "string", + "description": "The bookmark display name." + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "endTimeUtc": { + "format": "date-time", + "type": "string", + "description": "The bookmark end time." + }, + "startTimeUtc": { + "format": "date-time", + "type": "string", + "description": "TThe bookmark start time." + }, + "eventTime": { + "format": "date-time", + "type": "string", + "description": "The bookmark event time." 
+ },
+ "createdBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that created the bookmark",
+ "type": "object"
+ },
+ "labels": {
+ "description": "List of labels relevant to this bookmark",
+ "items": {
+ "$ref": "#/definitions/Label"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "azureResourceId"
+ ],
+ "type": "object",
+ "x-ms-discriminator-value": "Bookmark"
+ },
+ "FusionAlertRule": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRule"
+ }
+ ],
+ "description": "Represents Fusion alert rule.",
+ "properties": {
 "properties": {
- "alertDisplayName": {
- "description": "The display name of the alert.",
- "readOnly": true,
- "type": "string"
- },
- "alertType": {
- "description": "The type name of the alert.",
- "readOnly": true,
- "type": "string"
- },
- "compromisedEntity": {
- "description": "Display name of the main entity being reported on.",
- "readOnly": true,
- "type": "string"
+ "$ref": "#/definitions/FusionAlertRuleProperties",
+ "description": "Fusion alert rule properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Fusion"
+ },
+ "FusionAlertRuleProperties": {
+ "description": "Fusion alert rule base property bag.",
+ "properties": {
+ "alertRuleTemplateName": {
+ "description": "The Name of the alert rule template used to create this rule.",
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the alert rule.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "displayName": {
+ "description": "The display name for alerts created by this alert rule.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "enabled": {
+ "description": "Determines whether this alert rule is enabled or disabled.",
+ "type": "boolean"
+ },
+ "lastModifiedUtc": {
+ "description": "The last time that this alert has been modified.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "severity": {
+ "$ref": "#/definitions/AlertSeverity",
+ "description": "The
severity for alerts created by this alert rule.",
+ "readOnly": true
+ },
+ "tactics": {
+ "description": "The tactics of the alert rule",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
+ },
+ "required": [
+ "alertRuleTemplateName",
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "FusionAlertRuleTemplate": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplate"
+ }
+ ],
+ "description": "Represents Fusion alert rule template.",
+ "properties": {
+ "properties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
+ }
+ ],
+ "description": "Fusion alert rule template properties",
+ "properties": {
+ "severity": {
+ "$ref": "#/definitions/AlertSeverity",
+ "description": "The severity for alerts created by this alert rule."
+ },
+ "tactics": {
+ "description": "The tactics of the alert rule template",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "type": "array"
+ }
 },
- "confidenceLevel": {
- "description": "The confidence level of this alert.",
- "enum": [
- "Unknown",
- "Low",
- "High"
- ],
- "readOnly": true,
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "ConfidenceLevel",
- "values": [
- {
- "description": "Unknown confidence, the is the default value",
- "value": "Unknown"
- },
- {
- "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack",
- "value": "Low"
- },
- {
- "description": "High confidence that the alert is true positive malicious",
- "value": "High"
- }
- ]
+ "required": [
+ "displayName",
+ "description",
+ "status",
+ "severity",
+ "alertRulesCreatedByTemplateCount"
+ ],
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Fusion"
+ },
+ "ThreatIntelligenceAlertRule": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRule"
+ }
+ ],
+ "description": "Represents Threat Intelligence alert rule.",
+ "properties": {
+ "properties": {
+ "$ref":
"#/definitions/ThreatIntelligenceAlertRuleProperties",
+ "description": "Threat Intelligence alert rule properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "ThreatIntelligence"
+ },
+ "ThreatIntelligenceAlertRuleProperties": {
+ "description": "Threat Intelligence alert rule base property bag.",
+ "properties": {
+ "alertRuleTemplateName": {
+ "description": "The Name of the alert rule template used to create this rule.",
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the alert rule.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "displayName": {
+ "description": "The display name for alerts created by this alert rule.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "enabled": {
+ "description": "Determines whether this alert rule is enabled or disabled.",
+ "type": "boolean"
+ },
+ "lastModifiedUtc": {
+ "description": "The last time that this alert has been modified.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "severity": {
+ "$ref": "#/definitions/AlertSeverity",
+ "description": "The severity for alerts created by this alert rule.",
+ "readOnly": true
+ },
+ "tactics": {
+ "description": "The tactics of the alert rule",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
+ },
+ "required": [
+ "alertRuleTemplateName",
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "ThreatIntelligenceAlertRuleTemplate": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplate"
+ }
+ ],
+ "description": "Represents Threat Intelligence alert rule template.",
+ "properties": {
+ "properties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/AlertRuleTemplatePropertiesBase"
 }
- },
- "confidenceReasons": {
- "description": "The confidence reasons",
- "items": {
- "description": "confidence reason item",
- "properties": {
- "reason": {
- "description": "The reason's description",
- "readOnly": true,
- "type": "string"
- },
-
"reasonType": {
- "description": "The type (category) of the reason",
- "readOnly": true,
- "type": "string"
- }
- },
- "type": "object"
+ ],
+ "description": "Threat Intelligence alert rule template properties",
+ "properties": {
+ "severity": {
+ "$ref": "#/definitions/AlertSeverity",
+ "description": "The severity for alerts created by this alert rule."
 },
- "readOnly": true,
- "type": "array"
- },
- "confidenceScore": {
- "description": "The confidence score of the alert.",
- "format": "double",
- "readOnly": true,
- "type": "number"
- },
- "confidenceScoreStatus": {
- "description": "The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.",
- "enum": [
- "NotApplicable",
- "InProcess",
- "NotFinal",
- "Final"
- ],
- "readOnly": true,
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "ConfidenceScoreStatus",
- "values": [
- {
- "description": "Score will not be calculated for this alert as it is not supported by virtual analyst",
- "value": "NotApplicable"
- },
- {
- "description": "No score was set yet and calculation is in progress",
- "value": "InProcess"
- },
- {
- "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data",
- "value": "NotFinal"
- },
- {
- "description": "Final score was calculated and available",
- "value": "Final"
- }
- ]
+ "tactics": {
+ "description": "The tactics of the alert rule template",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "type": "array"
 }
 },
- "description": {
- "description": "Alert description.",
- "readOnly": true,
- "type": "string"
+ "required": [
+ "displayName",
+ "description",
+ "status",
+ "severity",
+ "alertRulesCreatedByTemplateCount"
+ ],
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "ThreatIntelligence"
+ },
+ "GeoLocation": {
+ "description": "The geo-location
context attached to the ip entity",
+ "properties": {
+ "asn": {
+ "description": "Autonomous System Number",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "city": {
+ "description": "City name",
+ "readOnly": true,
+ "type": "string"
+ },
+ "countryCode": {
+ "description": "The country code according to ISO 3166 format",
+ "readOnly": true,
+ "type": "string"
+ },
+ "countryName": {
+ "description": "Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name",
+ "readOnly": true,
+ "type": "string"
+ },
+ "latitude": {
+ "description": "The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.",
+ "format": "double",
+ "readOnly": true,
+ "type": "number"
+ },
+ "longitude": {
+ "description": "The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South.
Latitude and longitude are derived from the city or postal code.",
+ "format": "double",
+ "readOnly": true,
+ "type": "number"
+ },
+ "state": {
+ "description": "State name",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "readOnly": true,
+ "type": "object"
+ },
+ "HostEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a host entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/HostEntityProperties",
+ "description": "Host entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Host"
+ },
+ "HostEntityProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Host entity property bag.",
+ "properties": {
+ "azureID": {
+ "description": "The azure resource id of the VM.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "dnsDomain": {
+ "description": "The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain",
+ "readOnly": true,
+ "type": "string"
+ },
+ "hostName": {
+ "description": "The hostname without the domain suffix.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "isDomainJoined": {
+ "description": "Determines whether this host belongs to a domain.",
+ "readOnly": true,
+ "type": "boolean"
+ },
+ "netBiosName": {
+ "description": "The host name (pre-windows2000).",
+ "readOnly": true,
+ "type": "string"
+ },
+ "ntDomain": {
+ "description": "The NT domain that this host belongs to.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "omsAgentID": {
+ "description": "The OMS agent id, if the host has OMS agent installed.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "osFamily": {
+ "description": "The operating system type.",
+ "enum": [
+ "Linux",
+ "Windows",
+ "Android",
+ "IOS",
+ "Unknown"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": false,
+ "name": "OSFamily",
+ "values": [
+ {
+ "description": "Host with Linux operating
system.",
+ "value": "Linux"
+ },
+ {
+ "description": "Host with Windows operating system.",
+ "value": "Windows"
+ },
+ {
+ "description": "Host with Android operating system.",
+ "value": "Android"
+ },
+ {
+ "description": "Host with IOS operating system.",
+ "value": "IOS"
+ },
+ {
+ "description": "Host with Unknown operating system.",
+ "value": "Unknown"
+ }
+ ]
+ }
+ },
+ "osVersion": {
+ "description": "A free text representation of the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "Incident": {
+ "allOf": [
+ {
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ }
+ ],
+ "description": "Represents an incident in Azure Security Insights.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/IncidentProperties",
+ "description": "Incident properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "HuntingBookmark": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents a Hunting bookmark entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/HuntingBookmarkProperties",
+ "description": "HuntingBookmark entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Bookmark"
+ },
+ "HuntingBookmarkProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityCommonProperties"
+ }
+ ],
+ "description": "Describes bookmark properties",
+ "properties": {
+ "created": {
+ "description": "The time the bookmark was created",
+ "format": "date-time",
+ "type": "string"
+ },
+ "createdBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that created the bookmark",
+ "type": "object"
+ },
+ "displayName": {
+ "description": "The display name of the bookmark",
+ "type": "string"
+ },
+ "eventTime": {
+
"description": "The time of the event",
+ "format": "date-time",
+ "type": "string"
+ },
+ "labels": {
+ "description": "List of labels relevant to this bookmark",
+ "items": {
+ "$ref": "#/definitions/Label"
+ },
+ "type": "array"
+ },
+ "notes": {
+ "description": "The notes of the bookmark",
+ "type": "string"
+ },
+ "query": {
+ "description": "The query of the bookmark.",
+ "type": "string"
+ },
+ "queryResult": {
+ "description": "The query result of the bookmark.",
+ "type": "string"
+ },
+ "updated": {
+ "description": "The last time the bookmark was updated",
+ "format": "date-time",
+ "type": "string"
+ },
+ "updatedBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that updated the bookmark",
+ "type": "object"
+ },
+ "incidentInfo": {
+ "$ref": "#/definitions/IncidentInfo",
+ "description": "Describes an incident that relates to bookmark",
+ "type": "object"
+ }
+ },
+ "required": [
+ "displayName",
+ "query"
+ ],
+ "type": "object"
+ },
+ "IncidentAdditionalData": {
+ "description": "Incident additional data property bag.",
+ "properties": {
+ "alertsCount": {
+ "description": "The number of alerts in the incident",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "bookmarksCount": {
+ "description": "The number of bookmarks in the incident",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "commentsCount": {
+ "description": "The number of comments in the incident",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "alertProductNames": {
+ "description": "List of product names of alerts in the incident",
+ "items": {
+ "description": "Alert product name",
+ "type": "string"
+ },
+ "readOnly": true,
+ "type": "array"
+ },
+ "tactics": {
+ "description": "The tactics associated with incident",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "readOnly": true,
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "IncidentAlertList": {
+ "description": "List of incident alerts.",
+ "properties": {
+ "value": {
+
"description": "Array of incident alerts.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/SecurityAlert"
+ }
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "IncidentBookmarkList": {
+ "description": "List of incident bookmarks.",
+ "properties": {
+ "value": {
+ "description": "Array of incident bookmarks.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/HuntingBookmark"
+ }
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "IncidentComment": {
+ "allOf": [
+ {
+ "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ }
+ ],
+ "description": "Represents an incident comment",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/IncidentCommentProperties",
+ "description": "Incident comment properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "IncidentCommentList": {
+ "description": "List of incident comments.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of comments.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of comments.",
+ "items": {
+ "$ref": "#/definitions/IncidentComment"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "IncidentCommentProperties": {
+ "description": "Incident comment property bag.",
+ "properties": {
+ "createdTimeUtc": {
+ "description": "The time the comment was created",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "lastModifiedTimeUtc": {
+ "description": "The time the comment was updated",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "message": {
+ "description": "The comment message",
+ "type": "string"
+ },
+ "author": {
+ "$ref": "#/definitions/ClientInfo",
+ "description": "Describes the client that created the comment",
+ "readOnly": true,
+ "type": "object"
+ }
+ },
+ "required": [
+ "message"
+ ],
+ "type": "object"
+ },
+ "IncidentEntitiesResponse": {
+ "description": "The incident related entities response.",
+
"properties": {
+ "entities": {
+ "description": "Array of the incident related entities.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Entity"
+ }
+ },
+ "metaData": {
+ "description": "The metadata from the incident related entities results.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/IncidentEntitiesResultsMetadata"
+ }
+ }
+ }
+ },
+ "IncidentEntitiesResultsMetadata": {
+ "description": "Information of a specific aggregation in the incident related entities result.",
+ "properties": {
+ "count": {
+ "description": "Total number of aggregations of the given kind in the incident related entities result.",
+ "type": "integer",
+ "format": "int32"
+ },
+ "entityKind": {
+ "$ref": "#/definitions/EntityInnerKind",
+ "description": "The kind of the aggregated entity."
+ }
+ },
+ "required": [
+ "entityKind",
+ "count"
+ ],
+ "type": "object"
+ },
+ "IncidentLabel": {
+ "description": "Represents an incident label",
+ "properties": {
+ "labelName": {
+ "description": "The name of the label",
+ "type": "string"
+ },
+ "labelType": {
+ "description": "The type of the label",
+ "enum": [
+ "User",
+ "System"
+ ],
+ "type": "string",
+ "readOnly": true,
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentLabelType",
+ "values": [
+ {
+ "description": "Label manually created by a user",
+ "value": "User"
+ },
+ {
+ "description": "Label automatically created by the system",
+ "value": "System"
+ }
+ ]
+ }
+ }
+ },
+ "required": [
+ "labelName"
+ ],
+ "type": "object"
+ },
+ "IncidentList": {
+ "description": "List all the incidents.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of incidents.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of incidents.",
+ "items": {
+ "$ref": "#/definitions/Incident"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "IncidentOwnerInfo": {
+ "description": "Information on the user an incident is assigned to",
+
"properties": {
+ "email": {
+ "description": "The email of the user the incident is assigned to.",
+ "type": "string"
+ },
+ "assignedTo": {
+ "description": "The name of the user the incident is assigned to.",
+ "type": "string"
+ },
+ "objectId": {
+ "description": "The object id of the user the incident is assigned to.",
+ "format": "uuid",
+ "type": "string"
+ },
+ "userPrincipalName": {
+ "description": "The user principal name of the user the incident is assigned to.",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "IncidentClassification": {
+ "description": "The reason the incident was closed",
+ "enum": [
+ "Undetermined",
+ "TruePositive",
+ "BenignPositive",
+ "FalsePositive"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentClassification",
+ "values": [
+ {
+ "description": "Incident classification was undetermined",
+ "value": "Undetermined"
 },
- "endTimeUtc": {
- "description": "The impact end time of the alert (the time of the last event contributing to the alert).",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Incident was true positive",
+ "value": "TruePositive"
 },
- "intent": {
- "description": "Holds the alert intent stage(s) mapping for this alert.",
- "enum": [
- "Unknown",
- "Probing",
- "Exploitation",
- "Persistence",
- "PrivilegeEscalation",
- "DefenseEvasion",
- "CredentialAccess",
- "Discovery",
- "LateralMovement",
- "Execution",
- "Collection",
- "Exfiltration",
- "CommandAndControl",
- "Impact"
- ],
- "readOnly": true,
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "KillChainIntent",
- "values": [
- {
- "description": "The default value.",
- "value": "Unknown"
- },
- {
- "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation.
This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.",
- "value": "Probing"
- },
- {
- "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.",
- "value": "Exploitation"
- },
- {
- "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.",
- "value": "Persistence"
- },
- {
- "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.",
- "value": "PrivilegeEscalation"
- },
- {
- "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ",
- "value": "DefenseEvasion"
- },
- {
- "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.
Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.",
- "value": "CredentialAccess"
- },
- {
- "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.",
- "value": "Discovery"
- },
- {
- "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.",
- "value": "LateralMovement"
- },
- {
- "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.",
- "value": "Execution"
- },
- {
- "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.",
- "value": "Collection"
- },
- {
- "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.",
- "value": "Exfiltration"
- },
- {
- "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.",
- "value": "CommandAndControl"
- },
- {
- "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.",
- "value": "Impact"
- }
- ]
- }
+ {
+ "description": "Incident was benign positive",
+ "value": "BenignPositive"
 },
- "providerAlertId": {
- "description": "The identifier of the alert inside the product which generated the alert.",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Incident was false positive",
+ "value": "FalsePositive"
+ }
+ ]
+ }
+ },
+ "IncidentClassificationReason": {
+ "description": "The classification reason the incident was closed with",
+ "enum": [
+ "SuspiciousActivity",
+ "SuspiciousButExpected",
+ "IncorrectAlertLogic",
+ "InaccurateData"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentClassificationReason",
+ "values": [
+ {
+ "description": "Classification reason was suspicious activity",
+ "value": "SuspiciousActivity"
 },
- "processingEndTime": {
- "description": "The time the alert was made available for consumption.",
- "format": "date-time",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Classification reason was
suspicious but expected",
+ "value": "SuspiciousButExpected"
 },
- "productComponentName": {
- "description": "The name of a component inside the product which generated the alert.",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Classification reason was incorrect alert logic",
+ "value": "IncorrectAlertLogic"
 },
- "productName": {
- "description": "The name of the product which published this alert.",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Classification reason was inaccurate data",
+ "value": "InaccurateData"
+ }
+ ]
+ }
+ },
+ "IncidentSeverity": {
+ "description": "The severity of the incident",
+ "enum": [
+ "High",
+ "Medium",
+ "Low",
+ "Informational"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentSeverity",
+ "values": [
+ {
+ "description": "High severity",
+ "value": "High"
 },
- "productVersion": {
- "description": "The version of the product generating the alert.",
- "readOnly": true,
- "type": "string"
+ {
+ "description": "Medium severity",
+ "value": "Medium"
 },
- "remediationSteps": {
- "description": "Manual action items to take to remediate the alert.",
- "items": {
- "type": "string"
- },
- "readOnly": true,
- "type": "array"
+ {
+ "description": "Low severity",
+ "value": "Low"
 },
- "severity": {
- "$ref": "#/definitions/AlertSeverity",
- "description": "The severity of the alert"
+ {
+ "description": "Informational severity",
+ "value": "Informational"
+ }
+ ]
+ }
+ },
+ "IncidentStatus": {
+ "description": "The status of the incident",
+ "enum": [
+ "New",
+ "Active",
+ "Closed"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentStatus",
+ "values": [
+ {
+ "description": "An active incident which isn't being handled currently",
+ "value": "New"
 },
- "startTimeUtc": {
- "description": "The impact start time of the alert (the time of the first event contributing to the alert).",
- "format": "date-time",
- "readOnly": true,
- "type":
"string"
+ {
+ "description": "An active incident which is being handled",
+ "value": "Active"
 },
- "status": {
- "description": "The lifecycle status of the alert.",
- "enum": [
- "Unknown",
- "New",
- "Resolved",
- "Dismissed",
- "InProgress"
- ],
- "readOnly": true,
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "AlertStatus",
- "values": [
- {
- "description": "Unknown value",
- "value": "Unknown"
- },
- {
- "description": "New alert",
- "value": "New"
- },
- {
- "description": "Alert closed after handling",
- "value": "Resolved"
- },
- {
- "description": "Alert dismissed as false positive",
- "value": "Dismissed"
- },
- {
- "description": "Alert is being handled",
- "value": "InProgress"
- }
- ]
+ {
+ "description": "A non-active incident",
+ "value": "Closed"
+ }
+ ]
+ }
+ },
+ "IncidentProperties": {
+ "description": "Describes incident properties",
+ "properties": {
+ "additionalData": {
+ "$ref": "#/definitions/IncidentAdditionalData",
+ "description": "Additional data on the incident",
+ "readOnly": true,
+ "type": "object"
+ },
+ "classification": {
+ "$ref": "#/definitions/IncidentClassification",
+ "description": "The reason the incident was closed"
+ },
+ "classificationComment": {
+ "description": "Describes the reason the incident was closed",
+ "type": "string"
+ },
+ "classificationReason": {
+ "$ref": "#/definitions/IncidentClassificationReason",
+ "description": "The classification reason the incident was closed with"
+ },
+ "createdTimeUtc": {
+ "description": "The time the incident was created",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the incident",
+ "type": "string"
+ },
+ "firstActivityTimeUtc": {
+ "description": "The time of the first activity in the incident",
+ "format": "date-time",
+ "type": "string"
+ },
+ "incidentUrl": {
+ "description": "The deep-link url to the incident in Azure portal",
+ "readOnly": true,
+ "type":
"string"
+ },
+ "incidentNumber": {
+ "description": "A sequential number",
+ "readOnly": true,
+ "type": "integer"
+ },
+ "labels": {
+ "description": "List of labels relevant to this incident",
+ "items": {
+ "$ref": "#/definitions/IncidentLabel"
+ },
+ "type": "array"
+ },
+ "providerName": {
+ "description": "The name of the source provider that generated the incident",
+ "type": "string"
+ },
+ "providerIncidentId": {
+ "description": "The incident ID assigned by the incident provider",
+ "type": "string"
+ },
+ "lastActivityTimeUtc": {
+ "description": "The time of the last activity in the incident",
+ "format": "date-time",
+ "type": "string"
+ },
+ "lastModifiedTimeUtc": {
+ "description": "The last time the incident was updated",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "owner": {
+ "$ref": "#/definitions/IncidentOwnerInfo",
+ "description": "Describes a user that the incident is assigned to",
+ "type": "object"
+ },
+ "relatedAnalyticRuleIds": {
+ "description": "List of resource ids of Analytic rules related to the incident",
+ "items": {
+ "description": "Related Analytic rule resource id",
+ "type": "string"
+ },
+ "readOnly": true,
+ "type": "array"
+ },
+ "severity": {
+ "$ref": "#/definitions/IncidentSeverity",
+ "description": "The severity of the incident"
+ },
+ "status": {
+ "$ref": "#/definitions/IncidentStatus",
+ "description": "The status of the incident"
+ },
+ "title": {
+ "description": "The title of the incident",
+ "type": "string"
+ }
+ },
+ "required": [
+ "title",
+ "severity",
+ "status"
+ ],
+ "type": "object"
+ },
+ "IpEntity": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Entity"
+ }
+ ],
+ "description": "Represents an ip entity.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/IpEntityProperties",
+ "description": "Ip entity properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Ip"
+ },
+ "IpEntityProperties": {
+ "allOf": [
+ {
+ "$ref":
"#/definitions/EntityCommonProperties" + } + ], + "description": "Ip entity property bag.", + "properties": { + "address": { + "description": "The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6)", + "readOnly": true, + "type": "string" + }, + "location": { + "$ref": "#/definitions/GeoLocation", + "description": "The geo-location context attached to the ip entity" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the ip entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" + } + }, + "type": "object" + }, + "Label": { + "description": "Label that will be used to tag and filter on.", + "type": "string" + }, + "MailboxEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mailbox entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailboxEntityProperties", + "description": "Mailbox entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Mailbox" + }, + "MailboxEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mailbox entity property bag.", + "properties": { + "mailboxPrimaryAddress": { + "description": "The mailbox's primary address", + "readOnly": true, + "type": "string" + }, + "displayName": { + "description": "The mailbox's display name", + "readOnly": true, + "type": "string" + }, + "upn": { + "description": "The mailbox's UPN", + "readOnly": true, + "type": "string" + }, + "externalDirectoryObjectId": { + "description": "The AzureAD identifier of mailbox. 
Similar to AadUserId in account entity but this property is specific to mailbox object on office side", + "format": "uuid", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailClusterEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail cluster entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailClusterEntityProperties", + "description": "Mail cluster entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailCluster" + }, + "MailClusterEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail cluster entity property bag.", + "properties": { + "networkMessageIds": { + "description": "The mail message IDs that are part of the mail cluster", + "items": { + "description": "A mail message ID", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "countByDeliveryStatus": { + "description": "Count of mail messages by DeliveryStatus string representation", + "readOnly": true, + "type": "object" + }, + "countByThreatType": { + "description": "Count of mail messages by ThreatType string representation", + "readOnly": true, + "type": "object" + }, + "countByProtectionStatus": { + "description": "Count of mail messages by ProtectionStatus string representation", + "readOnly": true, + "type": "object" + }, + "threats": { + "description": "The threats of mail messages that are part of the mail cluster", + "items": { + "description": "A threat", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "query": { + "description": "The query that was used to identify the messages of the mail cluster", + "readOnly": true, + "type": "string" + }, + "queryTime": { + "description": "The query time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "mailCount": { + "description": "The number of mail messages that are part 
of the mail cluster", + "readOnly": true, + "type": "integer", + "format": "int32" + }, + "isVolumeAnomaly": { + "description": "Is this a volume anomaly mail cluster", + "readOnly": true, + "type": "boolean" + }, + "source": { + "description": "The source of the mail cluster (default is 'O365 ATP')", + "readOnly": true, + "type": "string" + }, + "clusterSourceIdentifier": { + "description": "The id of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterSourceType": { + "description": "The type of the cluster source", + "readOnly": true, + "type": "string" + }, + "clusterQueryStartTime": { + "description": "The cluster query start time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterQueryEndTime": { + "description": "The cluster query end time", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "clusterGroup": { + "description": "The cluster group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MailMessageEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a mail message entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MailMessageEntityProperties", + "description": "Mail message entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MailMessage" + }, + "MailMessageEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Mail message entity property bag.", + "properties": { + "fileEntityIds": { + "description": "The File entity ids of this mail message's attachments", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "recipient": { + "description": "The recipient of this mail message. 
Note that in case of multiple recipients the mail message is forked and each copy has one recipient", + "readOnly": true, + "type": "string" + }, + "urls": { + "description": "The Urls contained in this mail message", + "items": { + "description": "A Url contained in this mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "threats": { + "description": "The threats of this mail message", + "items": { + "description": "A threat of the mail message", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "p1Sender": { + "description": "The p1 sender's email address", + "readOnly": true, + "type": "string" + }, + "p1SenderDisplayName": { + "description": "The p1 sender's display name", + "readOnly": true, + "type": "string" + }, + "p1SenderDomain": { + "description": "The p1 sender's domain", + "readOnly": true, + "type": "string" + }, + "senderIP": { + "description": "The sender's IP address", + "readOnly": true, + "type": "string" + }, + "p2Sender": { + "description": "The p2 sender's email address", + "readOnly": true, + "type": "string" + }, + "p2SenderDisplayName": { + "description": "The p2 sender's display name", + "readOnly": true, + "type": "string" + }, + "p2SenderDomain": { + "description": "The p2 sender's domain", + "readOnly": true, + "type": "string" + }, + "receiveDate": { + "description": "The receive date of this message", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "networkMessageId": { + "description": "The network message id of this mail message", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "internetMessageId": { + "description": "The internet message id of this mail message", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of this mail message", + "readOnly": true, + "type": "string" + }, + "language": { + "description": "The language of this mail message", + "readOnly": true, + "type": "string" + }, + 
"threatDetectionMethods": { + "description": "The threat detection methods", + "items": { + "description": "A threat detection method", + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "bodyFingerprintBin1": { + "description": "The bodyFingerprintBin1", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin2": { + "description": "The bodyFingerprintBin2", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin3": { + "description": "The bodyFingerprintBin3", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin4": { + "description": "The bodyFingerprintBin4", + "type": "integer", + "format": "int32" + }, + "bodyFingerprintBin5": { + "description": "The bodyFingerprintBin5", + "type": "integer", + "format": "int32" + }, + "antispamDirection": { + "description": "The directionality of this mail message", + "enum": [ + "Unknown", + "Inbound", + "Outbound", + "Intraorg" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AntispamMailDirection", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbound", + "value": "Inbound" + }, + { + "description": "Outbound", + "value": "Outbound" + }, + { + "description": "Intraorg", + "value": "Intraorg" + } + ] + } + }, + "deliveryAction": { + "description": "The delivery action of this mail message like Delivered, Blocked, Replaced etc", + "enum": [ + "Unknown", + "DeliveredAsSpam", + "Delivered", + "Blocked", + "Replaced" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryAction", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "DeliveredAsSpam", + "value": "DeliveredAsSpam" + }, + { + "description": "Delivered", + "value": "Delivered" + }, + { + "description": "Blocked", + "value": "Blocked" + }, + { + "description": "Replaced", + "value": "Replaced" + } + ] + } + }, + "deliveryLocation": { + "description": "The delivery 
location of this mail message like Inbox, JunkFolder etc", + "enum": [ + "Unknown", + "Inbox", + "JunkFolder", + "DeletedFolder", + "Quarantine", + "External", + "Failed", + "Dropped", + "Forwarded" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "DeliveryLocation", + "values": [ + { + "description": "Unknown", + "value": "Unknown" + }, + { + "description": "Inbox", + "value": "Inbox" + }, + { + "description": "JunkFolder", + "value": "JunkFolder" + }, + { + "description": "DeletedFolder", + "value": "DeletedFolder" + }, + { + "description": "Quarantine", + "value": "Quarantine" + }, + { + "description": "External", + "value": "External" + }, + { + "description": "Failed", + "value": "Failed" + }, + { + "description": "Dropped", + "value": "Dropped" + }, + { + "description": "Forwarded", + "value": "Forwarded" + } + ] + } + } + }, + "type": "object" + }, + "SubmissionMailEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a submission mail entity.", + "properties": { + "properties": { + "$ref": "#/definitions/SubmissionMailEntityProperties", + "description": "Submission mail entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "SubmissionMail" + }, + "SubmissionMailEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Submission mail entity property bag.", + "properties": { + "networkMessageId": { + "description": "The network message id of email to which submission belongs", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "submissionId": { + "description": "The submission id", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "submitter": { + "description": "The submitter", + "readOnly": true, + "type": "string" + }, + "submissionDate": { + "description": "The submission date", + "format": "date-time", + "readOnly": true, + "type": "string" 
+ }, + "timestamp": { + "description": "The Time stamp when the message is received (Mail)", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "recipient": { + "description": "The recipient of the mail", + "readOnly": true, + "type": "string" + }, + "sender": { + "description": "The sender of the mail", + "readOnly": true, + "type": "string" + }, + "senderIp": { + "description": "The sender's IP", + "readOnly": true, + "type": "string" + }, + "subject": { + "description": "The subject of submission mail", + "readOnly": true, + "type": "string" + }, + "reportType": { + "description": "The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk.", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "MCASDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASDataConnectorProperties", + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASDataConnectorDataTypes": { + "allOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector.", + "properties": { + "discoveryLogs": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - }, - "systemAlertId": { - "description": "Holds the product identifier of the alert for the product.", - "readOnly": true, - "type": "string" - }, - "tactics": { - "description": "The tactics of the alert", - "items": { - "$ref": "#/definitions/AttackTactic" - }, - "readOnly": true, - "type": "array" - }, - "timeGenerated": { - "description": "The time the alert was generated.", - "format": "date-time", - "readOnly": 
true, - "type": "string" - }, - "vendorName": { - "description": "The name of the vendor that raise the alert.", - "readOnly": true, - "type": "string" - }, - "alertLink": { - "description": "The uri link of the alert.", - "readOnly": true, + ], + "description": "Discovery log data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "MCASDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/MCASDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "MCASCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MCAS (Microsoft Cloud App Security) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MCASCheckRequirementsProperties", + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftCloudAppSecurity" + }, + "MCASCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MCAS (Microsoft Cloud App Security) requirements check properties.", + "type": "object" + }, + "MDATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPDataConnectorProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": 
"MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + }, + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "MDATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/MDATPCheckRequirementsProperties", + "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftDefenderAdvancedThreatProtection" + }, + "MDATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "MalwareEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a malware entity.", + "properties": { + "properties": { + "$ref": "#/definitions/MalwareEntityProperties", + "description": "File entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Malware" + }, + "MalwareEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Malware entity property bag.", + "properties": { + "category": { + "description": "The malware category by the vendor, e.g. 
Trojan", + "readOnly": true, + "type": "string" + }, + "fileEntityIds": { + "description": "List of linked file entity identifiers on which the malware was found", + "items": { + "description": "file entity id", "type": "string" }, - "resourceIdentifiers": { - "description": "The list of resource identifiers of the alert.", - "items": { - "type": "object" - }, - "readOnly": true, - "type": "array" - } + "readOnly": true, + "type": "array" }, - "type": "object" - }, - "SecurityGroupEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a security group entity.", - "properties": { - "properties": { - "$ref": "#/definitions/SecurityGroupEntityProperties", - "description": "SecurityGroup entity properties", - "x-ms-client-flatten": true - } + "malwareName": { + "description": "The malware name by the vendor, e.g. Win32/Toga!rfn", + "readOnly": true, + "type": "string" }, - "type": "object", - "x-ms-discriminator-value": "SecurityGroup" + "processEntityIds": { + "description": "List of linked process entity identifiers on which the malware was found.", + "items": { + "description": "process entity id", + "type": "string" + }, + "readOnly": true, + "type": "array" + } }, - "SecurityGroupEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "SecurityGroup entity property bag.", + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule.", + "properties": { "properties": { - "distinguishedName": { - "description": "The group distinguished name", - "readOnly": true, + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties", + "description": "MicrosoftSecurityIncidentCreation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": 
"MicrosoftSecurityIncidentCreation" + }, + "MicrosoftSecurityIncidentCreationAlertRuleCommonProperties": { + "description": "MicrosoftSecurityIncidentCreation rule common property bag.", + "properties": { + "displayNamesFilter": { + "description": "the alerts' displayNames on which the cases will be generated", + "items": { "type": "string" }, - "objectGuid": { - "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", - "format": "uuid", - "readOnly": true, + "type": "array" + }, + "displayNamesExcludeFilter": { + "description": "the alerts' displayNames on which the cases will not be generated", + "items": { "type": "string" }, - "sid": { - "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", - "readOnly": true, - "type": "string" + "type": "array" + }, + "productFilter": { + "description": "The alerts' productName on which the cases will be generated", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT", + "Office 365 Advanced Threat Protection", + "Microsoft Defender Advanced Threat Protection" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "MicrosoftSecurityProductName" } }, - "type": "object" + "severitiesFilter": { + "description": "the alerts' severities on which the cases will be generated", + "items": { + "$ref": "#/definitions/AlertSeverity" + }, + "type": "array" + } + }, + "required": [ + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "allOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag.", + "properties": { + "alertRuleTemplateName": { + "description": "The Name of the 
alert rule template used to create this rule.", + "type": "string" + }, + "description": { + "description": "The description of the alert rule.", + "type": "string" + }, + "displayName": { + "description": "The display name for alerts created by this alert rule.", + "type": "string" + }, + "enabled": { + "description": "Determines whether this alert rule is enabled or disabled.", + "type": "boolean" + }, + "lastModifiedUtc": { + "description": "The last time that this alert has been modified.", + "format": "date-time", + "readOnly": true, + "type": "string" + } }, - "SettingList": { - "description": "List of all the settings.", + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "type": "object" + }, + "MicrosoftSecurityIncidentCreationAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule template.", + "properties": { "properties": { - "value": { - "description": "Array of settings.", - "items": { - "$ref": "#/definitions/Settings" + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" }, - "type": "array" - } + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule template properties", + "required": [ + "displayName", + "description", + "createdDateUTC", + "status", + "alertRulesCreatedByTemplateCount", + "productFilter" + ], + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "MicrosoftSecurityIncidentCreation" + }, + "OfficeATPDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeATPDataConnectorProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector 
properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" }, - "required": [ - "value" - ] + { + "$ref": "#/definitions/DataConnectorWithAlertsProperties" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties.", + "type": "object" + }, + "OfficeATPCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeATPCheckRequirementsProperties", + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "x-ms-client-flatten": true + } }, - "Settings": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/SettingsKind" - } - ], - "description": "The Setting.", - "discriminator": "kind", - "type": "object" + "type": "object", + "x-ms-discriminator-value": "OfficeATP" + }, + "OfficeATPCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) requirements check properties.", + "type": "object" + }, + "OfficeConsent": { + "allOf": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource" + } + ], + "description": "Consent for Office365 tenant that already made.", + "properties": { + "properties": { + "$ref": "#/definitions/OfficeConsentProperties", + "description": "Office consent properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "OfficeConsentList": { + "description": "List of all the office365 consents.", + "properties": { + "nextLink": { + 
"description": "URL to fetch the next set of office consents.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of the consents.", + "items": { + "$ref": "#/definitions/OfficeConsent" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "OfficeConsentProperties": { + "description": "Consent property bag.", + "properties": { + "tenantId": { + "description": "The tenantId of the Office365 with the consent.", + "type": "string" + }, + "consentId": { + "description": "Help to easily cascade among the data layers.", + "type": "string" + } }, - "SettingsKind": { - "description": "Describes an Azure resource with kind.", + "type": "object" + }, + "OfficeDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Represents office data connector.", + "properties": { "properties": { - "kind": { - "description": "The kind of the setting", - "enum": [ - "EyesOn", - "EntityAnalytics", - "Ueba" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "SettingKind" + "$ref": "#/definitions/OfficeDataConnectorProperties", + "description": "Office data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Office365" + }, + "OfficeDataConnectorDataTypes": { + "description": "The available data types for office data connector.", + "properties": { + "exchange": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" } - } + ], + "description": "Exchange data type connection.", + "type": "object" }, - "required": [ - "kind" - ], - "type": "object" + "sharePoint": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "SharePoint data type connection.", + "type": "object" + }, + "teams": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Teams data type connection.", + "type": "object" + } }, - 
"TIDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" - } - ], - "description": "Data connector to pull threat intelligence data from TIP products.", - "properties": { + "type": "object", + "required": [ + "exchange", + "sharePoint", + "teams" + ] + }, + "OfficeDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Office data connector properties.", + "properties": { + "dataTypes": { + "$ref": "#/definitions/OfficeDataConnectorDataTypes", + "description": "The available data types for the connector." + } + }, + "required": [ + "dataTypes" + ], + "type": "object" + }, + "Operation": { + "description": "Operation provided by provider", + "properties": { + "display": { + "description": "Properties of the operation", "properties": { - "$ref": "#/definitions/TIDataConnectorProperties", - "description": "Threat Intelligence Platforms data connector properties.", - "x-ms-client-flatten": true - } + "description": { + "description": "Description of the operation", + "type": "string" + }, + "operation": { + "description": "Operation name", + "type": "string" + }, + "provider": { + "description": "Provider name", + "type": "string" + }, + "resource": { + "description": "Resource name", + "type": "string" + } + }, + "type": "object" + }, + "name": { + "description": "Name of the operation", + "type": "string" }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" + "origin": { + "description": "The origin of the operation", + "type": "string" + } + } + }, + "OperationsList": { + "description": "Lists the operations available in the SecurityInsights RP.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of operations.", + "type": "string" + }, + "value": { + "description": "Array of operations", + "items": { + "$ref": "#/definitions/Operation" + }, + "type": "array" + } }, - "TIDataConnectorDataTypes": { - "description": "The available data 
types for Threat Intelligence Platforms data connector.", + "required": [ + "value" + ] + }, + "ProcessEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a process entity.", + "properties": { "properties": { - "indicators": { - "allOf": [ + "$ref": "#/definitions/ProcessEntityProperties", + "description": "Process entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Process" + }, + "ProcessEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Process entity property bag.", + "properties": { + "accountEntityId": { + "description": "The account entity id running the processes.", + "readOnly": true, + "type": "string" + }, + "commandLine": { + "description": "The command line used to create the process", + "readOnly": true, + "type": "string" + }, + "creationTimeUtc": { + "description": "The time when the process started to run", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "elevationToken": { + "description": "The elevation token associated with the process.", + "enum": [ + "Default", + "Full", + "Limited" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": false, + "name": "ElevationToken", + "values": [ + { + "description": "Default elevation token", + "value": "Default" + }, + { + "description": "Full elevation token", + "value": "Full" + }, { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "description": "Limited elevation token", + "value": "Limited" } - ], - "description": "Data type for Threat Intelligence Platforms data connector.", - "type": "object" + ] } }, - "type": "object", - "required": [ - "indicators" - ] + "hostEntityId": { + "description": "The host entity id on which the process was running", + "readOnly": true, + "type": "string" + }, + "hostLogonSessionEntityId": { + "description": "The session entity id in which the process was running", + 
"readOnly": true, + "type": "string" + }, + "imageFileEntityId": { + "description": "Image file entity id", + "readOnly": true, + "type": "string" + }, + "parentProcessEntityId": { + "description": "The parent process entity id.", + "readOnly": true, + "type": "string" + }, + "processId": { + "description": "The process ID", + "readOnly": true, + "type": "string" + } }, - "TIDataConnectorProperties": { - "description": "TI (Threat Intelligence) data connector properties.", + "type": "object" + }, + "RegistryKeyEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry key entity.", + "properties": { "properties": { - "tenantId": { - "description": "The tenant id to connect to, and get the data from.", - "type": "string" - }, - "tipLookbackPeriod": { - "description": "The lookback period for the feed to be imported.", - "format": "date-time", - "type": "string", - "x-nullable": true - }, - "dataTypes": { - "$ref": "#/definitions/TIDataConnectorDataTypes", - "description": "The available data types for the connector." 
+ "$ref": "#/definitions/RegistryKeyEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "RegistryKey" + }, + "RegistryKeyEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryKey entity property bag.", + "properties": { + "hive": { + "description": "the hive that holds the registry key.", + "enum": [ + "HKEY_LOCAL_MACHINE", + "HKEY_CLASSES_ROOT", + "HKEY_CURRENT_CONFIG", + "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "HKEY_PERFORMANCE_DATA", + "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", + "HKEY_A", + "HKEY_CURRENT_USER" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryHive", + "values": [ + { + "description": "HKEY_LOCAL_MACHINE", + "value": "HKEY_LOCAL_MACHINE" + }, + { + "description": "HKEY_CLASSES_ROOT", + "value": "HKEY_CLASSES_ROOT" + }, + { + "description": "HKEY_CURRENT_CONFIG", + "value": "HKEY_CURRENT_CONFIG" + }, + { + "description": "HKEY_USERS", + "value": "HKEY_USERS" + }, + { + "description": "HKEY_CURRENT_USER_LOCAL_SETTINGS", + "value": "HKEY_CURRENT_USER_LOCAL_SETTINGS" + }, + { + "description": "HKEY_PERFORMANCE_DATA", + "value": "HKEY_PERFORMANCE_DATA" + }, + { + "description": "HKEY_PERFORMANCE_NLSTEXT", + "value": "HKEY_PERFORMANCE_NLSTEXT" + }, + { + "description": "HKEY_PERFORMANCE_TEXT", + "value": "HKEY_PERFORMANCE_TEXT" + }, + { + "description": "HKEY_A", + "value": "HKEY_A" + }, + { + "description": "HKEY_CURRENT_USER", + "value": "HKEY_CURRENT_USER" + } + ] } }, - "type": "object", - "required": [ - "tenantId", - "dataTypes" - ] + "key": { + "description": "The registry key path.", + "readOnly": true, + "type": "string" + } }, - "TICheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Threat Intelligence Platforms data 
connector check requirements", + "type": "object" + }, + "RegistryValueEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a registry value entity.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/TICheckRequirementsProperties", - "description": "Threat Intelligence Platforms data connector check required properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligence" + "$ref": "#/definitions/RegistryValueEntityProperties", + "description": "RegistryKey entity properties", + "x-ms-client-flatten": true + } }, - "TICheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "type": "object", + "x-ms-discriminator-value": "RegistryValue" + }, + "RegistryValueEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "RegistryValue entity property bag.", + "properties": { + "keyEntityId": { + "description": "The registry key entity id.", + "readOnly": true, + "type": "string" + }, + "valueData": { + "description": "String formatted representation of the value data.", + "readOnly": true, + "type": "string" + }, + "valueName": { + "description": "The registry value name.", + "readOnly": true, + "type": "string" + }, + "valueType": { + "description": "Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.", + "enum": [ + "None", + "Unknown", + "String", + "ExpandString", + "Binary", + "DWord", + "MultiString", + "QWord" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "RegistryValueKind", + "values": [ + { + "description": "None", + "value": "None" + }, + { + "description": "Unknown value type", + "value": "Unknown" + }, + { + "description": "String value type", + "value": "String" + }, + { + "description": "ExpandString value 
type", + "value": "ExpandString" + }, + { + "description": "Binary value type", + "value": "Binary" + }, + { + "description": "DWord value type", + "value": "DWord" + }, + { + "description": "MultiString value type", + "value": "MultiString" + }, + { + "description": "QWord value type", + "value": "QWord" + } + ] } - ], - "description": "Threat Intelligence Platforms data connector required properties.", - "properties": {}, - "type": "object" + } }, - "TiTaxiiDataConnector": { - "allOf": [ - { - "$ref": "#/definitions/DataConnector" + "type": "object" + }, + "RelationList": { + "description": "List of relations.", + "properties": { + "nextLink": { + "readOnly": true, + "description": "URL to fetch the next set of relations.", + "type": "string" + }, + "value": { + "description": "Array of relations.", + "type": "array", + "items": { + "$ref": "#/definitions/Relation" } - ], - "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server", + } + }, + "required": [ + "value" + ] + }, + "Relation": { + "type": "object", + "description": "Represents a relation between two resources", + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "$ref": "#/definitions/RelationProperties", + "description": "Relation properties", + "x-ms-client-flatten": true + } + } + }, + "RelationProperties": { + "description": "Relation property bag.", + "properties": { + "relatedResourceId": { + "description": "The resource ID of the related resource", + "type": "string" + }, + "relatedResourceName": { + "description": "The name of the related resource", + "readOnly": true, + "type": "string" + }, + "relatedResourceType": { + "description": "The resource type of the related resource", + "readOnly": true, + "type": "string" + }, + "relatedResourceKind": { + "description": "The resource kind of the related resource", + "readOnly": true, + "type": "string" + } + }, + "required": [ + 
"relatedResourceId" + ], + "type": "object" + }, + "Resource": { + "description": "An azure resource object", + "properties": { + "id": { + "description": "Azure resource Id", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "Azure resource name", + "readOnly": true, + "type": "string" + }, + "type": { + "description": "Azure resource type", + "readOnly": true, + "type": "string" + } + }, + "x-ms-azure-resource": true + }, + "ScheduledAlertRule": { + "allOf": [ + { + "$ref": "#/definitions/AlertRule" + } + ], + "description": "Represents scheduled alert rule.", + "properties": { + "properties": { + "$ref": "#/definitions/ScheduledAlertRuleProperties", + "description": "Scheduled alert rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "ScheduledAlertRuleCommonProperties": { + "description": "Scheduled alert rule template property bag.", + "properties": { + "query": { + "description": "The query that creates alerts for this rule.", + "type": "string" + }, + "queryFrequency": { + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run.", + "format": "duration", + "type": "string" + }, + "queryPeriod": { + "description": "The period (in ISO 8601 duration format) that this alert rule looks at.", + "format": "duration", + "type": "string" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity for alerts created by this alert rule." + }, + "triggerOperator": { + "$ref": "#/definitions/AlertRuleTriggerOperator", + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "description": "The threshold triggers this alert rule.", + "type": "integer" + }, + "eventGroupingSettings": { + "$ref": "#/definitions/EventGroupingSettings", + "description": "The event grouping settings." 
+ }
+ },
+ "type": "object"
+ },
+ "EventGroupingSettings": {
+ "description": "Event grouping settings property bag.",
+ "properties": {
+ "aggregationKind": {
+ "$ref": "#/definitions/EventGroupingAggregationKind"
+ }
+ },
+ "type": "object"
+ },
+ "EventGroupingAggregationKind": {
+ "description": "The event grouping aggregation kinds",
+ "enum": [
+ "SingleAlert",
+ "AlertPerResult"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "EventGroupingAggregationKind"
+ }
+ },
+ "ScheduledAlertRuleProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/ScheduledAlertRuleCommonProperties"
+ }
+ ],
+ "description": "Scheduled alert rule base property bag.",
+ "properties": {
+ "alertRuleTemplateName": {
+ "description": "The Name of the alert rule template used to create this rule.",
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the alert rule.",
+ "type": "string"
+ },
+ "displayName": {
+ "description": "The display name for alerts created by this alert rule.",
+ "type": "string"
+ },
+ "enabled": {
+ "description": "Determines whether this alert rule is enabled or disabled.",
+ "type": "boolean"
+ },
+ "lastModifiedUtc": {
+ "description": "The last time that this alert rule has been modified.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
+ "suppressionDuration": {
+ "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered.",
+ "format": "duration",
+ "type": "string"
+ },
+ "suppressionEnabled": {
+ "description": "Determines whether the suppression for this alert rule is enabled or disabled.",
+ "type": "boolean"
+ },
+ "tactics": {
+ "description": "The tactics of the alert rule",
+ "items": {
+ "$ref": "#/definitions/AttackTactic"
+ },
+ "type": "array"
+ },
+ "incidentConfiguration": {
+ "$ref": "#/definitions/IncidentConfiguration",
+ "description": "The settings of the incidents that created from alerts triggered 
by this analytics rule" + } + }, + "required": [ + "displayName", + "enabled", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold", + "suppressionEnabled", + "suppressionDuration" + ], + "type": "object" + }, + "ScheduledAlertRuleTemplate": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplate" + } + ], + "description": "Represents scheduled alert rule template.", + "properties": { "properties": { + "allOf": [ + { + "$ref": "#/definitions/AlertRuleTemplatePropertiesBase" + }, + { + "$ref": "#/definitions/ScheduledAlertRuleCommonProperties" + } + ], + "description": "Scheduled alert rule template properties", "properties": { - "$ref": "#/definitions/TiTaxiiDataConnectorProperties", - "description": "Threat intelligence TAXII data connector properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + "tactics": { + "description": "The tactics of the alert rule template", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "type": "array" + } + }, + "required": [ + "displayName", + "description", + "status", + "alertRulesCreatedByTemplateCount", + "severity", + "query", + "queryFrequency", + "queryPeriod", + "triggerOperator", + "triggerThreshold" + ], + "x-ms-client-flatten": true + } }, - "TiTaxiiDataConnectorDataTypes": { - "description": "The available data types for Threat Intelligence TAXII data connector.", - "properties": { - "taxiiClient": { - "allOf": [ + "type": "object", + "x-ms-discriminator-value": "Scheduled" + }, + "IncidentConfiguration": { + "description": "Incident Configuration property bag.", + "properties": { + "createIncident": { + "description": "Create incidents from alerts triggered by this analytics rule", + "type": "boolean" + }, + "groupingConfiguration": { + "$ref": "#/definitions/GroupingConfiguration", + "description": "Set how the alerts that are triggered by this analytics rule, are grouped into 
incidents" + } + }, + "type": "object", + "required": [ + "createIncident" + ] + }, + "GroupingConfiguration": { + "description": "Grouping configuration property bag.", + "properties": { + "enabled": { + "description": "Grouping enabled", + "type": "boolean" + }, + "reopenClosedIncident": { + "description": "Re-open closed matching incidents", + "type": "boolean" + }, + "lookbackDuration": { + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "entitiesMatchingMethod": { + "description": "Grouping matching method", + "enum": [ + "All", + "None", + "Custom" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntitiesMatchingMethod", + "values": [ + { + "description": "Grouping alerts into a single incident if all the entities match", + "value": "All" + }, { - "$ref": "#/definitions/DataConnectorDataTypeCommon" + "description": "Grouping all alerts triggered by this rule into a single incident", + "value": "None" + }, + { + "description": "Grouping alerts into a single incident if the selected entities match", + "value": "Custom" } - ], - "description": "Data type for TAXII connector.", - "type": "object" + ] } }, - "type": "object", - "required": [ - "taxiiClient" - ] - }, - "TiTaxiiDataConnectorProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" - } - ], - "description": "Threat Intelligence TAXII data connector properties.", - "properties": { - "workspaceId": { - "description": "The workspace id.", - "type": "string" - }, - "friendlyName": { - "description": "The friendly name for the TAXII server.", - "type": "string" - }, - "taxiiServer": { - "description": "The API root for the TAXII server.", - "type": "string" - }, - "collectionId": { - "description": "The collection id of the TAXII server.", - "type": "string" - }, - "userName": { - "description": "The userName for the TAXII server.", - "type": 
"string" - }, - "password": { - "description": "The password for the TAXII server.", - "type": "string" - }, - "taxiiLookbackPeriod": { - "description": "The lookback period for the TAXII server.", - "format": "date-time", - "type": "string", - "x-nullable": true - }, - "pollingFrequency": { - "description": "The polling frequency for the TAXII server.", - "type": "string", - "x-nullable": true, + "groupByEntities": { + "description": "A list of entity types to group by (when entitiesMatchingMethod is Custom)", + "items": { + "description": "Grouping entity type", "enum": [ - "OnceAMinute", - "OnceAnHour", - "OnceADay" + "Account", + "Host", + "Ip", + "Url", + "FileHash" ], + "type": "string", "x-ms-enum": { "modelAsString": true, - "name": "PollingFrequency", + "name": "GroupingEntityType", "values": [ { - "description": "Once a minute", - "value": "OnceAMinute" + "description": "Account entity", + "value": "Account" + }, + { + "description": "Host entity", + "value": "Host" + }, + { + "description": "Ip entity", + "value": "Ip" }, { - "description": "Once an hour", - "value": "OnceAnHour" + "description": "Url entity", + "value": "Url" }, { - "description": "Once a day", - "value": "OnceADay" + "description": "FileHash entity", + "value": "FileHash" } ] } }, - "dataTypes": { - "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", - "description": "The available data types for Threat Intelligence TAXII data connector." 
- } - }, - "required": [ - "dataTypes", - "pollingFrequency" - ], - "type": "object" + "type": "array" + } }, - "TiTaxiiCheckRequirements": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - } - ], - "description": "Threat Intelligence TAXII data connector check requirements", + "type": "object", + "required": [ + "enabled", + "reopenClosedIncident", + "lookbackDuration", + "entitiesMatchingMethod" + ] + }, + "SecurityAlert": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security alert entity.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", - "description": "Threat Intelligence TAXII check required properties.", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + "$ref": "#/definitions/SecurityAlertProperties", + "description": "SecurityAlert entity properties", + "x-ms-client-flatten": true + } }, - "TiTaxiiCheckRequirementsProperties": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorTenantId" + "type": "object", + "x-ms-discriminator-value": "SecurityAlert" + }, + "SecurityAlertProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityAlert entity property bag.", + "properties": { + "alertDisplayName": { + "description": "The display name of the alert.", + "readOnly": true, + "type": "string" + }, + "alertType": { + "description": "The type name of the alert.", + "readOnly": true, + "type": "string" + }, + "compromisedEntity": { + "description": "Display name of the main entity being reported on.", + "readOnly": true, + "type": "string" + }, + "confidenceLevel": { + "description": "The confidence level of this alert.", + "enum": [ + "Unknown", + "Low", + "High" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceLevel", + "values": [ + { + 
"description": "Unknown confidence, the is the default value", + "value": "Unknown" + }, + { + "description": "Low confidence, meaning we have some doubts this is indeed malicious or part of an attack", + "value": "Low" + }, + { + "description": "High confidence that the alert is true positive malicious", + "value": "High" + } + ] } - ], - "description": "Threat Intelligence TAXII data connector required properties.", - "type": "object" - }, - "ThreatIntelligence": { - "description": "ThreatIntelligence property bag.", - "properties": { - "confidence": { - "description": "Confidence (must be between 0 and 1)", - "format": "double", - "readOnly": true, - "type": "number" - }, - "providerName": { - "description": "Name of the provider from whom this Threat Intelligence information was received", - "readOnly": true, - "type": "string" - }, - "reportLink": { - "description": "Report link", - "readOnly": true, - "type": "string" - }, - "threatDescription": { - "description": "Threat description (free text)", - "readOnly": true, - "type": "string" - }, - "threatName": { - "description": "Threat name (e.g. \"Jedobot malware\")", - "readOnly": true, - "type": "string" + }, + "confidenceReasons": { + "description": "The confidence reasons", + "items": { + "description": "confidence reason item", + "properties": { + "reason": { + "description": "The reason's description", + "readOnly": true, + "type": "string" + }, + "reasonType": { + "description": "The type (category) of the reason", + "readOnly": true, + "type": "string" + } + }, + "type": "object" }, - "threatType": { - "description": "Threat type (e.g. \"Botnet\")", - "readOnly": true, - "type": "string" + "readOnly": true, + "type": "array" + }, + "confidenceScore": { + "description": "The confidence score of the alert.", + "format": "double", + "readOnly": true, + "type": "number" + }, + "confidenceScoreStatus": { + "description": "The confidence score calculation status, i.e. 
indicating if score calculation is pending for this alert, not applicable or final.", + "enum": [ + "NotApplicable", + "InProcess", + "NotFinal", + "Final" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ConfidenceScoreStatus", + "values": [ + { + "description": "Score will not be calculated for this alert as it is not supported by virtual analyst", + "value": "NotApplicable" + }, + { + "description": "No score was set yet and calculation is in progress", + "value": "InProcess" + }, + { + "description": "Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data", + "value": "NotFinal" + }, + { + "description": "Final score was calculated and available", + "value": "Final" + } + ] } }, - "type": "object" - }, - "IPSyncer": { - "allOf": [ - { - "$ref": "#/definitions/Settings" + "description": { + "description": "Alert description.", + "readOnly": true, + "type": "string" + }, + "endTimeUtc": { + "description": "The impact end time of the alert (the time of the last event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "intent": { + "description": "Holds the alert intent stage(s) mapping for this alert.", + "enum": [ + "Unknown", + "Probing", + "Exploitation", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "KillChainIntent", + "values": [ + { + "description": "The default value.", + "value": "Unknown" + }, + { + "description": "Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. 
This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.",
+ "value": "Probing"
+ },
+ {
+ "description": "Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.",
+ "value": "Exploitation"
+ },
+ {
+ "description": "Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.",
+ "value": "Persistence"
+ },
+ {
+ "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.",
+ "value": "PrivilegeEscalation"
+ },
+ {
+ "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ",
+ "value": "DefenseEvasion"
+ },
+ {
+ "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. 
Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.",
+ "value": "CredentialAccess"
+ },
+ {
+ "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.",
+ "value": "Discovery"
+ },
+ {
+ "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.",
+ "value": "LateralMovement"
+ },
+ {
+ "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.",
+ "value": "Execution"
+ },
+ {
+ "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Collection" + }, + { + "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "value": "Exfiltration" + }, + { + "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network.", + "value": "CommandAndControl" + }, + { + "description": "The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.", + "value": "Impact" + } + ] } - ], - "description": "Settings with single toggle.", - "properties": { - "properties": { - "$ref": "#/definitions/IPSyncerSettingsProperties", - "description": "IPSyncer properties", - "x-ms-client-flatten": true + }, + "providerAlertId": { + "description": "The identifier of the alert inside the product which generated the alert.", + "readOnly": true, + "type": "string" + }, + "processingEndTime": { + "description": "The time the alert was made available for consumption.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "productComponentName": { + "description": "The name of a component inside the product which generated the alert.", + "readOnly": true, + "type": "string" + }, + "productName": { + "description": "The name of the product which published this alert.", + "readOnly": true, + "type": "string" + }, + "productVersion": { + "description": "The version of the product generating the alert.", + "readOnly": true, + "type": "string" + }, + 
"remediationSteps": { + "description": "Manual action items to take to remediate the alert.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + }, + "severity": { + "$ref": "#/definitions/AlertSeverity", + "description": "The severity of the alert" + }, + "startTimeUtc": { + "description": "The impact start time of the alert (the time of the first event contributing to the alert).", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "status": { + "description": "The lifecycle status of the alert.", + "enum": [ + "Unknown", + "New", + "Resolved", + "Dismissed", + "InProgress" + ], + "readOnly": true, + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertStatus", + "values": [ + { + "description": "Unknown value", + "value": "Unknown" + }, + { + "description": "New alert", + "value": "New" + }, + { + "description": "Alert closed after handling", + "value": "Resolved" + }, + { + "description": "Alert dismissed as false positive", + "value": "Dismissed" + }, + { + "description": "Alert is being handled", + "value": "InProgress" + } + ] } }, - "type": "object", - "x-ms-discriminator-value": "IPSyncer" + "systemAlertId": { + "description": "Holds the product identifier of the alert for the product.", + "readOnly": true, + "type": "string" + }, + "tactics": { + "description": "The tactics of the alert", + "items": { + "$ref": "#/definitions/AttackTactic" + }, + "readOnly": true, + "type": "array" + }, + "timeGenerated": { + "description": "The time the alert was generated.", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "vendorName": { + "description": "The name of the vendor that raise the alert.", + "readOnly": true, + "type": "string" + }, + "alertLink": { + "description": "The uri link of the alert.", + "readOnly": true, + "type": "string" + }, + "resourceIdentifiers": { + "description": "The list of resource identifiers of the alert.", + "items": { + "type": "object" + }, 
+ "readOnly": true, + "type": "array" + } }, - "IPSyncerSettingsProperties": { - "description": "IPSyncer property bag.", + "type": "object" + }, + "SecurityGroupEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a security group entity.", + "properties": { "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" - } - }, - "type": "object" + "$ref": "#/definitions/SecurityGroupEntityProperties", + "description": "SecurityGroup entity properties", + "x-ms-client-flatten": true + } }, - "EyesOn": { - "allOf": [ - { + "type": "object", + "x-ms-discriminator-value": "SecurityGroup" + }, + "SecurityGroupEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "SecurityGroup entity property bag.", + "properties": { + "distinguishedName": { + "description": "The group distinguished name", + "readOnly": true, + "type": "string" + }, + "objectGuid": { + "description": "A single-value attribute that is the unique identifier for the object, assigned by active directory.", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "sid": { + "description": "The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group", + "readOnly": true, + "type": "string" + } + }, + "type": "object" + }, + "SettingList": { + "description": "List of all the settings.", + "properties": { + "value": { + "description": "Array of settings.", + "items": { "$ref": "#/definitions/Settings" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "Settings": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/SettingsKind" + } + ], + "description": "The Setting.", + "discriminator": "kind", + "type": "object" + }, + "SettingsKind": { + "description": "Describes an Azure 
resource with kind.", + "properties": { + "kind": { + "description": "The kind of the setting", + "enum": [ + "EyesOn", + "EntityAnalytics", + "Ueba" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "SettingKind" } - ], - "description": "Settings with single toggle.", + } + }, + "required": [ + "kind" + ], + "type": "object" + }, + "TIDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull threat intelligence data from TIP products.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/EyesOnSettingsProperties", - "description": "EyesOn properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "EyesOn" + "$ref": "#/definitions/TIDataConnectorProperties", + "description": "Threat Intelligence Platforms data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TIDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence Platforms data connector.", + "properties": { + "indicators": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for Threat Intelligence Platforms data connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "indicators" + ] + }, + "TIDataConnectorProperties": { + "description": "TI (Threat Intelligence) data connector properties.", + "properties": { + "tenantId": { + "description": "The tenant id to connect to, and get the data from.", + "type": "string" + }, + "tipLookbackPeriod": { + "description": "The lookback period for the feed to be imported.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "dataTypes": { + "$ref": "#/definitions/TIDataConnectorDataTypes", + "description": "The available data types for the connector." 
+ } + }, + "type": "object", + "required": [ + "tenantId", + "dataTypes" + ] + }, + "TICheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence Platforms data connector check requirements", + "properties": { + "properties": { + "$ref": "#/definitions/TICheckRequirementsProperties", + "description": "Threat Intelligence Platforms data connector check required properties", + "x-ms-client-flatten": true + } }, - "EyesOnSettingsProperties": { - "description": "EyesOn property bag.", + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligence" + }, + "TICheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence Platforms data connector required properties.", + "properties": {}, + "type": "object" + }, + "TiTaxiiDataConnector": { + "allOf": [ + { + "$ref": "#/definitions/DataConnector" + } + ], + "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server", + "properties": { "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" + "$ref": "#/definitions/TiTaxiiDataConnectorProperties", + "description": "Threat intelligence TAXII data connector properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiDataConnectorDataTypes": { + "description": "The available data types for Threat Intelligence TAXII data connector.", + "properties": { + "taxiiClient": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Data type for TAXII connector.", + "type": "object" + } + }, + "type": "object", + "required": [ + "taxiiClient" + ] + }, + "TiTaxiiDataConnectorProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + 
"description": "Threat Intelligence TAXII data connector properties.", + "properties": { + "workspaceId": { + "description": "The workspace id.", + "type": "string" + }, + "friendlyName": { + "description": "The friendly name for the TAXII server.", + "type": "string" + }, + "taxiiServer": { + "description": "The API root for the TAXII server.", + "type": "string" + }, + "collectionId": { + "description": "The collection id of the TAXII server.", + "type": "string" + }, + "userName": { + "description": "The userName for the TAXII server.", + "type": "string" + }, + "password": { + "description": "The password for the TAXII server.", + "type": "string" + }, + "taxiiLookbackPeriod": { + "description": "The lookback period for the TAXII server.", + "format": "date-time", + "type": "string", + "x-nullable": true + }, + "pollingFrequency": { + "description": "The polling frequency for the TAXII server.", + "type": "string", + "x-nullable": true, + "enum": [ + "OnceAMinute", + "OnceAnHour", + "OnceADay" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "PollingFrequency", + "values": [ + { + "description": "Once a minute", + "value": "OnceAMinute" + }, + { + "description": "Once an hour", + "value": "OnceAnHour" + }, + { + "description": "Once a day", + "value": "OnceADay" + } + ] } }, - "type": "object" + "dataTypes": { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes", + "description": "The available data types for Threat Intelligence TAXII data connector." 
+ } }, - "EntityAnalytics": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", + "required": [ + "dataTypes", + "pollingFrequency" + ], + "type": "object" + }, + "TiTaxiiCheckRequirements": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + } + ], + "description": "Threat Intelligence TAXII data connector check requirements", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/EntityAnalyticsProperties", - "description": "EntityAnalytics properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "EntityAnalytics" + "$ref": "#/definitions/TiTaxiiCheckRequirementsProperties", + "description": "Threat Intelligence TAXII check required properties.", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "ThreatIntelligenceTaxii" + }, + "TiTaxiiCheckRequirementsProperties": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorTenantId" + } + ], + "description": "Threat Intelligence TAXII data connector required properties.", + "type": "object" + }, + "ThreatIntelligence": { + "description": "ThreatIntelligence property bag.", + "properties": { + "confidence": { + "description": "Confidence (must be between 0 and 1)", + "format": "double", + "readOnly": true, + "type": "number" + }, + "providerName": { + "description": "Name of the provider from whom this Threat Intelligence information was received", + "readOnly": true, + "type": "string" + }, + "reportLink": { + "description": "Report link", + "readOnly": true, + "type": "string" + }, + "threatDescription": { + "description": "Threat description (free text)", + "readOnly": true, + "type": "string" + }, + "threatName": { + "description": "Threat name (e.g. \"Jedobot malware\")", + "readOnly": true, + "type": "string" + }, + "threatType": { + "description": "Threat type (e.g. 
\"Botnet\")", + "readOnly": true, + "type": "string" + } }, - "EntityAnalyticsProperties": { - "description": "EntityAnalytics property bag.", + "type": "object" + }, + "IPSyncer": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { "properties": { - "isEnabled": { - "description": "Determines whether the setting is enable or disabled.", - "readOnly": true, - "type": "boolean" - } - }, - "type": "object" + "$ref": "#/definitions/IPSyncerSettingsProperties", + "description": "IPSyncer properties", + "x-ms-client-flatten": true + } }, - "Ueba": { - "allOf": [ - { - "$ref": "#/definitions/Settings" - } - ], - "description": "Settings with single toggle.", + "type": "object", + "x-ms-discriminator-value": "IPSyncer" + }, + "IPSyncerSettingsProperties": { + "description": "IPSyncer property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" + } + }, + "type": "object" + }, + "EyesOn": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/UebaProperties", - "description": "Ueba properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Ueba" + "$ref": "#/definitions/EyesOnSettingsProperties", + "description": "EyesOn properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "EyesOn" + }, + "EyesOnSettingsProperties": { + "description": "EyesOn property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" + } }, - "UebaProperties": { - "description": "Ueba property bag.", + "type": "object" + }, + "EntityAnalytics": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } 
+ ], + "description": "Settings with single toggle.", + "properties": { "properties": { - "dataSources": { - "description": "The relevant data sources that enriched by ueba", - "items": { - "$ref": "#/definitions/UebaDataSources" - }, - "type": "array" - } - }, - "type": "object" + "$ref": "#/definitions/EntityAnalyticsProperties", + "description": "EntityAnalytics properties", + "x-ms-client-flatten": true + } }, - "UebaDataSources": { - "description": "The data source that enriched by ueba.", - "enum": [ - "AuditLogs", - "AzureActivity", - "SecurityEvent", - "SigninLogs" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "UebaDataSources" + "type": "object", + "x-ms-discriminator-value": "EntityAnalytics" + }, + "EntityAnalyticsProperties": { + "description": "EntityAnalytics property bag.", + "properties": { + "isEnabled": { + "description": "Determines whether the setting is enable or disabled.", + "readOnly": true, + "type": "boolean" } }, - "UrlEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents a url entity.", + "type": "object" + }, + "Ueba": { + "allOf": [ + { + "$ref": "#/definitions/Settings" + } + ], + "description": "Settings with single toggle.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/UrlEntityProperties", - "description": "Url entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "Url" + "$ref": "#/definitions/UebaProperties", + "description": "Ueba properties", + "x-ms-client-flatten": true + } }, - "UrlEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "Url entity property bag.", - "properties": { - "url": { - "description": "A full URL the entity points to", - "readOnly": true, - "type": "string" - } - }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "Ueba" + }, + "UebaProperties": { + "description": 
"Ueba property bag.", + "properties": { + "dataSources": { + "description": "The relevant data sources that enriched by ueba", + "items": { + "$ref": "#/definitions/UebaDataSources" + }, + "type": "array" + } }, - "IoTDeviceEntity": { - "allOf": [ - { - "$ref": "#/definitions/Entity" - } - ], - "description": "Represents an IoT device entity.", + "type": "object" + }, + "UebaDataSources": { + "description": "The data source that enriched by ueba.", + "enum": [ + "AuditLogs", + "AzureActivity", + "SecurityEvent", + "SigninLogs" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "UebaDataSources" + } + }, + "UrlEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": "Represents a url entity.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/IoTDeviceEntityProperties", - "description": "IoTDevice entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "IoTDevice" + "$ref": "#/definitions/UrlEntityProperties", + "description": "Url entity properties", + "x-ms-client-flatten": true + } }, - "IoTDeviceEntityProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" - } - ], - "description": "IoTDevice entity property bag.", - "properties": { - "deviceId": { - "description": "The ID of the IoT Device in the IoT Hub", - "readOnly": true, - "type": "string" - }, - "deviceName": { - "description": "The friendly name of the device", - "readOnly": true, - "type": "string" - }, - "source": { - "description": "The source of the device", - "readOnly": true, - "type": "string" - }, - "iotSecurityAgentId": { - "description": "The ID of the security agent running on the device", - "format": "uuid", - "readOnly": true, - "type": "string" - }, - "deviceType": { - "description": "The type of the device", - "readOnly": true, - "type": "string" - }, - "vendor": { - "description": "The vendor of the device", - "readOnly": true, - 
"type": "string" - }, - "edgeId": { - "description": "The ID of the edge device", - "readOnly": true, - "type": "string" - }, - "macAddress": { - "description": "The MAC address of the device", - "readOnly": true, - "type": "string" - }, - "model": { - "description": "The model of the device", - "readOnly": true, - "type": "string" - }, - "serialNumber": { - "description": "The serial number of the device", - "readOnly": true, - "type": "string" - }, - "firmwareVersion": { - "description": "The firmware version of the device", - "readOnly": true, - "type": "string" - }, - "operatingSystem": { - "description": "The operating system of the device", - "readOnly": true, - "type": "string" - }, - "iotHubEntityId": { - "description": "The AzureResource entity id of the IoT Hub", - "readOnly": true, - "type": "string" - }, - "hostEntityId": { - "description": "The Host entity id of this device", - "readOnly": true, - "type": "string" - }, - "ipAddressEntityId": { - "description": "The IP entity if of this device", - "readOnly": true, - "type": "string" - }, - "threatIntelligence": { - "description": "A list of TI contexts attached to the IoTDevice entity.", - "items": { - "$ref": "#/definitions/ThreatIntelligence" - }, - "readOnly": true, - "type": "array" - }, - "protocols": { - "description": "A list of protocols of the IoTDevice entity.", - "items": { - "type": "string" - }, - "readOnly": true, - "type": "array" - } - }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "Url" + }, + "UrlEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Url entity property bag.", + "properties": { + "url": { + "description": "A full URL the entity points to", + "readOnly": true, + "type": "string" + } }, - "UserInfo": { - "description": "User information that made some action", + "type": "object" + }, + "IoTDeviceEntity": { + "allOf": [ + { + "$ref": "#/definitions/Entity" + } + ], + "description": 
"Represents an IoT device entity.", + "properties": { "properties": { - "email": { - "description": "The email of the user.", - "readOnly": true, - "type": "string" - }, - "name": { - "description": "The name of the user.", - "readOnly": true, - "type": "string" - }, - "objectId": { - "description": "The object id of the user.", - "format": "uuid", - "type": "string", - "x-nullable": true - } - }, - "type": "object" + "$ref": "#/definitions/IoTDeviceEntityProperties", + "description": "IoTDevice entity properties", + "x-ms-client-flatten": true + } }, - "IncidentInfo": { - "description": "Describes related incident information for the bookmark", - "properties": { - "incidentId": { - "description": "Incident Id", - "type": "string" - }, - "severity": { - "description": "The severity of the incident", - "enum": [ - "Critical", - "High", - "Medium", - "Low", - "Informational" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "CaseSeverity", - "values": [ - { - "description": "Critical severity", - "value": "Critical" - }, - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "title": { - "description": "The title of the incident", - "type": "string" - }, - "relationName": { - "description": "Relation Name", - "type": "string" - } - }, - "type": "object" + "type": "object", + "x-ms-discriminator-value": "IoTDevice" + }, + "IoTDeviceEntityProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "IoTDevice entity property bag.", + "properties": { + "deviceId": { + "description": "The ID of the IoT Device in the IoT Hub", + "readOnly": true, + "type": "string" + }, + "deviceName": { + "description": "The friendly name of the device", + "readOnly": true, + "type": "string" + }, 
+ "source": { + "description": "The source of the device", + "readOnly": true, + "type": "string" + }, + "iotSecurityAgentId": { + "description": "The ID of the security agent running on the device", + "format": "uuid", + "readOnly": true, + "type": "string" + }, + "deviceType": { + "description": "The type of the device", + "readOnly": true, + "type": "string" + }, + "vendor": { + "description": "The vendor of the device", + "readOnly": true, + "type": "string" + }, + "edgeId": { + "description": "The ID of the edge device", + "readOnly": true, + "type": "string" + }, + "macAddress": { + "description": "The MAC address of the device", + "readOnly": true, + "type": "string" + }, + "model": { + "description": "The model of the device", + "readOnly": true, + "type": "string" + }, + "serialNumber": { + "description": "The serial number of the device", + "readOnly": true, + "type": "string" + }, + "firmwareVersion": { + "description": "The firmware version of the device", + "readOnly": true, + "type": "string" + }, + "operatingSystem": { + "description": "The operating system of the device", + "readOnly": true, + "type": "string" + }, + "iotHubEntityId": { + "description": "The AzureResource entity id of the IoT Hub", + "readOnly": true, + "type": "string" + }, + "hostEntityId": { + "description": "The Host entity id of this device", + "readOnly": true, + "type": "string" + }, + "ipAddressEntityId": { + "description": "The IP entity if of this device", + "readOnly": true, + "type": "string" + }, + "threatIntelligence": { + "description": "A list of TI contexts attached to the IoTDevice entity.", + "items": { + "$ref": "#/definitions/ThreatIntelligence" + }, + "readOnly": true, + "type": "array" + }, + "protocols": { + "description": "A list of protocols of the IoTDevice entity.", + "items": { + "type": "string" + }, + "readOnly": true, + "type": "array" + } }, - "WatchlistList": { - "description": "List all the watchlists.", - "properties": { - "nextLink": { - 
"description": "URL to fetch the next set of watchlists.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of watchlist.", - "items": { - "$ref": "#/definitions/Watchlist" - }, - "type": "array" - } - }, - "required": [ - "value" - ] + "type": "object" + }, + "UserInfo": { + "description": "User information that made some action", + "properties": { + "email": { + "description": "The email of the user.", + "readOnly": true, + "type": "string" + }, + "name": { + "description": "The name of the user.", + "readOnly": true, + "type": "string" + }, + "objectId": { + "description": "The object id of the user.", + "format": "uuid", + "type": "string", + "x-nullable": true + } }, - "Watchlist": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a Watchlist in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/WatchlistProperties", - "description": "Watchlist properties", - "x-ms-client-flatten": true + "type": "object" + }, + "IncidentInfo": { + "description": "Describes related incident information for the bookmark", + "properties": { + "incidentId": { + "description": "Incident Id", + "type": "string" + }, + "severity": { + "description": "The severity of the incident", + "enum": [ + "Critical", + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "CaseSeverity", + "values": [ + { + "description": "Critical severity", + "value": "Critical" + }, + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] } }, - "type": "object" - }, - "WatchlistProperties": { - "description": "Describes watchlist properties", - "properties": { - "watchlistId": { - 
"description": "The id (a Guid) of the watchlist", - "type": "string" - }, - "displayName": { - "description": "The display name of the watchlist", - "type": "string" - }, - "provider": { - "description": "The provider of the watchlist", - "type": "string" - }, - "source": { - "description": "The source of the watchlist", - "enum": [ - "Local file", - "Remote storage" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "source" - } - }, - "created": { - "description": "The time the watchlist was created", - "format": "date-time", - "type": "string" - }, - "updated": { - "description": "The last time the watchlist was updated", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist", - "type": "object" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist", - "type": "object" - }, - "description": { - "description": "A description of the watchlist", - "type": "string" - }, - "watchlistType": { - "description": "The type of the watchlist", - "type": "string" - }, - "watchlistAlias": { - "description": "The alias of the watchlist", - "type": "string" - }, - "isDeleted": { - "description": "A flag that indicates if the watchlist is deleted or not", - "type": "boolean" - }, - "labels": { - "description": "List of labels relevant to this watchlist", - "items": { - "$ref": "#/definitions/Label" - }, - "type": "array" - }, - "defaultDuration": { - "description": "The default duration of a watchlist (in ISO 8601 duration format)", - "format": "duration", - "type": "string" - }, - "tenantId": { - "description": "The tenantId where the watchlist belongs to", - "type": "string" - }, - "numberOfLinesToSkip": { - "description": "The number of lines in a csv/tsv content to skip before the header", - "type": "integer", - "format": "int32" - }, - "rawContent": { - "description": "The 
raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", - "type": "string" - }, - "contentType": { - "description": "The content type of the raw content. Example : text/csv or text/tsv ", - "type": "string" - }, - "uploadStatus": { - "description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", - "type": "string" - }, - "watchlistItemsCount": { - "description": "The number of Watchlist Items in the Watchlist", - "type": "integer", - "format": "int32" - } + "title": { + "description": "The title of the incident", + "type": "string" }, - "required": [ - "displayName", - "source", - "provider" - ], - "type": "object" + "relationName": { + "description": "Relation Name", + "type": "string" + } }, - "WatchlistItemList": { - "description": "List all the watchlist items.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of watchlist item.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of watchlist items.", - "items": { - "$ref": "#/definitions/WatchlistItem" - }, - "type": "array" - } - }, - "required": [ - "value" - ] + "type": "object" + }, + "WatchlistList": { + "description": "List all the watchlists.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlists.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist.", + "items": { + "$ref": "#/definitions/Watchlist" + }, + "type": "array" + } }, - "WatchlistItem": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents a Watchlist item in Azure Security Insights.", + "required": [ + "value" + ] + }, + "Watchlist": { + "allOf": [ + { + "$ref": 
"../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist in Azure Security Insights.", + "properties": { "properties": { - "properties": { - "$ref": "#/definitions/WatchlistItemProperties", - "description": "Watchlist Item properties", - "x-ms-client-flatten": true - } - }, - "type": "object" + "$ref": "#/definitions/WatchlistProperties", + "description": "Watchlist properties", + "x-ms-client-flatten": true + } }, - "WatchlistItemProperties": { - "description": "Describes watchlist item properties", - "properties": { - "watchlistItemType": { - "description": "The type of the watchlist item", - "type": "string" - }, - "watchlistItemId": { - "description": "The id (a Guid) of the watchlist item", - "type": "string" - }, - "tenantId": { - "description": "The tenantId to which the watchlist item belongs to", - "type": "string" - }, - "isDeleted": { - "description": "A flag that indicates if the watchlist item is deleted or not", - "type": "boolean" - }, - "created": { - "description": "The time the watchlist item was created", - "format": "date-time", - "type": "string" - }, - "updated": { - "description": "The last time the watchlist item was updated", - "format": "date-time", - "type": "string" - }, - "createdBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that created the watchlist item", - "type": "object" - }, - "updatedBy": { - "$ref": "#/definitions/UserInfo", - "description": "Describes a user that updated the watchlist item", - "type": "object" - }, - "itemsKeyValue": { - "description": "key-value pairs for a watchlist item", - "type": "object" - }, - "entityMapping": { - "description": "key-value pairs for a watchlist item entity mapping", - "type": "object" - } - }, - "required": [ - "itemsKeyValue" - ], - "type": "object" + "type": "object" + }, + "WatchlistProperties": { + "description": "Describes watchlist properties", + "properties": { + "watchlistId": { + 
"description": "The id (a Guid) of the watchlist", + "type": "string" + }, + "displayName": { + "description": "The display name of the watchlist", + "type": "string" + }, + "provider": { + "description": "The provider of the watchlist", + "type": "string" + }, + "source": { + "description": "The source of the watchlist", + "enum": [ + "Local file", + "Remote storage" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "source" + } + }, + "created": { + "description": "The time the watchlist was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist", + "type": "object" + }, + "description": { + "description": "A description of the watchlist", + "type": "string" + }, + "watchlistType": { + "description": "The type of the watchlist", + "type": "string" + }, + "watchlistAlias": { + "description": "The alias of the watchlist", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist is deleted or not", + "type": "boolean" + }, + "labels": { + "description": "List of labels relevant to this watchlist", + "items": { + "$ref": "#/definitions/Label" + }, + "type": "array" + }, + "defaultDuration": { + "description": "The default duration of a watchlist (in ISO 8601 duration format)", + "format": "duration", + "type": "string" + }, + "tenantId": { + "description": "The tenantId where the watchlist belongs to", + "type": "string" + }, + "numberOfLinesToSkip": { + "description": "The number of lines in a csv/tsv content to skip before the header", + "type": "integer", + "format": "int32" + }, + "rawContent": { + "description": "The 
raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint", + "type": "string" + }, + "contentType": { + "description": "The content type of the raw content. Example : text/csv or text/tsv ", + "type": "string" + }, + "uploadStatus": { + "description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted", + "type": "string" + }, + "watchlistItemsCount": { + "description": "The number of Watchlist Items in the Watchlist", + "type": "integer", + "format": "int32" + } + }, + "required": [ + "displayName", + "source", + "provider" + ], + "type": "object" + }, + "WatchlistItemList": { + "description": "List all the watchlist items.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of watchlist item.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of watchlist items.", + "items": { + "$ref": "#/definitions/WatchlistItem" + }, + "type": "array" + } }, - "ThreatIntelligenceInformationList": { - "description": "List of all the threat intelligence information objects.", + "required": [ + "value" + ] + }, + "WatchlistItem": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + } + ], + "description": "Represents a Watchlist item in Azure Security Insights.", + "properties": { "properties": { - "nextLink": { - "description": "URL to fetch the next set of information objects.", - "readOnly": true, - "type": "string" - }, - "value": { - "description": "Array of threat intelligence information objects.", - "items": { - "$ref": "#/definitions/ThreatIntelligenceInformation" - }, - "type": "array" - } - }, - "required": [ - "value" - ] + "$ref": "#/definitions/WatchlistItemProperties", + "description": "Watchlist Item properties", + "x-ms-client-flatten": true + } }, - 
"ThreatIntelligenceInformation": { - "allOf": [ - { - "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" - }, - { - "$ref": "#/definitions/ThreatIntelligenceResourceKind" - } - ], - "description": "Threat intelligence information object.", - "discriminator": "kind", - "type": "object", - "required": [ - "kind" - ] + "type": "object" + }, + "WatchlistItemProperties": { + "description": "Describes watchlist item properties", + "properties": { + "watchlistItemType": { + "description": "The type of the watchlist item", + "type": "string" + }, + "watchlistItemId": { + "description": "The id (a Guid) of the watchlist item", + "type": "string" + }, + "tenantId": { + "description": "The tenantId to which the watchlist item belongs to", + "type": "string" + }, + "isDeleted": { + "description": "A flag that indicates if the watchlist item is deleted or not", + "type": "boolean" + }, + "created": { + "description": "The time the watchlist item was created", + "format": "date-time", + "type": "string" + }, + "updated": { + "description": "The last time the watchlist item was updated", + "format": "date-time", + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that created the watchlist item", + "type": "object" + }, + "updatedBy": { + "$ref": "#/definitions/UserInfo", + "description": "Describes a user that updated the watchlist item", + "type": "object" + }, + "itemsKeyValue": { + "description": "key-value pairs for a watchlist item", + "type": "object" + }, + "entityMapping": { + "description": "key-value pairs for a watchlist item entity mapping", + "type": "object" + } }, - "ThreatIntelligenceIndicatorModel": { - "allOf": [ - { + "required": [ + "itemsKeyValue" + ], + "type": "object" + }, + "ThreatIntelligenceInformationList": { + "description": "List of all the threat intelligence information objects.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of 
information objects.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of threat intelligence information objects.", + "items": { "$ref": "#/definitions/ThreatIntelligenceInformation" - } - ], - "description": "Threat intelligence indicator entity.", - "properties": { - "properties": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", - "description": "Threat Intelligence Entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "indicator" - }, - "ThreatIntelligenceIndicatorModelForRequestBody": { - "allOf": [ - { - "$ref": "#/definitions/ThreatIntelligenceResourceKind" - } - ], - "description": "Threat intelligence indicator entity used in request body.", - "properties": { - "etag": { - "description": "Etag of the azure resource", - "type": "string" }, - "properties": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", - "description": "Threat Intelligence Entity properties", - "x-ms-client-flatten": true - } - }, - "type": "object", - "x-ms-discriminator-value": "indicator" + "type": "array" + } }, - "ThreatIntelligenceResourceKind": { - "description": "Describes an entity with kind.", + "required": [ + "value" + ] + }, + "ThreatIntelligenceInformation": { + "allOf": [ + { + "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag" + }, + { + "$ref": "#/definitions/ThreatIntelligenceResourceKind" + } + ], + "description": "Threat intelligence information object.", + "discriminator": "kind", + "type": "object", + "required": [ + "kind" + ] + }, + "ThreatIntelligenceIndicatorModel": { + "allOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceInformation" + } + ], + "description": "Threat intelligence indicator entity.", + "properties": { "properties": { - "kind": { - "$ref": "#/definitions/ThreatIntelligenceResourceInnerKind", - "description": "The kind of the entity." 
- } + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", + "x-ms-client-flatten": true + } + }, + "type": "object", + "x-ms-discriminator-value": "indicator" + }, + "ThreatIntelligenceIndicatorModelForRequestBody": { + "allOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceResourceKind" + } + ], + "description": "Threat intelligence indicator entity used in request body.", + "properties": { + "etag": { + "description": "Etag of the azure resource", + "type": "string" }, - "required": [ - "kind" - ], - "type": "object" + "properties": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties", + "description": "Threat Intelligence Entity properties", + "x-ms-client-flatten": true + } }, - "ThreatIntelligenceResourceInnerKind": { - "description": "The kind of the threat intelligence entity", - "enum": [ - "indicator" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ThreatIntelligenceResourceKind", - "values": [ - { - "description": "Entity represents threat intelligence indicator in the system.", - "value": "indicator" - } - ] + "type": "object", + "x-ms-discriminator-value": "indicator" + }, + "ThreatIntelligenceResourceKind": { + "description": "Describes an entity with kind.", + "properties": { + "kind": { + "$ref": "#/definitions/ThreatIntelligenceResourceInnerKind", + "description": "The kind of the entity." 
} }, - "ThreatIntelligenceIndicatorProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityCommonProperties" + "required": [ + "kind" + ], + "type": "object" + }, + "ThreatIntelligenceResourceInnerKind": { + "description": "The kind of the threat intelligence entity", + "enum": [ + "indicator" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceResourceKind", + "values": [ + { + "description": "Entity represents threat intelligence indicator in the system.", + "value": "indicator" } - ], - "description": "Describes threat intelligence entity properties", - "properties": { - "threatIntelligenceTags": { - "description": "List of tags", - "items": { - "description": "tag", - "type": "string" - }, - "type": "array" - }, - "lastUpdatedTimeUtc": { - "description": "Last updated time in UTC", - "type": "string" - }, - "source": { - "description": "Source of a threat intelligence entity", - "type": "string" - }, - "displayName": { - "description": "Display name of a threat intelligence entity", - "type": "string" - }, - "description": { - "description": "Description of a threat intelligence entity", - "type": "string" - }, - "indicatorTypes": { - "description": "Indicator types of threat intelligence entities", - "items": { - "description": "Indicator type of a threat intelligence entity", - "type": "string" - }, - "type": "array" - }, - "pattern": { - "description": "Pattern of a threat intelligence entity", - "type": "string" - }, - "patternType": { - "description": "Pattern type of a threat intelligence entity", - "type": "string" - }, - "patternVersion": { - "description": "Pattern version of a threat intelligence entity", - "type": "string" - }, - "killChainPhases": { - "description": "Kill chain phases", - "items": { - "description": "Kill chain phase", - "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" - }, - "type": "array" - }, - "parsedPattern": { - "description": "Parsed patterns", - "items": { - 
"description": "Parsed pattern", - "$ref": "#/definitions/ThreatIntelligenceParsedPattern" - }, - "type": "array" - }, - "externalId": { - "description": "External ID of threat intelligence entity", - "type": "string" - }, - "createdByRef": { - "description": "Created by reference of threat intelligence entity", - "type": "string" - }, - "defanged": { - "description": "Is threat intelligence entity defanged", - "type": "boolean" - }, - "externalLastUpdatedTimeUtc": { - "description": "External last updated time in UTC", - "type": "string" - }, - "externalReferences": { - "description": "External References", - "items": { - "description": "external_reference", - "$ref": "#/definitions/ThreatIntelligenceExternalReference" - }, - "type": "array" - }, - "granularMarkings": { - "description": "Granular Markings", - "items": { - "description": "Granular marking", - "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" - }, - "type": "array" - }, - "labels": { - "description": "Labels of threat intelligence entity", - "items": { - "description": "label", - "type": "string" - }, - "type": "array" - }, - "revoked": { - "description": "Is threat intelligence entity revoked", - "type": "boolean" - }, - "confidence": { - "description": "Confidence of threat intelligence entity", - "type": "integer", - "format": "int32" - }, - "objectMarkingRefs": { - "description": "Threat intelligence entity object marking references", - "items": { - "description": "Threat intelligence entity object marking reference", - "type": "string" - }, - "type": "array" - }, - "language": { - "description": "Language of threat intelligence entity", - "type": "string" - }, - "threatTypes": { - "description": "Threat types", - "items": { - "description": "Threat type", - "type": "string" - }, - "type": "array" - }, - "validFrom": { - "description": "Valid from", - "type": "string" - }, - "validUntil": { - "description": "Valid until", - "type": "string" - }, - "created": { - "description": 
"Created by", - "type": "string" - }, - "modified": { - "description": "Modified by", + ] + } + }, + "ThreatIntelligenceIndicatorProperties": { + "allOf": [ + { + "$ref": "#/definitions/EntityCommonProperties" + } + ], + "description": "Describes threat intelligence entity properties", + "properties": { + "threatIntelligenceTags": { + "description": "List of tags", + "items": { + "description": "tag", "type": "string" }, - "extensions": { - "description": "Extensions map", - "type": "object", - "additionalProperties": {} - } + "type": "array" }, - "type": "object" - }, - "ThreatIntelligenceKillChainPhase": { - "description": "Describes threat kill chain phase entity", - "properties": { - "killChainName": { - "description": "Kill chainName name", - "type": "string" - }, - "phaseName": { - "description": "Phase name", - "type": "string" - } + "lastUpdatedTimeUtc": { + "description": "Last updated time in UTC", + "type": "string" }, - "type": "object" - }, - "ThreatIntelligenceParsedPattern": { - "description": "Describes parsed pattern entity", - "properties": { - "patternTypeKey": { - "description": "Pattern type key", - "type": "string" - }, - "patternTypeValues": { - "description": "Pattern type keys", - "items": { - "description": "Pattern type key", - "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" - }, - "type": "array" - } + "source": { + "description": "Source of a threat intelligence entity", + "type": "string" }, - "type": "object" - }, - "ThreatIntelligenceParsedPatternTypeValue": { - "description": "Describes threat kill chain phase entity", - "properties": { - "valueType": { - "description": "Type of the value", - "type": "string" - }, - "value": { - "description": "Value of parsed pattern", - "type": "string" - } + "displayName": { + "description": "Display name of a threat intelligence entity", + "type": "string" }, - "type": "object" - }, - "ThreatIntelligenceGranularMarkingModel": { - "description": "Describes threat granular marking 
model entity", - "properties": { - "language": { - "description": "Language granular marking model", - "type": "string" - }, - "markingRef": { - "description": "marking reference granular marking model", - "type": "integer", - "format": "int32" - }, - "selectors": { - "description": "granular marking model selectors", - "items": { - "description": "granular marking model selector", - "type": "string" - }, - "type": "array" - } + "description": { + "description": "Description of a threat intelligence entity", + "type": "string" }, - "type": "object" - }, - "ThreatIntelligenceExternalReference": { - "description": "Describes external reference", - "properties": { - "description": { - "description": "External reference description", - "type": "string" - }, - "externalId": { - "description": "External reference ID", - "type": "string" - }, - "sourceName": { - "description": "External reference source name", + "indicatorTypes": { + "description": "Indicator types of threat intelligence entities", + "items": { + "description": "Indicator type of a threat intelligence entity", "type": "string" }, - "url": { - "description": "External reference URL", - "type": "string" + "type": "array" + }, + "pattern": { + "description": "Pattern of a threat intelligence entity", + "type": "string" + }, + "patternType": { + "description": "Pattern type of a threat intelligence entity", + "type": "string" + }, + "patternVersion": { + "description": "Pattern version of a threat intelligence entity", + "type": "string" + }, + "killChainPhases": { + "description": "Kill chain phases", + "items": { + "description": "Kill chain phase", + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" }, - "hashes": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "External reference hashes" - } + "type": "array" }, - "type": "object" - }, - "ThreatIntelligenceFilteringCriteria": { - "description": "Filtering criteria for querying threat intelligence 
indicators.", - "properties": { - "pageSize": { - "description": "Page size", - "type": "integer", - "format": "int32" + "parsedPattern": { + "description": "Parsed patterns", + "items": { + "description": "Parsed pattern", + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" }, - "minConfidence": { - "description": "Minimum confidence.", - "type": "integer", - "format": "int32" + "type": "array" + }, + "externalId": { + "description": "External ID of threat intelligence entity", + "type": "string" + }, + "createdByRef": { + "description": "Created by reference of threat intelligence entity", + "type": "string" + }, + "defanged": { + "description": "Is threat intelligence entity defanged", + "type": "boolean" + }, + "externalLastUpdatedTimeUtc": { + "description": "External last updated time in UTC", + "type": "string" + }, + "externalReferences": { + "description": "External References", + "items": { + "description": "external_reference", + "$ref": "#/definitions/ThreatIntelligenceExternalReference" }, - "maxConfidence": { - "description": "Maximum confidence.", - "type": "integer", - "format": "int32" + "type": "array" + }, + "granularMarkings": { + "description": "Granular Markings", + "items": { + "description": "Granular marking", + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" }, - "minValidUntil": { - "description": "Start time for ValidUntil filter.", + "type": "array" + }, + "labels": { + "description": "Labels of threat intelligence entity", + "items": { + "description": "label", "type": "string" }, - "maxValidUntil": { - "description": "End time for ValidUntil filter.", + "type": "array" + }, + "revoked": { + "description": "Is threat intelligence entity revoked", + "type": "boolean" + }, + "confidence": { + "description": "Confidence of threat intelligence entity", + "type": "integer", + "format": "int32" + }, + "objectMarkingRefs": { + "description": "Threat intelligence entity object marking references", + "items": { + 
"description": "Threat intelligence entity object marking reference", "type": "string" }, - "includeDisabled": { - "description": "Parameter to include/exclude disabled indicators.", - "type": "boolean" - }, - "sortBy": { - "description": "Columns to sort by and sorting order", - "items": { - "description": "Sort By", - "$ref": "#/definitions/ThreatIntelligenceSortingCriteria" - }, - "type": "array" - }, - "sources": { - "description": "Sources of threat intelligence indicators", - "items": { - "description": "Source", - "type": "string" - }, - "type": "array" - }, - "patternTypes": { - "description": "Pattern types", - "items": { - "description": "Pattern type", - "type": "string" - }, - "type": "array" - }, - "threatTypes": { - "description": "Threat types of threat intelligence indicators", - "items": { - "description": "Threat type of a threat intelligence indicator", - "type": "string" - }, - "type": "array" - }, - "ids": { - "description": "Ids of threat intelligence indicators", - "items": { - "description": "Id of a threat intelligence indicator", - "type": "string" - }, - "type": "array" - }, - "keywords": { - "description": "Keywords for searching threat intelligence indicators", - "items": { - "description": "keyword for searching threat intelligence indicators", - "type": "string" - }, - "type": "array" - }, - "skipToken": { - "description": "Skip token.", - "type": "string" - } + "type": "array" }, - "type": "object" - }, - "ThreatIntelligenceSortingCriteria": { - "description": "List of available columns for sorting", - "properties": { - "itemKey": { - "description": "Column name", + "language": { + "description": "Language of threat intelligence entity", + "type": "string" + }, + "threatTypes": { + "description": "Threat types", + "items": { + "description": "Threat type", "type": "string" }, - "sortOrder": { - "$ref": "#/definitions/ThreatIntelligenceSortingOrder", - "description": "Sorting order (ascending/descending/unsorted)." 
- } + "type": "array" }, - "type": "object" - }, - "ThreatIntelligenceSortingOrder": { - "description": "Sorting order (ascending/descending/unsorted).", - "enum": [ - "unsorted", - "ascending", - "descending" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "ThreatIntelligenceSortingCriteria", - "values": [ - { - "value": "unsorted" - }, - { - "value": "ascending" - }, - { - "value": "descending" - } - ] + "validFrom": { + "description": "Valid from", + "type": "string" + }, + "validUntil": { + "description": "Valid until", + "type": "string" + }, + "created": { + "description": "Created by", + "type": "string" + }, + "modified": { + "description": "Modified by", + "type": "string" + }, + "extensions": { + "description": "Extensions map", + "type": "object", + "additionalProperties": {} } }, - "ThreatIntelligenceAppendTags": { - "description": "Array of tags to be appended to the threat intelligence indicator.", - "properties": { - "threatIntelligenceTags": { - "description": "List of tags to be appended.", - "items": { - "description": "parameter", - "type": "string" - }, - "type": "array" - } - }, - "type": "object" + "type": "object" + }, + "ThreatIntelligenceKillChainPhase": { + "description": "Describes threat kill chain phase entity", + "properties": { + "killChainName": { + "description": "Kill chainName name", + "type": "string" + }, + "phaseName": { + "description": "Phase name", + "type": "string" + } }, - "ThreatIntelligenceMetricsList": { - "description": "List of all the threat intelligence metric fields (type/threat type/source).", - "properties": { - "value": { - "description": "Array of threat intelligence metric fields (type/threat type/source).", - "items": { - "$ref": "#/definitions/ThreatIntelligenceMetrics" - }, - "type": "array" - } - }, - "required": [ - "value" - ] + "type": "object" + }, + "ThreatIntelligenceParsedPattern": { + "description": "Describes parsed pattern entity", + "properties": { + 
"patternTypeKey": { + "description": "Pattern type key", + "type": "string" + }, + "patternTypeValues": { + "description": "Pattern type keys", + "items": { + "description": "Pattern type key", + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + }, + "type": "array" + } }, - "ThreatIntelligenceMetrics": { - "description": "Threat intelligence metrics.", - "properties": { - "properties": { - "description": "Threat intelligence metrics.", - "$ref": "#/definitions/ThreatIntelligenceMetric" - } + "type": "object" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "description": "Describes threat kill chain phase entity", + "properties": { + "valueType": { + "description": "Type of the value", + "type": "string" + }, + "value": { + "description": "Value of parsed pattern", + "type": "string" } }, - "ThreatIntelligenceMetric": { - "description": "Describes threat intelligence metric", - "properties": { - "lastUpdatedTimeUtc": { - "description": "Last updated indicator metric", + "type": "object" + }, + "ThreatIntelligenceGranularMarkingModel": { + "description": "Describes threat granular marking model entity", + "properties": { + "language": { + "description": "Language granular marking model", + "type": "string" + }, + "markingRef": { + "description": "marking reference granular marking model", + "type": "integer", + "format": "int32" + }, + "selectors": { + "description": "granular marking model selectors", + "items": { + "description": "granular marking model selector", "type": "string" }, - "threatTypeMetrics": { - "description": "Threat type metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" + "type": "array" + } + }, + "type": "object" + }, + "ThreatIntelligenceExternalReference": { + "description": "Describes external reference", + "properties": { + "description": { + "description": "External reference description", + "type": "string" + }, + "externalId": { + 
"description": "External reference ID", + "type": "string" + }, + "sourceName": { + "description": "External reference source name", + "type": "string" + }, + "url": { + "description": "External reference URL", + "type": "string" + }, + "hashes": { + "type": "object", + "additionalProperties": { + "type": "string" }, - "patternTypeMetrics": { - "description": "Pattern type metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" + "description": "External reference hashes" + } + }, + "type": "object" + }, + "ThreatIntelligenceFilteringCriteria": { + "description": "Filtering criteria for querying threat intelligence indicators.", + "properties": { + "pageSize": { + "description": "Page size", + "type": "integer", + "format": "int32" + }, + "minConfidence": { + "description": "Minimum confidence.", + "type": "integer", + "format": "int32" + }, + "maxConfidence": { + "description": "Maximum confidence.", + "type": "integer", + "format": "int32" + }, + "minValidUntil": { + "description": "Start time for ValidUntil filter.", + "type": "string" + }, + "maxValidUntil": { + "description": "End time for ValidUntil filter.", + "type": "string" + }, + "includeDisabled": { + "description": "Parameter to include/exclude disabled indicators.", + "type": "boolean" + }, + "sortBy": { + "description": "Columns to sort by and sorting order", + "items": { + "description": "Sort By", + "$ref": "#/definitions/ThreatIntelligenceSortingCriteria" }, - "sourceMetrics": { - "description": "Source metrics", - "items": { - "description": "parameter", - "$ref": "#/definitions/ThreatIntelligenceMetricEntity" - }, - "type": "array" - } + "type": "array" }, - "type": "object" - }, - "ThreatIntelligenceMetricEntity": { - "description": "Describes threat intelligence metric entity", - "properties": { - "metricName": { - "description": "Metric name", + "sources": { + "description": "Sources of threat intelligence 
indicators", + "items": { + "description": "Source", "type": "string" }, - "metricValue": { - "description": "Metric value", - "type": "integer", - "format": "int32" - } + "type": "array" }, - "type": "object" - }, - "EntityGetInsightsParameters": { - "description": "The parameters required to execute insights operation on the given entity.", - "type": "object", - "properties": { - "startTime": { - "description": "The start timeline date, so the results returned are after this date.", - "format": "date-time", + "patternTypes": { + "description": "Pattern types", + "items": { + "description": "Pattern type", "type": "string" }, - "endTime": { - "description": "The end timeline date, so the results returned are before this date.", - "format": "date-time", + "type": "array" + }, + "threatTypes": { + "description": "Threat types of threat intelligence indicators", + "items": { + "description": "Threat type of a threat intelligence indicator", "type": "string" }, - "addDefaultExtendedTimeRange": { - "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", - "type": "boolean" + "type": "array" + }, + "ids": { + "description": "Ids of threat intelligence indicators", + "items": { + "description": "Id of a threat intelligence indicator", + "type": "string" }, - "insightQueryIds": { - "description": "List of Insights Query Id. If empty, default value is all insights of this entity", - "type": "array", - "items": { - "description": "Insight Query Id (GUID)", - "format": "uuid", - "type": "string" - } - } + "type": "array" }, - "required": [ - "startTime", - "endTime" - ] - }, - "EntityGetInsightsResponse": { - "description": "The Get Insights result operation response.", - "properties": { - "metaData": { - "$ref": "#/definitions/GetInsightsResultsMetadata", - "description": "The metadata from the get insights operation results." 
+ "keywords": { + "description": "Keywords for searching threat intelligence indicators", + "items": { + "description": "keyword for searching threat intelligence indicators", + "type": "string" }, - "value": { - "description": "The insights result values.", - "items": { - "$ref": "#/definitions/EntityInsightItem" - }, - "type": "array" - } + "type": "array" + }, + "skipToken": { + "description": "Skip token.", + "type": "string" } }, - "GetInsightsResultsMetadata": { - "description": "Get Insights result metadata.", - "properties": { - "totalCount": { - "description": "the total items found for the insights request", - "type": "integer", - "format": "int32" - }, - "errors": { - "description": "information about the failed queries", - "items": { - "$ref": "#/definitions/GetInsightsError" - }, - "type": "array" - } - }, - "required": [ - "totalCount" - ], - "type": "object" + "type": "object" + }, + "ThreatIntelligenceSortingCriteria": { + "description": "List of available columns for sorting", + "properties": { + "itemKey": { + "description": "Column name", + "type": "string" + }, + "sortOrder": { + "$ref": "#/definitions/ThreatIntelligenceSortingOrder", + "description": "Sorting order (ascending/descending/unsorted)." 
+ } }, - "GetInsightsError": { - "description": "GetInsights Query Errors.", - "properties": { - "kind": { - "description": "the query kind", - "type": "string", - "enum": [ - "Insight" - ] + "type": "object" + }, + "ThreatIntelligenceSortingOrder": { + "description": "Sorting order (ascending/descending/unsorted).", + "enum": [ + "unsorted", + "ascending", + "descending" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "ThreatIntelligenceSortingCriteria", + "values": [ + { + "value": "unsorted" }, - "queryId": { - "description": "the query id", - "type": "string" + { + "value": "ascending" }, - "errorMessage": { - "description": "the error message", - "type": "string" - } - }, - "required": [ - "kind", - "errorMessage" - ], - "type": "object" - }, - "EntityQueryItem": { - "description": "An abstract Query item for entity", - "type": "object", - "discriminator": "kind", - "allOf": [ { - "$ref": "#/definitions/EntityQueryKind" + "value": "descending" } - ], - "properties": { - "id": { - "description": "Query Template ARM ID", - "type": "string", - "readOnly": true - }, - "name": { - "description": "Query Template ARM Name", + ] + } + }, + "ThreatIntelligenceAppendTags": { + "description": "Array of tags to be appended to the threat intelligence indicator.", + "properties": { + "threatIntelligenceTags": { + "description": "List of tags to be appended.", + "items": { + "description": "parameter", "type": "string" }, - "type": { - "description": "ARM Type", + "type": "array" + } + }, + "type": "object" + }, + "ThreatIntelligenceMetricsList": { + "description": "List of all the threat intelligence metric fields (type/threat type/source).", + "properties": { + "value": { + "description": "Array of threat intelligence metric fields (type/threat type/source).", + "items": { + "$ref": "#/definitions/ThreatIntelligenceMetrics" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "ThreatIntelligenceMetrics": { + "description": 
"Threat intelligence metrics.", + "properties": { + "properties": { + "description": "Threat intelligence metrics.", + "$ref": "#/definitions/ThreatIntelligenceMetric" + } + } + }, + "ThreatIntelligenceMetric": { + "description": "Describes threat intelligence metric", + "properties": { + "lastUpdatedTimeUtc": { + "description": "Last updated indicator metric", + "type": "string" + }, + "threatTypeMetrics": { + "description": "Threat type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" + }, + "patternTypeMetrics": { + "description": "Pattern type metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" + }, + "sourceMetrics": { + "description": "Source metrics", + "items": { + "description": "parameter", + "$ref": "#/definitions/ThreatIntelligenceMetricEntity" + }, + "type": "array" + } + }, + "type": "object" + }, + "ThreatIntelligenceMetricEntity": { + "description": "Describes threat intelligence metric entity", + "properties": { + "metricName": { + "description": "Metric name", + "type": "string" + }, + "metricValue": { + "description": "Metric value", + "type": "integer", + "format": "int32" + } + }, + "type": "object" + }, + "EntityGetInsightsParameters": { + "description": "The parameters required to execute insights operation on the given entity.", + "type": "object", + "properties": { + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "addDefaultExtendedTimeRange": { + "description": "Indicates if query time range should be extended with default time range of the query. 
Default value is false", + "type": "boolean" + }, + "insightQueryIds": { + "description": "List of Insights Query Id. If empty, default value is all insights of this entity", + "type": "array", + "items": { + "description": "Insight Query Id (GUID)", + "format": "uuid", "type": "string" } + } + }, + "required": [ + "startTime", + "endTime" + ] + }, + "EntityGetInsightsResponse": { + "description": "The Get Insights result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/GetInsightsResultsMetadata", + "description": "The metadata from the get insights operation results." + }, + "value": { + "description": "The insights result values.", + "items": { + "$ref": "#/definitions/EntityInsightItem" + }, + "type": "array" + } + } + }, + "GetInsightsResultsMetadata": { + "description": "Get Insights result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the insights request", + "type": "integer", + "format": "int32" + }, + "errors": { + "description": "information about the failed queries", + "items": { + "$ref": "#/definitions/GetInsightsError" + }, + "type": "array" + } + }, + "required": [ + "totalCount" + ], + "type": "object" + }, + "GetInsightsError": { + "description": "GetInsights Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "type": "string", + "enum": [ + "Insight" + ] }, - "required": [ - "kind" - ] + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } }, - "EntityQueryItemProperties": { - "description": "An properties abstract Query item for entity", - "type": "object", - "properties": { - "dataTypes": { - "description": "Data types for template", - "type": "array", - "items": { - "properties": { - "dataType": { - "description": "Data type name", - "type": "string" - } + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + 
"EntityQueryItem": { + "description": "An abstract Query item for entity", + "type": "object", + "discriminator": "kind", + "allOf": [ + { + "$ref": "#/definitions/EntityQueryKind" + } + ], + "properties": { + "id": { + "description": "Query Template ARM ID", + "type": "string", + "readOnly": true + }, + "name": { + "description": "Query Template ARM Name", + "type": "string" + }, + "type": { + "description": "ARM Type", + "type": "string" + } + }, + "required": [ + "kind" + ] + }, + "EntityQueryItemProperties": { + "description": "An properties abstract Query item for entity", + "type": "object", + "properties": { + "dataTypes": { + "description": "Data types for template", + "type": "array", + "items": { + "properties": { + "dataType": { + "description": "Data type name", + "type": "string" } } - }, - "inputEntityType": { - "description": "The type of the entity", - "$ref": "#/definitions/EntityInnerType" - }, - "requiredInputFieldsSets": { - "description": "Data types for template", + } + }, + "inputEntityType": { + "description": "The type of the entity", + "$ref": "#/definitions/EntityInnerType" + }, + "requiredInputFieldsSets": { + "description": "Data types for template", + "type": "array", + "items": { "type": "array", "items": { - "type": "array", - "items": { - "type": "string" - } + "type": "string" } - }, - "entitiesFilter": { - "description": "The query applied only to entities matching to all filters", - "type": "object" } + }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object" } - }, - "EntityInsightItem": { - "description": "Entity insight Item.", - "type": "object", - "properties": { - "queryId": { - "type": "string", - "description": "The query id of the insight" - }, - "queryTimeInterval": { - "type": "object", - "description": "The Time interval that the query actually executed on.", - "properties": { - "startTime": { - "format": "date-time", - "type": "string", - 
"description": "Insight query start time" - }, - "endTime": { - "format": "date-time", - "type": "string", - "description": "Insight query end time" - } + } + }, + "EntityInsightItem": { + "description": "Entity insight Item.", + "type": "object", + "properties": { + "queryId": { + "type": "string", + "description": "The query id of the insight" + }, + "queryTimeInterval": { + "type": "object", + "description": "The Time interval that the query actually executed on.", + "properties": { + "startTime": { + "format": "date-time", + "type": "string", + "description": "Insight query start time" + }, + "endTime": { + "format": "date-time", + "type": "string", + "description": "Insight query end time" } - }, - "tableQueryResults": { + } + }, + "tableQueryResults": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + }, + "chartQueryResults": { + "type": "array", + "description": "Query results for table insights query.", + "items": { "$ref": "#/definitions/InsightsTableResult", "description": "Query results for table insights query." - }, - "chartQueryResults": { - "type": "array", - "description": "Query results for table insights query.", - "items": { - "$ref": "#/definitions/InsightsTableResult", - "description": "Query results for table insights query." 
- } } } - }, - "InsightsTableResult": { - "type": "object", - "description": "Query results for table insights query.", - "properties": { - "columns": { - "type": "array", - "description": "Columns Metadata of the table", - "items": { - "properties": { - "type": { - "type": "string", - "description": "the type of the colum" - }, - "name": { - "type": "string", - "description": "the name of the colum" - } + } + }, + "InsightsTableResult": { + "type": "object", + "description": "Query results for table insights query.", + "properties": { + "columns": { + "type": "array", + "description": "Columns Metadata of the table", + "items": { + "properties": { + "type": { + "type": "string", + "description": "the type of the colum" + }, + "name": { + "type": "string", + "description": "the name of the colum" } } - }, - "rows": { + } + }, + "rows": { + "type": "array", + "description": "Rows data of the table", + "items": { "type": "array", - "description": "Rows data of the table", + "description": "Single row of data", "items": { - "type": "array", - "description": "Single row of data", - "items": { - "type": "string", - "description": "Cell in the table" - } + "type": "string", + "description": "Cell in the table" } } } } + } + }, + "parameters": { + "Action": { + "description": "The action", + "in": "body", + "name": "action", + "required": true, + "schema": { + "$ref": "#/definitions/ActionRequest" + }, + "x-ms-parameter-location": "method" }, - "parameters": { - "Action": { - "description": "The action", - "in": "body", - "name": "action", - "required": true, - "schema": { - "$ref": "#/definitions/ActionRequest" - }, - "x-ms-parameter-location": "method" - }, - "ActionId": { - "description": "Action ID", - "in": "path", - "name": "actionId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "AggregationsName": { - "description": "The aggregation name. 
Supports - Cases", - "in": "path", - "name": "aggregationsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "AlertRule": { - "description": "The alert rule", - "in": "body", - "name": "alertRule", - "required": true, - "schema": { - "$ref": "#/definitions/AlertRule" - }, - "x-ms-parameter-location": "method" - }, - "AlertRuleTemplateId": { - "description": "Alert rule template ID", - "in": "path", - "name": "alertRuleTemplateId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ApiVersion": { - "description": "API version for the operation", - "enum": [ - "2019-01-01-preview" - ], - "in": "query", - "name": "api-version", - "required": true, - "type": "string" - }, - "Bookmark": { - "description": "The bookmark", - "in": "body", - "name": "bookmark", - "required": true, - "schema": { - "$ref": "#/definitions/Bookmark" - }, - "x-ms-parameter-location": "method" - }, - "RelationName": { - "name": "relationName", - "in": "path", - "required": true, - "type": "string", - "description": "Relation Name", - "x-ms-parameter-location": "method" - }, - "RelationInputModel": { - "name": "relationInputModel", - "in": "body", - "description": "The relation input model", - "required": true, - "schema": { - "$ref": "#/definitions/RelationsModelInput" - }, - "x-ms-parameter-location": "method" - }, - "BookmarkId": { - "description": "Bookmark ID", - "in": "path", - "name": "bookmarkId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Case": { - "description": "The case", - "in": "body", - "name": "case", - "required": true, - "schema": { - "$ref": "#/definitions/Case" - }, - "x-ms-parameter-location": "method" - }, - "CaseComment": { - "description": "The case comment", - "in": "body", - "name": "caseComment", - "required": true, - "schema": { - "$ref": "#/definitions/CaseComment" - }, - "x-ms-parameter-location": "method" - }, - "CaseCommentId": { - "description": 
"Case comment ID", - "in": "path", - "name": "caseCommentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "CaseId": { - "description": "Case ID", - "in": "path", - "name": "caseId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ConsentId": { - "description": "consent ID", - "in": "path", - "name": "consentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "DataConnector": { - "description": "The data connector", - "in": "body", - "name": "dataConnector", - "required": true, - "schema": { - "$ref": "#/definitions/DataConnector" - }, - "x-ms-parameter-location": "method" - }, - "DataConnectorId": { - "description": "Connector ID", - "in": "path", - "name": "dataConnectorId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "DataConnectorsCheckRequirementsBody": { - "description": "The parameters for requirements check message", - "in": "body", - "name": "DataConnectorsCheckRequirements", - "required": true, - "schema": { - "$ref": "#/definitions/DataConnectorsCheckRequirements" - }, - "x-ms-parameter-location": "method" - }, - "EnrichmentDomain": { - "description": "Domain name to be enriched", - "in": "query", - "name": "domain", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EnrichmentIpAddress": { - "description": "IP address (v4 or v6) to be enriched", - "in": "query", - "name": "ipAddress", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityExpandRequestBody": { - "description": "The parameters required to execute an expand operation on the given entity.", - "in": "body", - "name": "parameters", - "required": true, - "schema": { - "$ref": "#/definitions/EntityExpandParameters" - }, - "x-ms-parameter-location": "method" - }, - "BookmarkExpandRequestBody": { - "description": "The parameters required to execute an expand operation on 
the given bookmark.", - "in": "body", - "name": "parameters", - "required": true, - "schema": { - "$ref": "#/definitions/BookmarkExpandParameters" - }, - "x-ms-parameter-location": "method" - }, - "EntityTimelineRequestBody": { - "description": "The parameters required to execute an timeline operation on the given entity.", - "in": "body", - "name": "parameters", - "required": true, - "schema": { - "$ref": "#/definitions/EntityTimelineParameters" - }, - "x-ms-parameter-location": "method" - }, - "GetInsightsEntityQueriesRequestBody": { - "description": "The parameters required to execute insights on the given entity.", - "name": "parameters", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/EntityGetInsightsParameters" - }, - "x-ms-parameter-location": "method" - }, - "EntityId": { - "description": "entity ID", - "in": "path", - "name": "entityId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityQueryId": { - "description": "entity query ID", - "in": "path", - "name": "entityQueryId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Incident": { - "description": "The incident", - "in": "body", - "name": "incident", - "required": true, - "schema": { - "$ref": "#/definitions/Incident" - }, - "x-ms-parameter-location": "method" - }, - "IncidentComment": { - "description": "The incident comment", - "in": "body", - "name": "incidentComment", - "required": true, - "schema": { - "$ref": "#/definitions/IncidentComment" - }, - "x-ms-parameter-location": "method" - }, - "IncidentCommentId": { - "description": "Incident comment ID", - "in": "path", - "name": "incidentCommentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "IncidentId": { - "description": "Incident ID", - "in": "path", - "name": "incidentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "EntityQueryKindParam": { - 
"description": "The Kind parameter for queries", - "in": "query", - "name": "kind", - "required": true, - "type": "string", - "enum": [ - "Insight" - ], - "x-ms-enum": { - "modelAsString": true, - "name": "EntityItemQueryKind", - "values": [ - { - "description": "insight", - "value": "Insight" - } - ] - }, - "x-ms-parameter-location": "method" - }, - "ODataFilter": { - "description": "Filters the results, based on a Boolean condition. Optional.", - "in": "query", - "name": "$filter", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataOrderBy": { - "description": "Sorts the results. Optional.", - "in": "query", - "name": "$orderby", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataSkipToken": { - "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", - "in": "query", - "name": "$skipToken", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ODataTop": { - "description": "Returns only the first n results. 
Optional.", - "format": "int32", - "in": "query", - "name": "$top", - "required": false, - "type": "integer", - "x-ms-parameter-location": "method" - }, - "OperationalInsightsResourceProvider": { - "description": "The namespace of workspaces resource provider- Microsoft.OperationalInsights.", - "in": "path", - "name": "operationalInsightsResourceProvider", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Relation": { - "name": "relation", - "in": "body", - "description": "The relation model", - "required": true, - "schema": { - "$ref": "#/definitions/Relation" - }, - "x-ms-parameter-location": "method" - }, - "ResourceGroupName": { - "description": "The name of the resource group within the user's subscription. The name is case insensitive.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "resourceGroupName", - "pattern": "^[-\\w\\._\\(\\)]+$", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "RuleId": { - "description": "Alert rule ID", - "in": "path", - "name": "ruleId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Settings": { - "description": "The setting", - "in": "body", - "name": "settings", - "required": true, - "schema": { - "$ref": "#/definitions/Settings" - }, - "x-ms-parameter-location": "method" - }, - "SettingsName": { - "description": "The setting name. 
Supports - EyesOn, EntityAnalytics, Ueba", - "in": "path", - "name": "settingsName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "WorkspaceName": { - "description": "The name of the workspace.", - "in": "path", - "maxLength": 90, - "minLength": 1, - "name": "workspaceName", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "WatchlistAlias": { - "description": "Watchlist Alias", - "in": "path", - "name": "watchlistAlias", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "Watchlist": { - "description": "The watchlist", - "in": "body", - "name": "watchlist", - "required": true, - "schema": { - "$ref": "#/definitions/Watchlist" - }, - "x-ms-parameter-location": "method" - }, - "WatchlistItem": { - "description": "The watchlist item", - "in": "body", - "name": "watchlistItem", - "required": true, - "schema": { - "$ref": "#/definitions/WatchlistItem" - }, - "x-ms-parameter-location": "method" - }, - "WatchlistItemId": { - "description": "Watchlist Item Id (GUID)", - "in": "path", - "name": "watchlistItemId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceName": { - "description": "Threat intelligence indicator name field.", - "in": "path", - "name": "name", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceProperties": { - "description": "Properties of threat intelligence indicators to create and update.", - "in": "body", - "name": "ThreatIntelligenceProperties", - "required": true, - "schema": { - "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" - }, - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceReplaceTags": { - "description": "Tags in the threat intelligence indicator to be replaced.", - "in": "body", - "name": "ThreatIntelligenceReplaceTags", - "required": true, - "schema": { - "$ref": 
"#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" - }, - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceFilteringCriteria": { - "description": "Filtering criteria for querying threat intelligence indicators.", - "in": "body", - "name": "ThreatIntelligenceFilteringCriteria", - "required": true, - "schema": { - "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria" - }, - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceIndicatorEntityKind": { - "description": "The threat intelligence entity kind", - "in": "query", - "name": "ctiEntityKind", - "required": false, - "type": "string", - "x-ms-parameter-location": "method" - }, - "ThreatIntelligenceAppendTags": { - "description": "The threat intelligence append tags request body", - "in": "body", - "name": "ThreatIntelligenceAppendTags", - "required": true, - "schema": { - "$ref": "#/definitions/ThreatIntelligenceAppendTags" - }, - "x-ms-parameter-location": "method" - } + "ActionId": { + "description": "Action ID", + "in": "path", + "name": "actionId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AggregationsName": { + "description": "The aggregation name. 
Supports - Cases", + "in": "path", + "name": "aggregationsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "AlertRule": { + "description": "The alert rule", + "in": "body", + "name": "alertRule", + "required": true, + "schema": { + "$ref": "#/definitions/AlertRule" + }, + "x-ms-parameter-location": "method" + }, + "AlertRuleTemplateId": { + "description": "Alert rule template ID", + "in": "path", + "name": "alertRuleTemplateId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ApiVersion": { + "description": "API version for the operation", + "enum": [ + "2019-01-01-preview" + ], + "in": "query", + "name": "api-version", + "required": true, + "type": "string" + }, + "Bookmark": { + "description": "The bookmark", + "in": "body", + "name": "bookmark", + "required": true, + "schema": { + "$ref": "#/definitions/Bookmark" + }, + "x-ms-parameter-location": "method" + }, + "RelationName": { + "name": "relationName", + "in": "path", + "required": true, + "type": "string", + "description": "Relation Name", + "x-ms-parameter-location": "method" + }, + "RelationInputModel": { + "name": "relationInputModel", + "in": "body", + "description": "The relation input model", + "required": true, + "schema": { + "$ref": "#/definitions/RelationsModelInput" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkId": { + "description": "Bookmark ID", + "in": "path", + "name": "bookmarkId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Case": { + "description": "The case", + "in": "body", + "name": "case", + "required": true, + "schema": { + "$ref": "#/definitions/Case" + }, + "x-ms-parameter-location": "method" + }, + "CaseComment": { + "description": "The case comment", + "in": "body", + "name": "caseComment", + "required": true, + "schema": { + "$ref": "#/definitions/CaseComment" + }, + "x-ms-parameter-location": "method" + }, + "CaseCommentId": { + "description": 
"Case comment ID", + "in": "path", + "name": "caseCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "CaseId": { + "description": "Case ID", + "in": "path", + "name": "caseId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ConsentId": { + "description": "consent ID", + "in": "path", + "name": "consentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "DataConnector": { + "description": "The data connector", + "in": "body", + "name": "dataConnector", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnector" + }, + "x-ms-parameter-location": "method" + }, + "DataConnectorId": { + "description": "Connector ID", + "in": "path", + "name": "dataConnectorId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "DataConnectorsCheckRequirementsBody": { + "description": "The parameters for requirements check message", + "in": "body", + "name": "DataConnectorsCheckRequirements", + "required": true, + "schema": { + "$ref": "#/definitions/DataConnectorsCheckRequirements" + }, + "x-ms-parameter-location": "method" + }, + "EnrichmentDomain": { + "description": "Domain name to be enriched", + "in": "query", + "name": "domain", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EnrichmentIpAddress": { + "description": "IP address (v4 or v6) to be enriched", + "in": "query", + "name": "ipAddress", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityExpandRequestBody": { + "description": "The parameters required to execute an expand operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "BookmarkExpandRequestBody": { + "description": "The parameters required to execute an expand operation on 
the given bookmark.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/BookmarkExpandParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityTimelineRequestBody": { + "description": "The parameters required to execute an timeline operation on the given entity.", + "in": "body", + "name": "parameters", + "required": true, + "schema": { + "$ref": "#/definitions/EntityTimelineParameters" + }, + "x-ms-parameter-location": "method" + }, + "GetInsightsEntityQueriesRequestBody": { + "description": "The parameters required to execute insights on the given entity.", + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/EntityGetInsightsParameters" + }, + "x-ms-parameter-location": "method" + }, + "EntityId": { + "description": "entity ID", + "in": "path", + "name": "entityId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryId": { + "description": "entity query ID", + "in": "path", + "name": "entityQueryId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Incident": { + "description": "The incident", + "in": "body", + "name": "incident", + "required": true, + "schema": { + "$ref": "#/definitions/Incident" + }, + "x-ms-parameter-location": "method" + }, + "IncidentComment": { + "description": "The incident comment", + "in": "body", + "name": "incidentComment", + "required": true, + "schema": { + "$ref": "#/definitions/IncidentComment" + }, + "x-ms-parameter-location": "method" + }, + "IncidentCommentId": { + "description": "Incident comment ID", + "in": "path", + "name": "incidentCommentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "IncidentId": { + "description": "Incident ID", + "in": "path", + "name": "incidentId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "EntityQueryKindParam": { + 
"description": "The Kind parameter for queries", + "in": "query", + "name": "kind", + "required": true, + "type": "string", + "enum": [ + "Insight" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "EntityItemQueryKind", + "values": [ + { + "description": "insight", + "value": "Insight" + } + ] + }, + "x-ms-parameter-location": "method" + }, + "ODataFilter": { + "description": "Filters the results, based on a Boolean condition. Optional.", + "in": "query", + "name": "$filter", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataOrderBy": { + "description": "Sorts the results. Optional.", + "in": "query", + "name": "$orderby", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataSkipToken": { + "description": "Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.", + "in": "query", + "name": "$skipToken", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ODataTop": { + "description": "Returns only the first n results. 
Optional.", + "format": "int32", + "in": "query", + "name": "$top", + "required": false, + "type": "integer", + "x-ms-parameter-location": "method" + }, + "OperationalInsightsResourceProvider": { + "description": "The namespace of workspaces resource provider- Microsoft.OperationalInsights.", + "in": "path", + "name": "operationalInsightsResourceProvider", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Relation": { + "name": "relation", + "in": "body", + "description": "The relation model", + "required": true, + "schema": { + "$ref": "#/definitions/Relation" + }, + "x-ms-parameter-location": "method" + }, + "ResourceGroupName": { + "description": "The name of the resource group within the user's subscription. The name is case insensitive.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "resourceGroupName", + "pattern": "^[-\\w\\._\\(\\)]+$", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "RuleId": { + "description": "Alert rule ID", + "in": "path", + "name": "ruleId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Settings": { + "description": "The setting", + "in": "body", + "name": "settings", + "required": true, + "schema": { + "$ref": "#/definitions/Settings" + }, + "x-ms-parameter-location": "method" + }, + "SettingsName": { + "description": "The setting name. 
Supports - EyesOn, EntityAnalytics, Ueba", + "in": "path", + "name": "settingsName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "WorkspaceName": { + "description": "The name of the workspace.", + "in": "path", + "maxLength": 90, + "minLength": 1, + "name": "workspaceName", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "WatchlistAlias": { + "description": "Watchlist Alias", + "in": "path", + "name": "watchlistAlias", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "Watchlist": { + "description": "The watchlist", + "in": "body", + "name": "watchlist", + "required": true, + "schema": { + "$ref": "#/definitions/Watchlist" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItem": { + "description": "The watchlist item", + "in": "body", + "name": "watchlistItem", + "required": true, + "schema": { + "$ref": "#/definitions/WatchlistItem" + }, + "x-ms-parameter-location": "method" + }, + "WatchlistItemId": { + "description": "Watchlist Item Id (GUID)", + "in": "path", + "name": "watchlistItemId", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceName": { + "description": "Threat intelligence indicator name field.", + "in": "path", + "name": "name", + "required": true, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceProperties": { + "description": "Properties of threat intelligence indicators to create and update.", + "in": "body", + "name": "ThreatIntelligenceProperties", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceReplaceTags": { + "description": "Tags in the threat intelligence indicator to be replaced.", + "in": "body", + "name": "ThreatIntelligenceReplaceTags", + "required": true, + "schema": { + "$ref": 
"#/definitions/ThreatIntelligenceIndicatorModelForRequestBody" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceFilteringCriteria": { + "description": "Filtering criteria for querying threat intelligence indicators.", + "in": "body", + "name": "ThreatIntelligenceFilteringCriteria", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceFilteringCriteria" + }, + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceIndicatorEntityKind": { + "description": "The threat intelligence entity kind", + "in": "query", + "name": "ctiEntityKind", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, + "ThreatIntelligenceAppendTags": { + "description": "The threat intelligence append tags request body", + "in": "body", + "name": "ThreatIntelligenceAppendTags", + "required": true, + "schema": { + "$ref": "#/definitions/ThreatIntelligenceAppendTags" + }, + "x-ms-parameter-location": "method" } } } From 2a90598c9b8d29437ae57f4e17c7792fb9b76781 Mon Sep 17 00:00:00 2001 From: Moran Raz Mizrahi Date: Mon, 5 Jul 2021 17:01:53 +0300 Subject: [PATCH 09/11] . --- .../2019-01-01-preview/SecurityInsights.json | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index eb57a33bd52b..90cb4ebf262e 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json 
@@ -10752,27 +10752,6 @@
 ],
 "type": "object"
 },
- "Resource": {
- "description": "An azure resource object",
- "properties": {
- "id": {
- "description": "Azure resource Id",
- "readOnly": true,
- "type": "string"
- },
- "name": {
- "description": "Azure resource name",
- "readOnly": true,
- "type": "string"
- },
- "type": {
- "description": "Azure resource type",
- "readOnly": true,
- "type": "string"
- }
- },
- "x-ms-azure-resource": true
- },
 "ScheduledAlertRule": {
 "allOf": [
 {
From 0c2ec33ce625f8c685bdfd6e8a2b84c768d29b56 Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi
Date: Mon, 5 Jul 2021 19:28:22 +0300
Subject: [PATCH 10/11] revert common definitons
---
 .../2019-01-01-preview/AutomationRules.json | 89 ++----
 .../2019-01-01-preview/SecurityInsights.json | 268 +++++++++++-------
 2 files changed, 186 insertions(+), 171 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
index 110c82be86c9..aaff726062c7 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/AutomationRules.json
@@ -48,19 +48,19 @@
 "operationId": "AutomationRules_List",
 "parameters": [
 {
- "$ref": "#/parameters/ApiVersion"
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "#/parameters/ResourceGroupName"
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
 },
 {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "#/parameters/WorkspaceName"
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
 }
 ],
 "responses": {
@@ -73,7 +73,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
 }
 }
 },
@@ -96,19 +96,19 @@
 "operationId": "AutomationRules_Get",
 "parameters": [
 {
- "$ref": "#/parameters/ApiVersion"
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "#/parameters/ResourceGroupName"
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
 },
 {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "#/parameters/WorkspaceName"
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
@@ -124,7 +124,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
 }
 }
 }
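Review bot: Every parameter list in this hunk, in the AutomationRules_Get hunk below it, and in the CreateOrUpdate and Delete hunks on the following lines now points at `SecurityInsights.json#/parameters/SubscriptionId`, and the SecurityInsights.json hunks of this same commit replace the common-types `SubscriptionIdParameter` with `#/parameters/SubscriptionId`, but no hunk visible here adds a `SubscriptionId` entry to that file's `parameters` section; the earlier patch on this page that re-indents the SecurityInsights.json `parameters` block lists ApiVersion, ResourceGroupName, WorkspaceName and the rest with no SubscriptionId among them. Unless a hunk outside this view adds it, each of these `$ref`s dangles and the spec no longer resolves. If the entry is new, it should keep the contract of the common-types definition it replaces, at least `"in": "path"`, `"name": "subscriptionId"`, `"required": true`, `"type": "string"`, so the subscription scope of every automation-rule route stays mandatory rather than silently becoming optional.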
@@ -142,19 +142,19 @@
 "operationId": "AutomationRules_CreateOrUpdate",
 "parameters": [
 {
- "$ref": "#/parameters/ApiVersion"
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "#/parameters/ResourceGroupName"
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
 },
 {
- "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "#/parameters/WorkspaceName"
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
@@ -179,7 +179,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
 }
 }
 }
@@ -197,19 +197,19 @@
 "operationId": "AutomationRules_Delete",
 "parameters": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
+ "$ref": "SecurityInsights.json#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "SecurityInsights.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
+ "$ref": "SecurityInsights.json#/parameters/ResourceGroupName"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/OperationalInsightsResourceProvider"
+ "$ref": "SecurityInsights.json#/parameters/OperationalInsightsResourceProvider"
 },
 {
- "$ref": "../../../common/1.0/types.json#/parameters/WorkspaceName"
+ "$ref": "SecurityInsights.json#/parameters/WorkspaceName"
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
@@ -225,7 +225,7 @@
 "default": {
 "description": "Error response describing why the operation failed.",
 "schema": {
- "$ref": "../../../common/1.0/types.json#/definitions/CloudError"
+ "$ref": "SecurityInsights.json#/definitions/CloudError"
 }
 }
 }
@@ -233,16 +233,6 @@
 }
 },
 "parameters": {
- "ApiVersion": {
- "description": "API version for the operation",
- "enum": [
- "2019-01-01-preview"
- ],
- "in": "query",
- "name": "api-version",
- "required": true,
- "type": "string"
- },
 "AutomationRule": {
 "description": "The automation rule",
 "in": "body",
@@ -260,42 +250,13 @@
 "required": true,
 "type": "string",
 "x-ms-parameter-location": "method"
- },
- "OperationalInsightsResourceProvider": {
- "description": "The namespace of workspaces resource provider- Microsoft.OperationalInsights.",
- "in": "path",
- "name": "operationalInsightsResourceProvider",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "ResourceGroupName": {
- "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
- "in": "path",
- "maxLength": 90,
- "minLength": 1,
- "name": "resourceGroupName",
- "pattern": "^[-\\w\\._\\(\\)]+$",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
- },
- "WorkspaceName": {
- "description": "The name of the workspace.",
- "in": "path",
- "maxLength": 90,
- "minLength": 1,
- "name": "workspaceName",
- "required": true,
- "type": "string",
- "x-ms-parameter-location": "method"
 }
 },
 "definitions": {
 "AutomationRule": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "SecurityInsights.json#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents an automation rule.",
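Review bot: The `allOf` base of `AutomationRule` in the last hunk now resolves to `SecurityInsights.json#/definitions/ResourceWithEtag`, while the previous patch in this series (PATCH 09, the hunk just above the AutomationRules.json header) deletes `Resource` from SecurityInsights.json; if `ResourceWithEtag` there is itself composed from `#/definitions/Resource`, the chain is broken and `id`, `name` and `type` vanish from every automation-rule model, so the reference should be resolved end to end before this lands. Removing the local `ResourceGroupName` and `WorkspaceName` parameters in the same hunk also removes their `maxLength`, `minLength` and `pattern` constraints from this file; the SecurityInsights.json copies shown earlier on this page carry identical constraints, so nothing is lost provided this commit keeps them there rather than reverting them too. The enclosing `parameters` and `definitions` objects start and end outside the hunk.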
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 90cb4ebf262e..da213157fdf9 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -76,7 +76,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -130,7 +130,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -182,7 +182,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -237,7 +237,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -285,7 +285,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -336,7 +336,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -385,7 +385,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -443,7 +443,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -494,7 +494,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -542,7 +542,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -591,7 +591,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -652,7 +652,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -699,7 +699,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -755,7 +755,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -804,7 +804,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -869,7 +869,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -919,7 +919,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -973,7 +973,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1021,7 +1021,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -1067,7 +1067,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1122,7 +1122,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1171,7 +1171,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1236,7 +1236,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1286,7 +1286,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1345,7 +1345,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1396,7 +1396,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -1457,7 +1457,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1511,7 +1511,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1560,7 +1560,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1618,7 +1618,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1669,7 +1669,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1711,7 +1711,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1753,7 +1753,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -1837,7 +1837,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1892,7 +1892,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -1947,7 +1947,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2028,7 +2028,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2076,7 +2076,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2181,7 +2181,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2229,7 +2229,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -2280,7 +2280,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2331,7 +2331,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2382,7 +2382,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2433,7 +2433,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2497,7 +2497,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2548,7 +2548,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2596,7 +2596,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -2642,7 +2642,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2690,7 +2690,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2735,7 +2735,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2781,7 +2781,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2827,7 +2827,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2878,7 +2878,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -2926,7 +2926,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -2974,7 +2974,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3022,7 +3022,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3082,7 +3082,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3128,7 +3128,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3183,7 +3183,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3231,7 +3231,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3279,7 +3279,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -3327,7 +3327,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3391,7 +3391,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3440,7 +3440,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3498,7 +3498,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3549,7 +3549,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3597,7 +3597,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3661,7 +3661,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -3710,7 +3710,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3768,7 +3768,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3819,7 +3819,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3867,7 +3867,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3913,7 +3913,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -3959,7 +3959,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4016,7 +4016,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -4067,7 +4067,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4116,7 +4116,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4165,7 +4165,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4225,7 +4225,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4279,7 +4279,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4339,7 +4339,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" @@ -4385,7 +4385,7 @@ "$ref": "#/parameters/ApiVersion" }, { - "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + "$ref": "#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ResourceGroupName" 
@@ -4440,7 +4440,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -4488,7 +4488,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -4539,7 +4539,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -4584,7 +4584,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -4632,7 +4632,7 @@
 "$ref": "#/parameters/ApiVersion"
 },
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
+ "$ref": "#/parameters/SubscriptionId"
 },
 {
 "$ref": "#/parameters/ResourceGroupName"
@@ -5220,7 +5220,7 @@
 "ActionRequest": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Action for alert rule.",
@@ -5267,7 +5267,7 @@
 "ActionResponse": {
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 }
 ],
 "description": "Action for alert rule.",
@@ -5322,7 +5322,7 @@
 "Aggregations": {
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 },
 {
 "$ref": "#/definitions/AggregationsKind"
@@ -5358,7 +5358,7 @@
 "AlertRule": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/AlertRuleKind"
@@ -5415,7 +5415,7 @@
 "AlertRuleTemplate": {
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 },
 {
 "$ref": "#/definitions/AlertRuleKind"
@@ -5741,7 +5741,7 @@
 "description": "Represents a relation",
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 },
 {
 "type": "object",
@@ -5918,7 +5918,7 @@
 "Bookmark": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Represents a bookmark in Azure Security Insights.",
@@ -6076,7 +6076,7 @@
 "Case": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Represents a case in Azure Security Insights.",
@@ -6092,7 +6092,7 @@
 "CaseComment": {
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 }
 ],
 "description": "Represents a case comment",
@@ -6581,7 +6581,7 @@
 "DataConnector": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/DataConnectorKind"
@@ -7170,7 +7170,7 @@
 "Entity": {
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 },
 {
 "$ref": "#/definitions/EntityKind"
@@ -7626,7 +7626,7 @@
 "EntityQuery": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/EntityQueryKind"
@@ -8687,7 +8687,7 @@
 "Incident": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Represents an incident in Azure Security Insights.",
@@ -8856,7 +8856,7 @@
 "IncidentComment": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Represents an incident comment",
@@ -10226,7 +10226,7 @@
 "OfficeConsent": {
 "allOf": [
 {
- "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/Resource"
+ "$ref": "#/definitions/Resource"
 }
 ],
 "description": "Consent for Office365 tenant that already made.",
@@ -10713,7 +10713,7 @@
 "description": "Represents a relation between two resources",
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "properties": {
@@ -10752,6 +10752,52 @@
 ],
 "type": "object"
 },
+ "Resource": {
+ "description": "An azure resource object",
+ "properties": {
+ "id": {
+ "description": "Azure resource Id",
+ "readOnly": true,
+ "type": "string"
+ },
+ "name": {
+ "description": "Azure resource name",
+ "readOnly": true,
+ "type": "string"
+ },
+ "type": {
+ "description": "Azure resource type",
+ "readOnly": true,
+ "type": "string"
+ }
+ },
+ "x-ms-azure-resource": true
+ },
+ "ResourceWithEtag": {
+ "description": "An azure resource object with an Etag property",
+ "properties": {
+ "id": {
+ "description": "Azure resource Id",
+ "readOnly": true,
+ "type": "string"
+ },
+ "name": {
+ "description": "Azure resource name",
+ "readOnly": true,
+ "type": "string"
+ },
+ "type": {
+ "description": "Azure resource type",
+ "readOnly": true,
+ "type": "string"
+ },
+ "etag": {
+ "description": "Etag of the azure resource",
+ "type": "string"
+ }
+ },
+ "x-ms-azure-resource": true
+ },
 "ScheduledAlertRule": {
 "allOf": [
 {
@@ -11452,7 +11498,7 @@
 "Settings": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/SettingsKind"
@@ -12126,7 +12172,7 @@
 "Watchlist": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Represents a Watchlist in Azure Security Insights.",
@@ -12271,7 +12317,7 @@
 "WatchlistItem": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 }
 ],
 "description": "Represents a Watchlist item in Azure Security Insights.",
@@ -12360,7 +12406,7 @@
 "ThreatIntelligenceInformation": {
 "allOf": [
 {
- "$ref": "../../../common/1.0/types.json#/definitions/ResourceWithEtag"
+ "$ref": "#/parameters/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/ThreatIntelligenceResourceKind"
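Review bot: The first hunk forks the ARM resource envelope into local `Resource` and `ResourceWithEtag` definitions instead of keeping the `$ref` to `common-types/resource-management/v2/types.json`, so this spec stops tracking the centrally reviewed shape — any later change to the shared `Resource` (for example additional read-only provenance fields) will not reach it — and, if memory serves, the ARM spec linters flag resource definitions that do not derive from the common-types `Resource`. The copies themselves look faithful: `id`/`name`/`type` stay `readOnly`, `etag` stays writable, and `x-ms-azure-resource` is kept, so nothing in this hunk changes the wire contract. If the local copies are required for the file split, record the provenance in the `description` so the next maintainer knows to keep them in sync, e.g. `"description": "An azure resource object (mirror of common-types/resource-management/v2 Resource; keep in sync)"` and the equivalent on `ResourceWithEtag`. Otherwise prefer keeping the common-types `$ref` here and in AutomationRules.json.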
@@ -13522,6 +13568,14 @@
 "type": "string",
 "x-ms-parameter-location": "method"
 },
+ "SubscriptionId": {
+ "description": "Azure subscription ID",
+ "in": "path",
+ "name": "subscriptionId",
+ "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
+ "required": true,
+ "type": "string"
+ },
 "WorkspaceName": {
 "description": "The name of the workspace.",
 "in": "path",
From ff9585f298f50595de7e0d759baef1437df17328 Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi
Date: Mon, 5 Jul 2021 19:34:30 +0300
Subject: [PATCH 11/11] .
---
 .../2019-01-01-preview/SecurityInsights.json | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index da213157fdf9..2870b982fb0f 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -5220,7 +5220,7 @@
 "ActionRequest": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Action for alert rule.",
@@ -5358,7 +5358,7 @@
 "AlertRule": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/AlertRuleKind"
@@ -5918,7 +5918,7 @@
 "Bookmark": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents a bookmark in Azure Security Insights.",
@@ -6076,7 +6076,7 @@
 "Case": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents a case in Azure Security Insights.",
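Review bot: The new local `SubscriptionId` parameter in the first hunk adds a GUID `pattern` that the shared `SubscriptionIdParameter` it replaces (swapped out across the earlier hunks) does not carry — as far as I recall the common-types one has only `minLength: 1` — so generated SDKs will now reject any `subscriptionId` that is not a canonical 8-4-4-4-12 hex GUID client-side before a request is sent; that is a behaviour change for consumers of this preview version rather than a pure refactor and should be stated in the PR description. The tighter check is a reasonable input constraint, but it binds only clients; the service must still validate the path segment, and the absent `x-ms-parameter-location` (defaulting to client) matches how the shared parameter was consumed, so that part is fine. Consider also keeping the shared wording, `"description": "The ID of the target subscription."`, instead of `"Azure subscription ID"` to avoid a gratuitous documentation diff between this spec and the rest of the ARM surface.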
@@ -6581,7 +6581,7 @@
 "DataConnector": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/DataConnectorKind"
@@ -7626,7 +7626,7 @@
 "EntityQuery": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/EntityQueryKind"
@@ -8687,7 +8687,7 @@
 "Incident": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents an incident in Azure Security Insights.",
@@ -8856,7 +8856,7 @@
 "IncidentComment": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents an incident comment",
@@ -10713,7 +10713,7 @@
 "description": "Represents a relation between two resources",
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "properties": {
@@ -11498,7 +11498,7 @@
 "Settings": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/SettingsKind"
@@ -12172,7 +12172,7 @@
 "Watchlist": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents a Watchlist in Azure Security Insights.",
@@ -12317,7 +12317,7 @@
 "WatchlistItem": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 }
 ],
 "description": "Represents a Watchlist item in Azure Security Insights.",
@@ -12406,7 +12406,7 @@
 "ThreatIntelligenceInformation": {
 "allOf": [
 {
- "$ref": "#/parameters/ResourceWithEtag"
+ "$ref": "#/definitions/ResourceWithEtag"
 },
 {
 "$ref": "#/definitions/ThreatIntelligenceResourceKind"