From 1848bd1da07d986adf302bbbfa3ccc0365cc1e53 Mon Sep 17 00:00:00 2001 From: ityankel <47292630+ityankel@users.noreply.github.com> Date: Wed, 24 Mar 2021 03:11:29 +0200 Subject: [PATCH] Add AutomationRules api (#13421) * Add automation rules api * Move incident enums to common * fix schema * more fixes * update examples * update examples * remove automation rules OData support * fix typo in LA provider name * Update swagger * Update examples * prepare for PR * fix typos and prettier * fix typos and prettier * fix lint errors * fix lint errors * fix lint errors * fix lint errors * fix lint errors * fix linting error * Remove multiple allOf statements * Remove multiple allOf statements --- .../2019-01-01-preview/SecurityInsights.json | 1268 ++++++++++++++--- .../automationRules/CreateAutomationRule.json | 176 +++ .../automationRules/DeleteAutomationRule.json | 14 + .../GetAllAutomationRules.json | 69 + .../automationRules/GetAutomationRule.json | 76 + .../resource-manager/readme.md | 4 + 6 files changed, 1419 insertions(+), 188 deletions(-) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/CreateAutomationRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/DeleteAutomationRule.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAllAutomationRules.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAutomationRule.json 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index ccb0e3165d20..4b4b3ece3e45 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json 
@@ -573,6 +573,203 @@ } } }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": { + "get": { + "x-ms-examples": { + "Get all automation rules.": { + "$ref": "./examples/automationRules/GetAllAutomationRules.json" + } + }, + "tags": [ + "Automation Rules" + ], + "description": "Gets all automation rules.", + "operationId": "AutomationRules_List", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AutomationRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": { + "get": { + "x-ms-examples": { + "Get an automation rule.": { + "$ref": "./examples/automationRules/GetAutomationRule.json" + } + }, + "tags": [ + "Automation Rules" + ], + "description": "Gets the automation rule.", + "operationId": "AutomationRules_Get", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + 
"$ref": "#/definitions/AutomationRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "put": { + "x-ms-examples": { + "Creates or updates an automation rule.": { + "$ref": "./examples/automationRules/CreateAutomationRule.json" + } + }, + "tags": [ + "Automation Rules" + ], + "description": "Creates or updates the automation rule.", + "operationId": "AutomationRules_CreateOrUpdate", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + }, + { + "$ref": "#/parameters/AutomationRule" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + }, + "delete": { + "x-ms-examples": { + "Delete an automation rule.": { + "$ref": "./examples/automationRules/DeleteAutomationRule.json" + } + }, + "tags": [ + "Automation Rule" + ], + "description": "Delete the automation rule.", + "operationId": "AutomationRules_Delete", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/AutomationRuleId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + 
"description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/cases": { "get": { "x-ms-examples": { 
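Review bot: The delete operation on the `{automationRuleId}` path is tagged `"Automation Rule"` while the list, get and put operations in the same hunk are tagged `"Automation Rules"`, so a generated reference page would split the delete into a group of its own. Change the delete tag to `"Automation Rules"`. For the same reason its description `"Delete the automation rule."` would read better as `"Deletes the automation rule."`, matching `"Gets the automation rule."` and `"Creates or updates the automation rule."` beside it.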
@@ -5448,88 +5645,749 @@ "readOnly": true, "type": "string" }, - "value": { - "description": "Array of alert rules.", + "value": { + "description": "Array of alert rules.", + "items": { + "$ref": "#/definitions/AlertRule" + }, + "type": "array" + } + }, + "required": [ + "value" + ] + }, + "AlertSeverity": { + "description": "The severity of the alert", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AlertSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, + "AlertsDataTypeOfDataConnector": { + "description": "Alerts data type for data connectors.", + "properties": { + "alerts": { + "allOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + } + ], + "description": "Alerts data type connection.", + "type": "object" + } + }, + "type": "object" + }, + "AttackTactic": { + "description": "The severity for alerts created by this alert rule.", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AttackTactic" + } + }, + "AutomationRule": { + "allOf": [ + { + "$ref": "#/definitions/ResourceWithEtag" + } + ], + "description": "Represents an automation rule.", + "properties": { + "properties": { + "$ref": "#/definitions/AutomationRuleProperties", + "description": "Automation rule properties", + "x-ms-client-flatten": true + } + }, + "type": "object" + }, + "AutomationRuleAction": { + "description": "Describes an automation rule action", + "discriminator": 
"actionType", + "properties": { + "order": { + "description": "The order of execution of the automation rule action", + "type": "integer", + "format": "int32" + }, + "actionType": { + "description": "The type of the automation rule action", + "enum": [ + "ModifyProperties", + "RunPlaybook" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRuleActionType", + "values": [ + { + "description": "Modify an object's properties", + "value": "ModifyProperties" + }, + { + "description": "Run a playbook on an object", + "value": "RunPlaybook" + } + ] + } + } + }, + "required": [ + "order", + "actionType" + ], + "type": "object" + }, + "AutomationRuleCondition": { + "description": "Describes an automation rule condition", + "discriminator": "conditionType", + "properties": { + "conditionType": { + "description": "The type of the automation rule condition", + "enum": [ + "Property" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRuleConditionType", + "values": [ + { + "description": "Evaluate an object property value", + "value": "Property" + } + ] + } + } + }, + "required": [ + "conditionType" + ], + "type": "object" + }, + "AutomationRuleRunPlaybookAction": { + "description": "Describes an automation rule action to run a playbook", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "description": "The configuration of the run playbook automation rule action", + "properties": { + "logicAppResourceId": { + "description": "The resource id of the playbook resource", + "type": "string" + }, + "tenantId": { + "description": "The tenant id of the playbook resource", + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "actionConfiguration" + ], + "x-ms-client-flatten": true, + "type": "object", + "x-ms-discriminator-value": "RunPlaybook" + }, + "AutomationRuleModifyPropertiesAction": { + "description": "Describes an 
automation rule action to modify an object's properties", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } + ], + "properties": { + "actionConfiguration": { + "description": "The configuration of the modify properties automation rule action", + "properties": { + "classification": { + "$ref": "#/definitions/IncidentClassification", + "description": "The reason the incident was closed" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "classificationReason": { + "$ref": "#/definitions/IncidentClassificationReason", + "description": "The classification reason to close the incident with" + }, + "labels": { + "description": "List of labels to add to the incident", + "items": { + "$ref": "#/definitions/IncidentLabel" + }, + "type": "array" + }, + "owner": { + "$ref": "#/definitions/IncidentOwnerInfo", + "description": "Describes a user that the incident is assigned to", + "type": "object" + }, + "severity": { + "$ref": "#/definitions/IncidentSeverity", + "description": "The severity of the incident" + }, + "status": { + "$ref": "#/definitions/IncidentStatus", + "description": "The status of the incident" + } + }, + "type": "object" + } + }, + "required": [ + "actionConfiguration" + ], + "x-ms-client-flatten": true, + "type": "object", + "x-ms-discriminator-value": "ModifyProperties" + }, + "AutomationRulePropertyConditionSupportedProperty": { + "description": "The property to evaluate in an automation rule property condition", + "enum": [ + "IncidentTitle", + "IncidentDescription", + "IncidentSeverity", + "IncidentStatus", + "IncidentTactics", + "IncidentRelatedAnalyticRuleIds", + "IncidentProviderName", + "AccountAadTenantId", + "AccountAadUserId", + "AccountName", + "AccountNTDomain", + "AccountPUID", + "AccountSid", + "AccountObjectGuid", + "AccountUPNSuffix", + "AzureResourceResourceId", + "AzureResourceSubscriptionId", + "CloudApplicationAppId", + "CloudApplicationAppName", 
+ "DNSDomainName", + "FileDirectory", + "FileName", + "FileHashValue", + "HostAzureID", + "HostName", + "HostNetBiosName", + "HostNTDomain", + "HostOSVersion", + "IoTDeviceId", + "IoTDeviceName", + "IoTDeviceType", + "IoTDeviceVendor", + "IoTDeviceModel", + "IoTDeviceOperatingSystem", + "IPAddress", + "MailboxDisplayName", + "MailboxPrimaryAddress", + "MailboxUPN", + "MailMessageDeliveryAction", + "MailMessageDeliveryLocation", + "MailMessageRecipient", + "MailMessageSenderIP", + "MailMessageSubject", + "MailMessageP1Sender", + "MailMessageP2Sender", + "MalwareCategory", + "MalwareName", + "ProcessCommandLine", + "ProcessId", + "RegistryKey", + "RegistryValueData", + "Url" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRulePropertyConditionSupportedProperty", + "values": [ + { + "description": "The title of the incident", + "value": "IncidentTitle" + }, + { + "description": "The description of the incident", + "value": "IncidentDescription" + }, + { + "description": "The severity of the incident", + "value": "IncidentSeverity" + }, + { + "description": "The status of the incident", + "value": "IncidentStatus" + }, + { + "description": "The tactics of the incident", + "value": "IncidentTactics" + }, + { + "description": "The related Analytic rule ids of the incident", + "value": "IncidentRelatedAnalyticRuleIds" + }, + { + "description": "The provider name of the incident", + "value": "IncidentProviderName" + }, + { + "description": "The account Azure Active Directory tenant id", + "value": "AccountAadTenantId" + }, + { + "description": "The account Azure Active Directory user id.", + "value": "AccountAadUserId" + }, + { + "description": "The account name", + "value": "AccountName" + }, + { + "description": "The account NetBIOS domain name", + "value": "AccountNTDomain" + }, + { + "description": "The account Azure Active Directory Passport User ID", + "value": "AccountPUID" + }, + { + "description": "The account security 
identifier", + "value": "AccountSid" + }, + { + "description": "The account unique identifier", + "value": "AccountObjectGuid" + }, + { + "description": "The account user principal name suffix", + "value": "AccountUPNSuffix" + }, + { + "description": "The Azure resource id", + "value": "AzureResourceResourceId" + }, + { + "description": "The Azure resource subscription id", + "value": "AzureResourceSubscriptionId" + }, + { + "description": "The cloud application identifier", + "value": "CloudApplicationAppId" + }, + { + "description": "The cloud application name", + "value": "CloudApplicationAppName" + }, + { + "description": "The dns record domain name", + "value": "DNSDomainName" + }, + { + "description": "The file directory full path", + "value": "FileDirectory" + }, + { + "description": "The file name without path", + "value": "FileName" + }, + { + "description": "The file hash value", + "value": "FileHashValue" + }, + { + "description": "The host Azure resource id", + "value": "HostAzureID" + }, + { + "description": "The host name without domain", + "value": "HostName" + }, + { + "description": "The host NetBIOS name", + "value": "HostNetBiosName" + }, + { + "description": "The host NT domain", + "value": "HostNTDomain" + }, + { + "description": "The host operating system", + "value": "HostOSVersion" + }, + { + "description": "The IoT device id", + "value": "IoTDeviceId" + }, + { + "description": "The IoT device name", + "value": "IoTDeviceName" + }, + { + "description": "The IoT device type", + "value": "IoTDeviceType" + }, + { + "description": "The IoT device vendor", + "value": "IoTDeviceVendor" + }, + { + "description": "The IoT device model", + "value": "IoTDeviceModel" + }, + { + "description": "The IoT device operating system", + "value": "IoTDeviceOperatingSystem" + }, + { + "description": "The IP address", + "value": "IPAddress" + }, + { + "description": "The mailbox display name", + "value": "MailboxDisplayName" + }, + { + "description": "The mailbox 
primary address", + "value": "MailboxPrimaryAddress" + }, + { + "description": "The mailbox user principal name", + "value": "MailboxUPN" + }, + { + "description": "The mail message delivery action", + "value": "MailMessageDeliveryAction" + }, + { + "description": "The mail message delivery location", + "value": "MailMessageDeliveryLocation" + }, + { + "description": "The mail message recipient", + "value": "MailMessageRecipient" + }, + { + "description": "The mail message sender IP address", + "value": "MailMessageSenderIP" + }, + { + "description": "The mail message subject", + "value": "MailMessageSubject" + }, + { + "description": "The mail message P1 sender", + "value": "MailMessageP1Sender" + }, + { + "description": "The mail message P2 sender", + "value": "MailMessageP2Sender" + }, + { + "description": "The malware category", + "value": "MalwareCategory" + }, + { + "description": "The malware name", + "value": "MalwareName" + }, + { + "description": "The process execution command line", + "value": "ProcessCommandLine" + }, + { + "description": "The process id", + "value": "ProcessId" + }, + { + "description": "The registry key path", + "value": "RegistryKey" + }, + { + "description": "The registry key value in string formatted representation", + "value": "RegistryValueData" + }, + { + "description": "The url", + "value": "Url" + } + ] + } + }, + "AutomationRulePropertyValuesCondition": { + "description": "Describes an automation rule condition that evaluates a property's value", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "description": "The configuration of the automation rule condition", + "properties": { + "propertyName": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty", + "description": "The property to evaluate" + }, + "operator": { + "description": "The operator to use for evaluation the condition", + "enum": [ + "Equals", + "NotEquals", + 
"Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "AutomationRulePropertyConditionSupportedOperator", + "values": [ + { + "description": "Evaluates if the property equals at least one of the condition values", + "value": "Equals" + }, + { + "description": "Evaluates if the property does not equal any of the condition values", + "value": "NotEquals" + }, + { + "description": "Evaluates if the property contains at least one of the condition values", + "value": "Contains" + }, + { + "description": "Evaluates if the property does not contain any of the condition values", + "value": "NotContains" + }, + { + "description": "Evaluates if the property starts with any of the condition values", + "value": "StartsWith" + }, + { + "description": "Evaluates if the property does not start with any of the condition values", + "value": "NotStartsWith" + }, + { + "description": "Evaluates if the property ends with any of the condition values", + "value": "EndsWith" + }, + { + "description": "Evaluates if the property does not end with any of the condition values", + "value": "NotEndsWith" + } + ] + } + }, + "propertyValues": { + "description": "The values to use for evaluating the condition", + "items": { + "description": "A value to use for evaluating the condition", + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "required": [ + "conditionProperties" + ], + "x-ms-client-flatten": true, + "type": "object", + "x-ms-discriminator-value": "Property" + }, + "AutomationRulesList": { + "description": "List all the automation rules.", + "properties": { + "nextLink": { + "description": "URL to fetch the next set of automation rules.", + "readOnly": true, + "type": "string" + }, + "value": { + "description": "Array of automation rules.", + "items": { + "$ref": "#/definitions/AutomationRule" + }, + "type": "array" + } + }, + "required": [ 
+ "value" + ] + }, + "AutomationRuleProperties": { + "description": "Describes automation rule properties", + "properties": { + "displayName": { + "description": "The display name of the automation rule", + "type": "string" + }, + "order": { + "description": "The order of execution of the automation rule", + "type": "integer", + "format": "int32" + }, + "triggeringLogic": { + "$ref": "#/definitions/AutomationRuleTriggeringLogic", + "description": "The triggering logic of the automation rule", + "type": "object" + }, + "actions": { + "description": "The actions to execute when the automation rule is triggered", + "items": { + "$ref": "#/definitions/AutomationRuleAction" + }, + "type": "array" + }, + "createdTimeUtc": { + "description": "The time the automation rule was created", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "lastModifiedTimeUtc": { + "description": "The last time the automation rule was updated", + "format": "date-time", + "readOnly": true, + "type": "string" + }, + "createdBy": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that created the automation rule", + "readOnly": true, + "type": "object" + }, + "lastModifiedBy": { + "$ref": "#/definitions/ClientInfo", + "description": "Describes the client that last updated the automation rule", + "readOnly": true, + "type": "object" + } + }, + "required": [ + "displayName", + "order", + "triggeringLogic", + "actions" + ], + "type": "object" + }, + "AutomationRuleTriggeringLogic": { + "description": "Describes automation rule triggering logic", + "properties": { + "isEnabled": { + "description": "Determines whether the automation rule is enabled or disabled.", + "type": "boolean" + }, + "expirationTimeUtc": { + "description": "Determines when the automation rule should automatically expire and be disabled.", + "format": "date-time", + "type": "string" + }, + "triggersOn": { + "description": "The type of object the automation rule triggers on", + 
"enum": [ + "Incidents" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TriggersOn", + "values": [ + { + "description": "Trigger on Incidents", + "value": "Incidents" + } + ] + } + }, + "triggersWhen": { + "description": "The type of event the automation rule triggers on", + "enum": [ + "Created" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "TriggersWhen", + "values": [ + { + "description": "Trigger on created objects", + "value": "Created" + } + ] + } + }, + "conditions": { + "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object", "items": { - "$ref": "#/definitions/AlertRule" + "$ref": "#/definitions/AutomationRuleCondition" }, "type": "array" } }, "required": [ - "value" - ] - }, - "AlertSeverity": { - "description": "The severity of the alert", - "enum": [ - "High", - "Medium", - "Low", - "Informational" + "isEnabled", + "triggersOn", + "triggersWhen" ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AlertSeverity", - "values": [ - { - "description": "High severity", - "value": "High" - }, - { - "description": "Medium severity", - "value": "Medium" - }, - { - "description": "Low severity", - "value": "Low" - }, - { - "description": "Informational severity", - "value": "Informational" - } - ] - } - }, - "AlertsDataTypeOfDataConnector": { - "description": "Alerts data type for data connectors.", - "properties": { - "alerts": { - "allOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - } - ], - "description": "Alerts data type connection.", - "type": "object" - } - }, "type": "object" }, - "AttackTactic": { - "description": "The severity for alerts created by this alert rule.", - "enum": [ - "InitialAccess", - "Execution", - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion", - "CredentialAccess", - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration", - "CommandAndControl", - 
"Impact", - "PreAttack" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AttackTactic" - } - }, "AwsCloudTrailDataConnector": { "allOf": [ { 
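Review bot: `AutomationRulePropertyValuesCondition.conditionProperties` declares `propertyName`, `operator` and `propertyValues` but no `required`, so a condition with no operator or no values passes schema validation although it cannot be evaluated; `AutomationRuleRunPlaybookAction.actionConfiguration` has the same gap, and there `logicAppResourceId` is the only field that identifies the playbook the rule will run. Add `"required": ["propertyName", "operator", "propertyValues"]` inside `conditionProperties` and `"required": ["logicAppResourceId"]` inside the run-playbook `actionConfiguration`; whether `tenantId` must also be mandatory is not decidable from this hunk and should be confirmed with the service team. Separately, the `AttackTactic` definition re-emitted in this hunk keeps the description `"The severity for alerts created by this alert rule."`, which describes a severity rather than a tactic; since the line is being touched anyway, `"The attack tactic of the alert rule."` would be accurate.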
@@ -8680,6 +9538,129 @@ }, "type": "object" }, + "IncidentClassification": { + "description": "The reason the incident was closed", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassification", + "values": [ + { + "description": "Incident classification was undetermined", + "value": "Undetermined" + }, + { + "description": "Incident was true positive", + "value": "TruePositive" + }, + { + "description": "Incident was benign positive", + "value": "BenignPositive" + }, + { + "description": "Incident was false positive", + "value": "FalsePositive" + } + ] + } + }, + "IncidentClassificationReason": { + "description": "The classification reason the incident was closed with", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentClassificationReason", + "values": [ + { + "description": "Classification reason was suspicious activity", + "value": "SuspiciousActivity" + }, + { + "description": "Classification reason was suspicious but expected", + "value": "SuspiciousButExpected" + }, + { + "description": "Classification reason was incorrect alert logic", + "value": "IncorrectAlertLogic" + }, + { + "description": "Classification reason was inaccurate data", + "value": "InaccurateData" + } + ] + } + }, + "IncidentSeverity": { + "description": "The severity of the incident", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentSeverity", + "values": [ + { + "description": "High severity", + "value": "High" + }, + { + "description": "Medium severity", + "value": "Medium" + }, + { + "description": "Low severity", + "value": "Low" + }, + { + "description": "Informational severity", + "value": "Informational" + } + ] + } + }, 
+ "IncidentStatus": { + "description": "The status of the incident", + "enum": [ + "New", + "Active", + "Closed" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "IncidentStatus", + "values": [ + { + "description": "An active incident which isn't being handled currently", + "value": "New" + }, + { + "description": "An active incident which is being handled", + "value": "Active" + }, + { + "description": "A non-active incident", + "value": "Closed" + } + ] + } + }, "IncidentProperties": { "description": "Describes incident properties", "properties": { 
@@ -8690,72 +9671,16 @@
 "type": "object"
 },
 "classification": {
- "description": "The reason the incident was closed",
- "enum": [
- "Undetermined",
- "TruePositive",
- "BenignPositive",
- "FalsePositive"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentClassification",
- "values": [
- {
- "description": "Incident classification was undetermined",
- "value": "Undetermined"
- },
- {
- "description": "Incident was true positive",
- "value": "TruePositive"
- },
- {
- "description": "Incident was benign positive",
- "value": "BenignPositive"
- },
- {
- "description": "Incident was false positive",
- "value": "FalsePositive"
- }
- ]
- }
+ "$ref": "#/definitions/IncidentClassification",
+ "description": "The reason the incident was closed"
 },
 "classificationComment": {
 "description": "Describes the reason the incident was closed",
 "type": "string"
 },
 "classificationReason": {
- "description": "The classification reason the incident was closed with",
- "enum": [
- "SuspiciousActivity",
- "SuspiciousButExpected",
- "IncorrectAlertLogic",
- "InaccurateData"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentClassificationReason",
- "values": [
- {
- "description": "Classification reason was suspicious activity",
- "value": "SuspiciousActivity"
- },
- {
- "description": "Classification reason was suspicious but expected",
- "value": "SuspiciousButExpected"
- },
- {
- "description": "Classification reason was incorrect alert logic",
- "value": "IncorrectAlertLogic"
- },
- {
- "description": "Classification reason was inaccurate data",
- "value": "InaccurateData"
- }
- ]
- }
+ "$ref": "#/definitions/IncidentClassificationReason",
+ "description": "The classification reason the incident was closed with"
 },
 "createdTimeUtc": {
 "description": "The time the incident was created",
@@ -8823,63 +9748,12 @@
 "type": "array"
 },
 "severity": {
- "description": "The severity of the incident",
- "enum": [
- "High",
- "Medium",
- "Low",
- "Informational"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentSeverity",
- "values": [
- {
- "description": "High severity",
- "value": "High"
- },
- {
- "description": "Medium severity",
- "value": "Medium"
- },
- {
- "description": "Low severity",
- "value": "Low"
- },
- {
- "description": "Informational severity",
- "value": "Informational"
- }
- ]
- }
+ "$ref": "#/definitions/IncidentSeverity",
+ "description": "The severity of the incident"
 },
 "status": {
- "description": "The status of the incident",
- "enum": [
- "New",
- "Active",
- "Closed"
- ],
- "type": "string",
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentStatus",
- "values": [
- {
- "description": "An active incident which isn't being handled currently",
- "value": "New"
- },
- {
- "description": "An active incident which is being handled",
- "value": "Active"
- },
- {
- "description": "A non-active incident",
- "value": "Closed"
- }
- ]
- }
+ "$ref": "#/definitions/IncidentStatus",
+ "description": "The status of the incident"
 },
 "title": {
 "description": "The title of the incident",
@@ -12835,6 +13709,24 @@
 "type": "string",
 "x-ms-parameter-location": "method"
 },
+ "AutomationRule": {
+ "description": "The automation rule",
+ "in": "body",
+ "name": "automationRule",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ },
+ "x-ms-parameter-location": "method"
+ },
+ "AutomationRuleId": {
+ "description": "Automation rule ID",
+ "in": "path",
+ "name": "automationRuleId",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
 "ApiVersion": {
 "description": "API version for the operation",
 "enum": [
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/CreateAutomationRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/CreateAutomationRule.json new file mode 100644 index 000000000000..a792af5d52f0 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/CreateAutomationRule.json 
@@ -0,0 +1,176 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "automationRule": {
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "order": 1,
+ "displayName": "High severity incidents escalation",
+ "triggeringLogic": {
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "conditions": [
+ {
+ "conditionType": "Property",
+ "conditionProperties": {
+ "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "operator": "Contains",
+ "propertyValues": [
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "ModifyProperties",
+ "actionConfiguration": {
+ "severity": "High"
+ }
+ },
+ {
+ "order": 2,
+ "actionType": "RunPlaybook",
+ "actionConfiguration": {
+ "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"
+ }
+ }
+ ]
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/incidents",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
+ "properties": {
+ "order": 1,
+ "displayName": "High severity incidents escalation",
+ "createdTimeUtc": "2019-01-01T13:00:30Z",
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "triggeringLogic": {
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "conditions": [
+ {
+ "conditionType": "Property",
+ "conditionProperties": {
+ "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "operator": "Contains",
+ "propertyValues": [
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "ModifyProperties",
+ "actionConfiguration": {
+ "severity": "High"
+ }
+ },
+ {
+ "order": 2,
+ "actionType": "RunPlaybook",
+ "actionConfiguration": {
+ "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"
+ }
+ }
+ ]
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/incidents",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
+ "properties": {
+ "order": 1,
+ "displayName": "High severity incidents escalation",
+ "createdTimeUtc": "2019-01-01T13:00:30Z",
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "triggeringLogic": {
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "conditions": [
+ {
+ "conditionType": "Property",
+ "conditionProperties": {
+ "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "operator": "Contains",
+ "propertyValues": [
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "ModifyProperties",
+ "actionConfiguration": {
+ "severity": "High"
+ }
+ },
+ {
+ "order": 2,
+ "actionType": "RunPlaybook",
+ "actionConfiguration": {
+ "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
+ "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/DeleteAutomationRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/DeleteAutomationRule.json
new file mode 100644
index 000000000000..76eebc5d7816
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/DeleteAutomationRule.json
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAllAutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAllAutomationRules.json
new file mode 100644
index 000000000000..2cd33d571f60
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAllAutomationRules.json
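Review bot: Both the 200 and 201 response bodies in CreateAutomationRule.json report `"type": "Microsoft.SecurityInsights/incidents"` and an `id` ending in `.../providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5`, yet the resource being created is an automation rule; GetAllAutomationRules.json in this same commit uses `Microsoft.SecurityInsights/automationRules` and an `.../automationRules/<id>` path, and GetAutomationRule.json repeats the `incidents` values. Change the two `id` values to end in `.../providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5` and the two `type` values to `"Microsoft.SecurityInsights/automationRules"`, and apply the same fix to GetAutomationRule.json. These examples are what the example validator checks and what SDK tests are generated from, so the wrong resource type is likely to propagate verbatim if left as is.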
@@ -0,0 +1,69 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "$top": 1
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/automationRules",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "order": 1,
+ "displayName": "High severity incidents escalation",
+ "createdTimeUtc": "2019-01-01T13:00:30Z",
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "triggeringLogic": {
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "conditions": [
+ {
+ "conditionType": "Property",
+ "conditionProperties": {
+ "propertyName": "IncidentRelatedAnalyticRuleIds",
+ "operator": "Contains",
+ "propertyValues": [
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "ModifyProperties",
+ "actionConfiguration": {
+ "severity": "High"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAutomationRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAutomationRule.json
new file mode 100644
index 000000000000..cc077509ea16
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/automationRules/GetAutomationRule.json
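Review bot: The request parameters in GetAllAutomationRules.json still carry `"$top": 1`, while the commit description says OData support for automation rules was removed; if the list operation (outside this chunk) no longer declares a `$top` parameter, the example validator is likely to flag a parameter that the operation does not define. Either remove the `"$top": 1` line from the example or keep `$top` declared on the operation, whichever matches the final API surface, so the example and the operation agree.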
@@ -0,0 +1,76 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "type": "Microsoft.SecurityInsights/incidents",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "order": 1,
+ "displayName": "High severity incidents escalation",
+ "createdTimeUtc": "2019-01-01T13:00:30Z",
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "userPrincipalName": "john@contoso.com",
+ "name": "john doe"
+ },
+ "triggeringLogic": {
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "conditions": [
+ {
+ "conditionType": "Property",
+ "conditionProperties": {
+ "propertyName": "IncidentTitle",
+ "operator": "Contains",
+ "propertyValues": [
+ "logon failure"
+ ]
+ }
+ },
+ {
+ "conditionType": "Property",
+ "conditionProperties": {
+ "propertyName": "HostName",
+ "operator": "Equals",
+ "propertyValues": [
+ "TestVM"
+ ]
+ }
+ }
+ ]
+ },
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "ModifyProperties",
+ "actionConfiguration": {
+ "status": "Closed",
+ "classification": "BenignPositive",
+ "classificationReason": "SuspiciousButExpected"
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/readme.md b/specification/securityinsights/resource-manager/readme.md
index 909005d202d7..2e3d16cc64ba 100644
--- a/specification/securityinsights/resource-manager/readme.md
+++ b/specification/securityinsights/resource-manager/readme.md
@@ -79,6 +79,10 @@
 directive:
 from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
 where: $.definitions.Watchlist
 reason: The Watchlist does not support list by subscription. It's not a top-level resource. To get the Watchlist, we should have a subscription as well as a resource group and Log Analytics workspace.
+ - suppress: R4017
+ from: Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+ where: $.definitions.AutomationRule
+ reason: The AutomationRule does not support list by subscription. It's not a top-level resource. To get the AutomationRule, we should have a subscription as well as a resource group and Log Analytics workspace.
 ```
 ---