diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/AutomationRules.json
index 363518ddd42c..f541aa829b72 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/AutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/AutomationRules.json
@@ -284,7 +284,8 @@
 "description": "The type of the automation rule action.",
 "enum": [
 "ModifyProperties",
- "RunPlaybook"
+ "RunPlaybook",
+ "AddIncidentTask"
 ],
 "type": "string",
 "example": "ModifyProperties",
@@ -299,10 +300,30 @@
 {
 "value": "RunPlaybook",
 "description": "Run a playbook on an object"
+ },
+ {
+ "value": "AddIncidentTask",
+ "description": "Add a task to an incident object"
 }
 ]
 }
 },
+ "AddIncidentTaskActionProperties": {
+ "required": [
+ "title"
+ ],
+ "type": "object",
+ "properties": {
+ "title": {
+ "description": "The title of the task.",
+ "type": "string"
+ },
+ "description": {
+ "description": "The description of the task.",
+ "type": "string"
+ }
+ }
+ },
 "AutomationRule": {
 "required": [
 "properties"
@@ -339,6 +360,23 @@
 },
 "discriminator": "actionType"
 },
+ "AutomationRuleAddIncidentTaskAction": {
+ "description": "Describes an automation rule action to add a task to an incident",
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "#/definitions/AutomationRuleAction"
+ }
+ ],
+ "properties": {
+ "actionConfiguration": {
+ "type": "object",
+ "$ref": "#/definitions/AddIncidentTaskActionProperties"
+ }
+ },
+ "x-ms-discriminator-value": "AddIncidentTask",
+ "x-ms-client-flatten": true
+ },
 "AutomationRuleBooleanCondition": {
 "type": "object",
 "properties": {
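Review bot: `AutomationRuleAddIncidentTaskAction` (third hunk) declares `actionConfiguration` but never lists it under `required`, so the `title` requirement on `AddIncidentTaskActionProperties` only applies when the property happens to be present; a rule with an `AddIncidentTask` action and no configuration would still validate against this schema. Add `"required": ["actionConfiguration"]` to the definition. In the same block, the `"type": "object"` written next to `"$ref"` has no effect under JSON Reference rules, and `x-ms-client-flatten` sits on the definition rather than on the `actionConfiguration` property; confirm both match the sibling action definitions, which are outside this hunk. `title` and `description` (second hunk) are free-text strings with no `maxLength`, so any size limit is left entirely to the service.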
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/Incidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/Incidents.json
index ca7460c88b49..17b7817da4b5 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/Incidents.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/Incidents.json
@@ -5,47 +5,17 @@
 "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
 "version": "2022-12-01-preview"
 },
- "host": "management.azure.com",
- "schemes": [
- "https"
- ],
- "consumes": [
- "application/json"
- ],
- "produces": [
- "application/json"
- ],
- "security": [
- {
- "azure_auth": [
- "user_impersonation"
- ]
- }
- ],
- "securityDefinitions": {
- "azure_auth": {
- "type": "oauth2",
- "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
- "flow": "implicit",
- "description": "Azure Active Directory OAuth2 Flow",
- "scopes": {
- "user_impersonation": "impersonate your user account"
- }
- }
- },
 "paths": {
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents": {
 "get": {
- "x-ms-examples": {
- "Get all incidents.": {
- "$ref": "./examples/incidents/GetIncidents.json"
- }
- },
 "tags": [
 "Incidents"
 ],
 "description": "Gets all incidents.",
 "operationId": "Incidents_List",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
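Review bot: The spec is left without any declared authentication or transport requirement: the top-level `security` / `securityDefinitions` (`azure_auth`), `schemes: ["https"]`, `host` and `consumes` entries are dropped here, and the visible hunks re-add only `produces`, operation by operation. As written, the document no longer states that these incident operations require the Azure AD OAuth2 flow or HTTPS, and the body-taking PUT operations (`Incidents_CreateOrUpdate`, `IncidentComments_CreateOrUpdate`, the new `IncidentTasks_CreateOrUpdate`) have no `consumes` media type. Unless a part of the file outside this diff supplies them, keep the removed top-level blocks, at minimum `"security": [{ "azure_auth": ["user_impersonation"] }]` with its `securityDefinitions` entry and `"schemes": ["https"]`. Keeping the single top-level `"produces": ["application/json"]` would also avoid repeating the same three lines in every operation in the later hunks.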
@@ -88,21 +58,24 @@
 },
 "x-ms-pageable": {
 "nextLinkName": "nextLink"
+ },
+ "x-ms-examples": {
+ "Incidents_List": {
+ "$ref": "./examples/incidents/Incidents_List.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}": {
 "get": {
- "x-ms-examples": {
- "Get an incident.": {
- "$ref": "./examples/incidents/GetIncidentById.json"
- }
- },
 "tags": [
 "Incidents"
 ],
 "description": "Gets an incident.",
 "operationId": "Incidents_Get",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -133,19 +106,22 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_Get": {
+ "$ref": "./examples/incidents/Incidents_Get.json"
+ }
 }
 },
 "put": {
- "x-ms-examples": {
- "Creates or updates an incident.": {
- "$ref": "./examples/incidents/CreateIncident.json"
- }
- },
 "tags": [
 "Incidents"
 ],
 "description": "Creates or updates the incident.",
 "operationId": "Incidents_CreateOrUpdate",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -185,19 +161,22 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_CreateOrUpdate": {
+ "$ref": "./examples/incidents/Incidents_CreateOrUpdate.json"
+ }
 }
 },
 "delete": {
- "x-ms-examples": {
- "Delete an incident.": {
- "$ref": "./examples/incidents/DeleteIncident.json"
- }
- },
 "tags": [
 "Incidents"
 ],
 "description": "Delete the incident.",
 "operationId": "Incidents_Delete",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -228,21 +207,24 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_Delete": {
+ "$ref": "./examples/incidents/Incidents_Delete.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/createTeam": {
 "post": {
- "x-ms-examples": {
- "Creates incident teams group.": {
- "$ref": "./examples/incidents/CreateTeam.json"
- }
- },
 "tags": [
 "IncidentTeam"
 ],
 "description": "Creates a Microsoft team to investigate the incident by sharing information and insights between participants.",
 "operationId": "Incidents_CreateTeam",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -276,21 +258,24 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_CreateTeam": {
+ "$ref": "./examples/incidents/IncidentTeam/Incidents_CreateTeam.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts": {
 "post": {
- "x-ms-examples": {
- "Get all incident alerts.": {
- "$ref": "./examples/incidents/GetAllIncidentAlerts.json"
- }
- },
 "tags": [
 "IncidentAlerts"
 ],
 "description": "Gets all incident alerts.",
 "operationId": "Incidents_ListAlerts",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -321,21 +306,24 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_ListAlerts": {
+ "$ref": "./examples/incidents/IncidentAlerts/Incidents_ListAlerts.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks": {
 "post": {
- "x-ms-examples": {
- "Get all incident bookmarks.": {
- "$ref": "./examples/incidents/GetAllIncidentBookmarks.json"
- }
- },
 "tags": [
 "IncidentBookmarks"
 ],
 "description": "Gets all incident bookmarks.",
 "operationId": "Incidents_ListBookmarks",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -366,21 +354,24 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_ListBookmarks": {
+ "$ref": "./examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments": {
 "get": {
- "x-ms-examples": {
- "Get all incident comments.": {
- "$ref": "./examples/incidents/comments/GetAllIncidentComments.json"
- }
- },
 "tags": [
 "IncidentComments"
 ],
 "description": "Gets all incident comments.",
 "operationId": "IncidentComments_List",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -424,24 +415,26 @@
 }
 }
 },
- "x-ms-odata": "#/definitions/IncidentComment",
 "x-ms-pageable": {
 "nextLinkName": "nextLink"
+ },
+ "x-ms-examples": {
+ "IncidentComments_List": {
+ "$ref": "./examples/incidents/IncidentComments/IncidentComments_List.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}": {
 "get": {
- "x-ms-examples": {
- "Get an incident comment.": {
- "$ref": "./examples/incidents/comments/GetIncidentCommentById.json"
- }
- },
 "tags": [
 "IncidentComments"
 ],
 "description": "Gets an incident comment.",
 "operationId": "IncidentComments_Get",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -475,19 +468,22 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "IncidentComments_Get": {
+ "$ref": "./examples/incidents/IncidentComments/IncidentComments_Get.json"
+ }
 }
 },
 "put": {
- "x-ms-examples": {
- "Creates or updates an incident comment.": {
- "$ref": "./examples/incidents/comments/CreateIncidentComment.json"
- }
- },
 "tags": [
 "IncidentComments"
 ],
 "description": "Creates or updates the incident comment.",
 "operationId": "IncidentComments_CreateOrUpdate",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -530,19 +526,22 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "IncidentComments_CreateOrUpdate": {
+ "$ref": "./examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json"
+ }
 }
 },
 "delete": {
- "x-ms-examples": {
- "Delete the incident comment.": {
- "$ref": "./examples/incidents/comments/DeleteIncidentComment.json"
- }
- },
 "tags": [
 "IncidentComments"
 ],
 "description": "Delete the incident comment.",
 "operationId": "IncidentComments_Delete",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -576,21 +575,24 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "IncidentComments_Delete": {
+ "$ref": "./examples/incidents/IncidentComments/IncidentComments_Delete.json"
+ }
 }
 }
 },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": {
 "post": {
- "x-ms-examples": {
- "Gets all incident related entities": {
- "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json"
- }
- },
 "tags": [
 "IncidentEntities"
 ],
 "description": "Gets all incident related entities.",
 "operationId": "Incidents_ListEntities",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -621,6 +623,11 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
+ },
+ "x-ms-examples": {
+ "Incidents_ListEntities": {
+ "$ref": "./examples/incidents/IncidentEntities/Incidents_ListEntities.json"
+ }
 }
 }
 },
@@ -636,6 +643,9 @@
 ],
 "description": "Gets all incident relations.",
 "operationId": "IncidentRelations_List",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -697,6 +707,9 @@
 ],
 "description": "Gets an incident relation.",
 "operationId": "IncidentRelations_Get",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -743,6 +756,9 @@
 ],
 "description": "Creates or updates the incident relation.",
 "operationId": "IncidentRelations_CreateOrUpdate",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -798,6 +814,9 @@
 ],
 "description": "Delete the incident relation.",
 "operationId": "IncidentRelations_Delete",
+ "produces": [
+ "application/json"
+ ],
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -833,98 +852,306 @@ } } } - } - }, - "definitions": { - "Incident": { - "allOf": [ - { - "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" - } - ], - "description": "Represents an incident in Azure Security Insights.", - "properties": { - "properties": { - "$ref": "#/definitions/IncidentProperties", - "description": "Incident properties", - "x-ms-client-flatten": true - } - }, - "type": "object" }, - "IncidentAdditionalData": { - "description": "Incident additional data property bag.", - "properties": { - "alertsCount": { - "description": "The number of alerts in the incident", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "bookmarksCount": { - "description": "The number of bookmarks in the incident", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "commentsCount": { - "description": "The number of comments in the incident", - "readOnly": true, - "type": "integer", - "format": "int32" - }, - "alertProductNames": { - "description": "List of product names of alerts in the incident", - "items": { - "description": "Alert product name", - "type": "string" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/tasks": { + "get": { + "tags": [ + "IncidentTasks" + ], + "description": "Gets all incident tasks.", + "operationId": "IncidentTasks_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" }, - "readOnly": true, - "type": "array" - }, - "providerIncidentUrl": { - "description": "The provider incident url to the incident in Microsoft 365 Defender portal", - "readOnly": true, - "type": "string" - }, - "tactics": { - "description": "The tactics associated with incident", - "items": { - "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" 
+ { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" }, - "readOnly": true, - "type": "array" - }, - "techniques": { - "description": "The techniques associated with incident's tactics'", - "items": { - "description": "Attack Technique", - "type": "string" + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" }, - "readOnly": true, - "type": "array" + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentTaskList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "IncidentTasks_List": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_List.json" + } } - }, - "type": "object" + } }, - "IncidentAlertList": { - "description": "List of incident alerts.", - "properties": { - "value": { - "description": "Array of incident alerts.", - "type": "array", - "items": { - "$ref": "./common/EntityTypes.json#/definitions/SecurityAlert" + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/tasks/{incidentTaskId}": { + "get": { + "tags": [ + "IncidentTasks" + ], + "description": "Gets an incident task.", + "operationId": "IncidentTasks_Get", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, 
+ { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentTaskId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentTasks_Get": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_Get.json" } } }, - "required": [ - "value" - ], - "type": "object" + "put": { + "tags": [ + "IncidentTasks" + ], + "description": "Creates or updates the incident task.", + "operationId": "IncidentTasks_CreateOrUpdate", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentTaskId" + }, + { + "$ref": "#/parameters/IncidentTask" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/IncidentTask" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + 
"IncidentTasks_CreateOrUpdate": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json" + } + } + }, + "delete": { + "tags": [ + "IncidentTasks" + ], + "description": "Delete the incident task.", + "operationId": "IncidentTasks_Delete", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/IncidentId" + }, + { + "$ref": "#/parameters/IncidentTaskId" + } + ], + "responses": { + "200": { + "description": "OK" + }, + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } + } + }, + "x-ms-examples": { + "IncidentTasks_Delete": { + "$ref": "./examples/incidents/IncidentTasks/IncidentTasks_Delete.json" + } + } + } + } + }, + "definitions": { + "Incident": { + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "type": "object", + "$ref": "#/definitions/IncidentProperties", + "x-ms-client-flatten": true + } + } + }, + "IncidentAdditionalData": { + "description": "Incident additional data property bag.", + "type": "object", + "properties": { + "alertsCount": { + "format": "int32", + "description": "The number of alerts in the incident", + "type": "integer", + "readOnly": true + }, + "bookmarksCount": { + "format": "int32", + "description": "The number of bookmarks in the incident", + "type": "integer", + "readOnly": true + }, + 
"commentsCount": { + "format": "int32", + "description": "The number of comments in the incident", + "type": "integer", + "readOnly": true + }, + "alertProductNames": { + "description": "List of product names of alerts in the incident", + "type": "array", + "items": { + "description": "Alert product name", + "type": "string" + }, + "readOnly": true + }, + "tactics": { + "description": "The tactics associated with incident", + "type": "array", + "items": { + "$ref": "./common/AlertTypes.json#/definitions/AttackTactic" + }, + "readOnly": true + }, + "techniques": { + "description": "The techniques associated with incident's tactics", + "type": "array", + "items": { + "type": "string" + }, + "readOnly": true + }, + "providerIncidentUrl": { + "description": "The provider incident url to the incident in Microsoft 365 Defender portal", + "type": "string", + "readOnly": true + } + } + }, + "IncidentAlertList": { + "description": "List of incident alerts.", + "type": "object", + "properties": { + "value": { + "description": "Array of incident alerts.", + "type": "array", + "items": { + "$ref": "./common/EntityTypes.json#/definitions/SecurityAlert" + } + } + }, + "required": [ + "value" + ] }, "IncidentBookmarkList": { "description": "List of incident bookmarks.", + "type": "object", "properties": { "value": { "description": "Array of incident bookmarks.", @@ -936,10 +1163,10 @@ }, "required": [ "value" - ], - "type": "object" + ] }, "IncidentComment": { + "type": "object", "allOf": [ { "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" 
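Review bot: `Incident` loses its `description` ("Represents an incident in Azure Security Insights.") and its `properties` member loses "Incident properties" in the rewritten `definitions` block of the large hunk that ends on this line, so the generated reference for the main resource type has no text. The same regression hits `techniques.items` here and, in the later hunks, `IncidentCommentList`, `IncidentList.value`, `IncidentProperties`, `severity` and `status`. Restore the removed text, for example `"description": "Represents an incident in Azure Security Insights.",` on `Incident`. The new `IncidentTasks_*` operations also reference `#/parameters/IncidentTask` and `#/parameters/IncidentTaskId`, whose definitions are not in the visible part of the diff; confirm both exist in the `parameters` section.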
@@ -948,67 +1175,65 @@ "description": "Represents an incident comment", "properties": { "properties": { + "type": "object", "$ref": "#/definitions/IncidentCommentProperties", "description": "Incident comment properties", "x-ms-client-flatten": true } - }, - "type": "object" + } }, "IncidentCommentList": { - "description": "List of incident comments.", + "type": "object", "properties": { - "nextLink": { - "description": "URL to fetch the next set of comments.", - "readOnly": true, - "type": "string" - }, "value": { - "description": "Array of comments.", + "type": "array", "items": { "$ref": "#/definitions/IncidentComment" - }, - "type": "array" + } + }, + "nextLink": { + "type": "string", + "readOnly": true } }, "required": [ "value" - ], - "type": "object" + ] }, "IncidentCommentProperties": { "description": "Incident comment property bag.", + "required": [ + "message" + ], + "type": "object", "properties": { + "message": { + "description": "The comment message", + "type": "string" + }, "createdTimeUtc": { - "description": "The time the comment was created", "format": "date-time", - "readOnly": true, - "type": "string" + "description": "The time the comment was created", + "type": "string", + "readOnly": true }, "lastModifiedTimeUtc": { - "description": "The time the comment was updated", "format": "date-time", - "readOnly": true, - "type": "string" - }, - "message": { - "description": "The comment message", - "type": "string" + "description": "The time the comment was updated", + "type": "string", + "readOnly": true }, "author": { + "type": "object", "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo", "description": "Describes the client that created the comment", - "readOnly": true, - "type": "object" + "readOnly": true } - }, - "required": [ - "message" - ], - "type": "object" + } }, "IncidentEntitiesResponse": { "description": "The incident related entities response.", + "type": "object", "properties": { "entities": { "description": "Array of the 
incident related entities.", 
@@ -1024,199 +1249,288 @@ "$ref": "#/definitions/IncidentEntitiesResultsMetadata" } } - }, - "type": "object" + } }, "IncidentEntitiesResultsMetadata": { "description": "Information of a specific aggregation in the incident related entities result.", + "required": [ + "count", + "entityKind" + ], + "type": "object", "properties": { + "entityKind": { + "description": "The kind of the aggregated entity.", + "$ref": "./common/EntityTypes.json#/definitions/EntityInnerKind" + }, "count": { + "format": "int32", "description": "Total number of aggregations of the given kind in the incident related entities result.", - "type": "integer", - "format": "int32" - }, - "entityKind": { - "$ref": "./common/EntityTypes.json#/definitions/EntityInnerKind", - "description": "The kind of the aggregated entity." + "type": "integer" } - }, - "required": [ - "entityKind", - "count" - ], - "type": "object" + } }, "IncidentList": { + "required": [ + "value" + ], "description": "List all the incidents.", + "type": "object", "properties": { - "nextLink": { - "description": "URL to fetch the next set of incidents.", - "readOnly": true, - "type": "string" - }, "value": { - "description": "Array of incidents.", + "type": "array", "items": { "$ref": "#/definitions/Incident" - }, - "type": "array" + } + }, + "nextLink": { + "description": "URL to fetch the next set of incidents.", + "type": "string", + "readOnly": true } - }, - "required": [ - "value" - ], - "type": "object" + } }, "IncidentProperties": { - "description": "Describes incident properties", + "required": [ + "severity", + "status", + "title" + ], + "type": "object", "properties": { - "additionalData": { - "$ref": "#/definitions/IncidentAdditionalData", - "description": "Additional data on the incident", - "readOnly": true, - "type": "object" + "title": { + "description": "The title of the incident", + "type": "string" + }, + "description": { + "description": "The description of the incident", + "type": "string" + }, + "severity": { 
+ "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum" + }, + "status": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentStatusEnum" }, "classification": { "description": "The reason the incident was closed", - "type": "string", "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationEnum" }, - "classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, "classificationReason": { "description": "The classification reason the incident was closed with", - "type": "string", "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationReasonEnum" }, - "createdTimeUtc": { - "description": "The time the incident was created", - "format": "date-time", - "readOnly": true, - "type": "string" - }, - "description": { - "description": "The description of the incident", - "type": "string" - }, - "firstActivityTimeUtc": { - "description": "The time of the first activity in the incident", - "format": "date-time", - "type": "string" - }, - "incidentUrl": { - "description": "The deep-link url to the incident in Azure portal", - "readOnly": true, + "classificationComment": { + "description": "Describes the reason the incident was closed", "type": "string" }, - "incidentNumber": { - "description": "A sequential number", - "readOnly": true, - "type": "integer", - "format": "int32" + "owner": { + "type": "object", + "description": "Describes a user that the incident is assigned to", + "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo" }, "labels": { "description": "List of labels relevant to this incident", + "type": "array", "items": { "$ref": "./common/IncidentTypes.json#/definitions/IncidentLabel" - }, - "type": "array" - }, - "providerName": { - "description": "The name of the source provider that generated the incident", - "type": "string" + } }, - "providerIncidentId": { - "description": "The incident ID assigned by the incident provider", + 
"firstActivityTimeUtc": { + "format": "date-time", + "description": "The time of the first activity in the incident", "type": "string" }, "lastActivityTimeUtc": { - "description": "The time of the last activity in the incident", "format": "date-time", + "description": "The time of the last activity in the incident", "type": "string" }, "lastModifiedTimeUtc": { + "format": "date-time", "description": "The last time the incident was updated", + "type": "string", + "readOnly": true + }, + "createdTimeUtc": { "format": "date-time", - "readOnly": true, - "type": "string" + "description": "The time the incident was created", + "type": "string", + "readOnly": true }, - "owner": { - "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", + "incidentNumber": { + "format": "int32", + "description": "A sequential number", + "type": "integer", + "readOnly": true + }, + "additionalData": { + "$ref": "#/definitions/IncidentAdditionalData", + "description": "Additional data on the incident", + "readOnly": true, "type": "object" }, "relatedAnalyticRuleIds": { "description": "List of resource ids of Analytic rules related to the incident", + "type": "array", "items": { "description": "Related Analytic rule resource id", "type": "string" }, - "readOnly": true, - "type": "array" + "readOnly": true }, - "severity": { - "description": "The severity of the incident", + "incidentUrl": { + "description": "The deep-link url to the incident in Azure portal", "type": "string", - "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum" + "readOnly": true }, - "status": { - "description": "The status of the incident", - "type": "string", - "$ref": "./common/IncidentTypes.json#/definitions/IncidentStatusEnum" + "providerName": { + "description": "The name of the source provider that generated the incident", + "type": "string" + }, + "providerIncidentId": { + "description": "The incident ID 
assigned by the incident provider", + "type": "string" }, "teamInformation": { "$ref": "#/definitions/TeamInformation", "description": "Describes a team for the incident", "type": "object" + } + } + }, + "IncidentTask": { + "required": [ + "properties" + ], + "type": "object", + "allOf": [ + { + "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" + } + ], + "properties": { + "properties": { + "type": "object", + "$ref": "#/definitions/IncidentTaskProperties", + "x-ms-client-flatten": true + } + } + }, + "IncidentTaskList": { + "type": "object", + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentTask" + } }, - "title": { - "description": "The title of the incident", + "nextLink": { "type": "string" } - }, + } + }, + "IncidentTaskProperties": { "required": [ - "title", - "severity", - "status" + "status", + "title" + ], + "type": "object", + "properties": { + "title": { + "description": "The title of the task", + "type": "string" + }, + "description": { + "description": "The description of the task", + "type": "string" + }, + "status": { + "$ref": "#/definitions/IncidentTaskStatus" + }, + "createdTimeUtc": { + "format": "date-time", + "description": "The time the task was created", + "type": "string", + "readOnly": true + }, + "lastModifiedTimeUtc": { + "format": "date-time", + "description": "The last time the task was updated", + "type": "string", + "readOnly": true + }, + "createdBy": { + "type": "object", + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" + }, + "lastModifiedBy": { + "type": "object", + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" + } + } + }, + "IncidentTaskStatus": { + "enum": [ + "New", + "Completed" ], - "type": "object" + "type": "string", + "example": "New", + "x-ms-enum": { + "name": "IncidentTaskStatus", + "modelAsString": true, + "values": [ + { + "value": "New", + "description": "A new task" + }, + { + "value": "Completed", + 
"description": "A completed task" + } + ] + } }, "TeamInformation": { "description": "Describes team information", + "type": "object", "properties": { "teamId": { "description": "Team ID", - "readOnly": true, - "type": "string" + "type": "string", + "readOnly": true }, "primaryChannelUrl": { "description": "The primary channel URL of the team", - "readOnly": true, - "type": "string" + "type": "string", + "readOnly": true }, "teamCreationTimeUtc": { - "description": "The time the team was created", "format": "date-time", - "readOnly": true, - "type": "string" + "description": "The time the team was created", + "type": "string", + "readOnly": true }, "name": { "description": "The name of the team", - "readOnly": true, - "type": "string" + "type": "string", + "readOnly": true }, "description": { "description": "The description of the team", - "readOnly": true, - "type": "string" + "type": "string", + "readOnly": true } - }, - "type": "object" + } }, "TeamProperties": { "description": "Describes team properties", + "required": [ + "teamName" + ], + "type": "object", "properties": { "teamName": { "description": "The name of the team", 
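Review bot: `createdBy` and `lastModifiedBy` on `IncidentTaskProperties` are not marked `readOnly`, unlike `createdTimeUtc` / `lastModifiedTimeUtc` next to them and unlike `author` on `IncidentCommentProperties`, which carries `"readOnly": true`. As declared, a client may send its own attribution in the `IncidentTasks_CreateOrUpdate` body, and whether the service ignores it cannot be told from the spec; for a record of who did what during an incident, add `"readOnly": true` to both and give each a `description`. `IncidentTaskList` is also looser than `IncidentList` in this same hunk: `value` is not listed under `required`, and `nextLink` has no `readOnly` or description although `IncidentTasks_List` is declared pageable on it.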
@@ -1226,77 +1540,117 @@ "description": "The description of the team", "type": "string" }, - "memberIds": { - "description": "List of member IDs to add to the team", + "groupIds": { + "description": "List of group IDs to add their members to the team", + "type": "array", "items": { - "description": "A single-value attribute that is the unique identifier for the user, assigned by active directory.", "format": "uuid", "type": "string" - }, - "type": "array" + } }, - "groupIds": { - "description": "List of group IDs to add their members to the team", + "memberIds": { + "description": "List of member IDs to add to the team", + "type": "array", "items": { - "description": "A single-value attribute that is the unique identifier for the group, assigned by active directory.", "format": "uuid", "type": "string" - }, - "type": "array" + } } - }, - "required": [ - "teamName" - ], - "type": "object" + } } }, "parameters": { "Incident": { - "description": "The incident", - "in": "body", "name": "incident", + "description": "The incident", "required": true, + "in": "body", + "x-ms-parameter-location": "method", "schema": { "$ref": "#/definitions/Incident" - }, - "x-ms-parameter-location": "method" + } + }, + "IncidentId": { + "in": "path", + "name": "incidentId", + "description": "Incident ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" }, "IncidentComment": { - "description": "The incident comment", - "in": "body", "name": "incidentComment", + "description": "The incident comment", "required": true, + "in": "body", + "x-ms-parameter-location": "method", "schema": { "$ref": "#/definitions/IncidentComment" - }, - "x-ms-parameter-location": "method" + } }, "IncidentCommentId": { - "description": "Incident comment ID", "in": "path", "name": "incidentCommentId", + "description": "Incident comment ID", "required": true, - "type": "string", - "x-ms-parameter-location": "method" - }, - "IncidentId": { - "description": "Incident ID", - "in": "path", - 
"name": "incidentId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" + "x-ms-parameter-location": "method", + "type": "string" }, "TeamProperties": { + "name": "teamProperties", "description": "Team properties", + "required": true, "in": "body", - "name": "teamProperties", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/TeamInformation" + } + }, + "IncidentTask": { + "name": "incidentTask", + "description": "The incident task", "required": true, + "in": "body", + "x-ms-parameter-location": "method", "schema": { - "$ref": "#/definitions/TeamProperties" + "$ref": "#/definitions/IncidentTask" + } + }, + "IncidentTaskId": { + "in": "path", + "name": "incidentTaskId", + "description": "Incident task ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" + } + }, + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "flow": "implicit", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "scopes": { + "user_impersonation": "impersonate your user account" }, - "x-ms-parameter-location": "method" + "description": "Azure Active Directory OAuth2 Flow" } - } + }, + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "consumes": [ + "application/json" + ] } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/common/EntityTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/common/EntityTypes.json index 0a035390141b..a04c9422497c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/common/EntityTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/common/EntityTypes.json 
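Review bot: The `TeamProperties` body parameter now points its `schema` at `#/definitions/TeamInformation`, whose properties are all marked `readOnly` in the hunk above. A request body typed this way cannot carry `teamName`, `groupIds` or `memberIds`. The `TeamProperties` definition (with `teamName` required) is still present, and the removed line referenced it, so unless the swap is intentional the parameter should keep `"$ref": "#/definitions/TeamProperties"`. Separately, the per-item descriptions on `memberIds` and `groupIds` are dropped on the new side; keeping them tells callers which directory identifier the `uuid` is.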
@@ -253,9 +253,7 @@ "description": "Entity common property bag.", "properties": { "additionalData": { - "additionalProperties": { - "type": "object" - }, + "additionalProperties": true, "description": "A bag of custom fields that should be part of the entity and will be presented to the user.", "readOnly": true, "type": "object" diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json index 63bc31b13afe..0ce72c48631c 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json @@ -11,17 +11,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "Suspicious alerts in workspace", + "displayName": "Suspicious user sign-in events", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Alerts", + "triggersOn": "Incidents", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "AlertAnalyticRuleIds", + "propertyName": "IncidentRelatedAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", 
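Review bot: In EntityTypes.json, `"additionalProperties": true` leaves the value type of `additionalData` entries fully open, while the description only says the bag "will be presented to the user". The example files in this commit show string values (`eTag`, `entityId`, `alertMessageEnqueueTime`); if that holds for every producer, `"additionalProperties": { "type": "string" }` would describe the bag more tightly. Otherwise I would extend the description to say that values may be any JSON type, so client authors validate and encode them before display. The enclosing definition starts and ends outside the hunk.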
@@ -34,10 +34,10 @@ "actions": [ { "order": 1, - "actionType": "RunPlaybook", + "actionType": "AddIncidentTask", "actionConfiguration": { - "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d", - "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook" + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." } } ], @@ -66,17 +66,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "Suspicious alerts in workspace", + "displayName": "Suspicious user sign-in events", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Alerts", + "triggersOn": "Incidents", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "AlertAnalyticRuleIds", + "propertyName": "IncidentRelatedAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", @@ -89,10 +89,10 @@ "actions": [ { "order": 1, - "actionType": "RunPlaybook", + "actionType": "AddIncidentTask", "actionConfiguration": { - "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d", - "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook" + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." } } ], @@ -120,7 +120,7 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "Suspicious alerts in workspace", + "displayName": "Suspicious user sign-in events", "order": 1, "triggeringLogic": { "isEnabled": true, 
@@ -130,7 +130,7 @@ { "conditionType": "Property", "conditionProperties": { - "propertyName": "AlertAnalyticRuleIds", + "propertyName": "IncidentRelatedAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", @@ -143,10 +143,10 @@ "actions": [ { "order": 1, - "actionType": "RunPlaybook", + "actionType": "AddIncidentTask", "actionConfiguration": { - "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d", - "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook" + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." } } ], diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_Get.json index 986dbd971592..1290bfad85f9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_Get.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_Get.json @@ -14,7 +14,7 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "Suspicious alerts in workspace", + "displayName": "Suspicious user sign-in events", "order": 1, "triggeringLogic": { "isEnabled": true, 
@@ -22,68 +22,13 @@ "triggersWhen": "Created", "conditions": [ { - "conditionType": "Boolean", + "conditionType": "Property", "conditionProperties": { - "operator": "Or", - "innerConditions": [ - { - "conditionType": "Property", - "conditionProperties": { - "propertyName": "AccountName", - "operator": "Equals", - "propertyValues": [ - "Administrator" - ] - } - }, - { - "conditionType": "Property", - "conditionProperties": { - "propertyName": "HostName", - "operator": "Equals", - "propertyValues": [ - "MainServer" - ] - } - } - ] - } - }, - { - "conditionType": "PropertyArray", - "conditionProperties": { - "arrayType": "CustomDetails", - "arrayConditionType": "AnyItem", - "itemConditions": [ - { - "conditionType": "Property", - "conditionProperties": { - "propertyName": "IncidentCustomDetailsKey", - "operator": "Equals", - "propertyValues": [ - "AlertTags" - ] - } - }, - { - "conditionType": "PropertyArray", - "conditionProperties": { - "arrayType": "CustomDetailValues", - "arrayConditionType": "AnyItem", - "itemConditions": [ - { - "conditionType": "Property", - "conditionProperties": { - "propertyName": "IncidentCustomDetailsValue", - "operator": "Equals", - "propertyValues": [ - "HighPriority" - ] - } - } - ] - } - } + "propertyName": "IncidentRelatedAnalyticRuleIds", + "operator": "Contains", + "propertyValues": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" ] } } 
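Review bot: Example coverage for nested conditions is lost in AutomationRules_Get.json: the `Boolean` (`Or` with `innerConditions`) and `PropertyArray` (`CustomDetails` / `CustomDetailValues`) samples are removed. Every automation-rule example touched by this commit now shows the same single `Property` condition. Unless an example outside this view still covers those shapes, I would keep one nested condition in the Get example next to the new `IncidentRelatedAnalyticRuleIds` one. The same applies to `RunPlaybook`, which the `actions` hunks in the CreateOrUpdate, Get and List examples all replace with `AddIncidentTask`.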
@@ -92,10 +37,10 @@ "actions": [ { "order": 1, - "actionType": "RunPlaybook", + "actionType": "AddIncidentTask", "actionConfiguration": { - "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d", - "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook" + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." } } ], diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_List.json index f255121dab24..09430516e733 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_List.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/automationRules/AutomationRules_List.json @@ -15,17 +15,17 @@ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", "type": "Microsoft.SecurityInsights/automationRules", "properties": { - "displayName": "Suspicious alerts in workspace", + "displayName": "Suspicious user sign-in events", "order": 1, "triggeringLogic": { "isEnabled": true, - "triggersOn": "Alerts", + "triggersOn": "Incidents", "triggersWhen": "Created", "conditions": [ { "conditionType": "Property", "conditionProperties": { - "propertyName": "AlertAnalyticRuleIds", + "propertyName": "IncidentRelatedAnalyticRuleIds", "operator": "Contains", "propertyValues": [ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", 
@@ -38,10 +38,10 @@ "actions": [ { "order": 1, - "actionType": "RunPlaybook", + "actionType": "AddIncidentTask", "actionConfiguration": { - "tenantId": "d23e3eef-eed0-428f-a2d5-bc48c268e31d", - "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/AlertPlaybook" + "title": "Reset user passwords", + "description": "Reset passwords for compromised users." } } ], diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetAllIncidentBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetAllIncidentBookmarks.json deleted file mode 100644 index 9f55edc23af7..000000000000 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetAllIncidentBookmarks.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "parameters": { - "api-version": "2022-12-01-preview", - "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", - "resourceGroupName": "myRg", - "workspaceName": "myWorkspace", - "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812" - }, - "responses": { - "200": { - "body": { - "value": [ - { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812", - "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", - "type": "Microsoft.SecurityInsights/Entities", - "kind": "Bookmark", - "properties": { - "displayName": "SecurityEvent - 868f40f4698d", - "created": "2020-06-17T15:34:01.4265524+00:00", - "updated": "2020-06-17T15:34:01.4265524+00:00", - "createdBy": { - "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", - "email": "user@microsoft.com", - "name": "user" - }, - "updatedBy": { - "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", - "email": "user@microsoft.com", - "name": "user" - }, - "eventTime": "2020-06-17T15:34:01.4265524+00:00", - "labels": [], - "query": "SecurityEvent\r\n| take 1\n", - "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}", - "additionalData": { - "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"", - "EntityId": 
"afbd324f-6c48-459c-8710-8d1e1cd03812" - }, - "friendlyName": "SecurityEvent - 868f40f4698d" - } - }, - { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/bbbd324f-6c48-459c-8710-8d1e1cd03812", - "name": "bbbd324f-6c48-459c-8710-8d1e1cd03812", - "type": "Microsoft.SecurityInsights/Entities", - "kind": "Bookmark", - "properties": { - "displayName": "SecurityEvent - 868f40f4698d", - "created": "2020-06-17T15:34:01.4265524+00:00", - "updated": "2020-06-17T15:34:01.4265524+00:00", - "createdBy": { - "objectId": "303ca914-5eb6-45e5-9417-fe0797c372fd", - "email": "user@microsoft.com", - "name": "user" - }, - "updatedBy": { - "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", - "email": "user@microsoft.com", - "name": "user" - }, - "eventTime": "2020-06-17T15:34:01.4265524+00:00", - "labels": [], - "query": "SecurityEvent\r\n| take 1\n", - "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}", - "additionalData": { - "ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"", - "EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812" - }, - "friendlyName": "SecurityEvent - 868f40f4698d" - } - } - ] - } - } - } -} 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetAllIncidentAlerts.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json similarity index 80% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetAllIncidentAlerts.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json index e15c04edaa91..97088f313433 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetAllIncidentAlerts.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentAlerts/Incidents_ListAlerts.json @@ -4,7 +4,7 @@ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", - "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812" + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600" }, "responses": { "200": { @@ -24,11 +24,11 @@ "vendorName": "Microsoft", "productName": "Azure Security Center", "alertType": "myAlert", - "processingEndTime": "2020-07-20T18:21:53.6158361Z", + "processingEndTime": "2020-07-20T18:21:53.615Z", "status": "New", - "endTimeUtc": "2020-07-20T18:21:53.6158361Z", - "startTimeUtc": "2020-07-20T18:21:53.6158361Z", - "timeGenerated": "2020-07-20T18:21:53.6158361Z", + "endTimeUtc": "2020-07-20T18:21:53.615Z", + "startTimeUtc": "2020-07-20T18:21:53.615Z", + "timeGenerated": "2020-07-20T18:21:53.615Z", "resourceIdentifiers": [ { "type": "LogAnalytics", 
@@ -38,7 +38,7 @@ } ], "additionalData": { - "AlertMessageEnqueueTime": "2020-07-20T18:21:57.304Z" + "alertMessageEnqueueTime": "2020-07-20T18:21:57.304Z" }, "friendlyName": "myAlert" } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json new file mode 100644 index 000000000000..5d6a6c324bc4 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentBookmarks/Incidents_ListBookmarks.json 
@@ -0,0 +1,47 @@ +{ + "parameters": { + "api-version": "2022-12-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812", + "name": "afbd324f-6c48-459c-8710-8d1e1cd03812", + "type": "Microsoft.SecurityInsights/Entities", + "kind": "Bookmark", + "properties": { + "displayName": "SecurityEvent - 868f40f4698d", + "created": "2020-06-17T15:34:01.426+00:00", + "updated": "2020-06-17T15:34:01.426+00:00", + "createdBy": { + "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", + "email": "user@contoso.com", + "name": "user" + }, + "updatedBy": { + "objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd", + "email": "user@contoso.com", + "name": "user" + }, + "eventTime": "2020-06-17T15:34:01.426+00:00", + "labels": [], + "query": "SecurityEvent\r\n| take 1\n", + "queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}", + "additionalData": { + "eTag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"", + "entityId": 
"afbd324f-6c48-459c-8710-8d1e1cd03812" + }, + "friendlyName": "SecurityEvent - 868f40f4698d" + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/CreateIncidentComment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json similarity index 82% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/CreateIncidentComment.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json index ce180d30d67c..9f0e3179ced9 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/CreateIncidentComment.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_CreateOrUpdate.json 
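Review bot: The `id` in the new Incidents_ListBookmarks.json spells the workspace provider `Microsoft.OperationalIinsights` (doubled `i`); it should read `Microsoft.OperationalInsights`, as the automation-rule examples in this commit do. The same spelling appears in the IncidentComments examples and in the new IncidentTasks_CreateOrUpdate.json. Also, the e-mail addresses were moved to `contoso.com`, but `queryResult` still embeds a routable-looking address in `IpAddress`. A documentation-range value such as `203.0.113.10` (constructed) would keep the sample free of real hosts.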
@@ -17,17 +17,17 @@ "body": { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", "type": "Microsoft.SecurityInsights/incidents/comments", - "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", "properties": { "message": "Some message", "createdTimeUtc": "2019-01-01T13:15:30Z", - "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "lastModifiedTimeUtc": "2019-01-03T13:15:30Z", "author": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", - "name": "john doe" + "name": "john doe", + "userPrincipalName": "john@contoso.com" } } } @@ -36,17 +36,17 @@ "body": { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", "type": "Microsoft.SecurityInsights/incidents/comments", - "etag": "190057d0-0000-0d00-0000-5c622adb0000", "properties": { "message": "Some message", "createdTimeUtc": "2019-01-01T13:15:30Z", - "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T13:15:30Z", "author": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", - "name": "john doe" + "name": "john doe", + "userPrincipalName": "john@contoso.com" } } } 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/DeleteIncidentComment.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json similarity index 100% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/DeleteIncidentComment.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_Delete.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/GetIncidentCommentById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json similarity index 88% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/GetIncidentCommentById.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json index 0ef9d889f0e9..0327782786ab 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/GetIncidentCommentById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_Get.json 
@@ -12,8 +12,8 @@ "body": { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", "type": "Microsoft.SecurityInsights/incidents/comments", - "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", "properties": { "message": "Some message", "createdTimeUtc": "2019-01-01T13:15:30Z", @@ -21,8 +21,8 @@ "author": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", - "name": "john doe" + "name": "john doe", + "userPrincipalName": "john@contoso.com" } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/GetAllIncidentComments.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json similarity index 88% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/GetAllIncidentComments.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json index fee3e49737df..4c3940a7ef5d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/comments/GetAllIncidentComments.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentComments/IncidentComments_List.json 
@@ -13,8 +13,8 @@ { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/comments/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", "type": "Microsoft.SecurityInsights/incidents/comments", - "etag": "190057d0-0000-0d00-0000-5c6f5adb0000", "properties": { "message": "Some message", "createdTimeUtc": "2019-01-01T13:15:30Z", @@ -22,8 +22,8 @@ "author": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", - "name": "john doe" + "name": "john doe", + "userPrincipalName": "john@contoso.com" } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/entities/GetAllIncidentEntities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json similarity index 86% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/entities/GetAllIncidentEntities.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json index d2645db8fdf2..c5fe7b6a343d 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/entities/GetAllIncidentEntities.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentEntities/Incidents_ListEntities.json 
@@ -4,7 +4,7 @@ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "resourceGroupName": "myRg", "workspaceName": "myWorkspace", - "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812" + "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600" }, "responses": { "200": { @@ -16,9 +16,9 @@ "type": "Microsoft.SecurityInsights/Entities", "kind": "Account", "properties": { - "friendlyName": "administrator", "accountName": "administrator", - "ntDomain": "domain" + "ntDomain": "domain", + "friendlyName": "administrator" } } ], diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json new file mode 100644 index 000000000000..f87f0fb15bf3 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_CreateOrUpdate.json 
@@ -0,0 +1,73 @@ +{ + "parameters": { + "api-version": "2022-12-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentTaskId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "incidentTask": { + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New" + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + }, + "201": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": 
"Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json new file mode 100644 index 000000000000..d09d4b78ca0d --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Delete.json @@ -0,0 +1,14 @@ +{ + "parameters": { + "api-version": "2022-12-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentTaskId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": {}, + "204": {} + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json new file mode 100644 index 000000000000..3973303a998b --- /dev/null 
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_Get.json @@ -0,0 +1,39 @@ +{ + "parameters": { + "api-version": "2022-12-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "incidentTaskId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json new file mode 100644 index 000000000000..6c077cf02901 --- /dev/null 
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTasks/IncidentTasks_List.json @@ -0,0 +1,42 @@ +{ + "parameters": { + "api-version": "2022-12-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5/tasks/4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014", + "etag": "\"190057d0-0000-0d00-0000-5c6f5adb0000\"", + "type": "Microsoft.SecurityInsights/incidents/tasks", + "properties": { + "title": "Task title", + "description": "Task description", + "status": "New", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "lastModifiedTimeUtc": "2019-01-03T11:10:30Z", + "createdBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + }, + "lastModifiedBy": { + "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", + "email": "john.doe@contoso.com", + "name": "john doe", + "userPrincipalName": "john@contoso.com" + } + } + } + ] + } + } + } +} 
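Review bot: The `id` value in this new example spells the workspace provider as `Microsoft.OperationalIinsights` (doubled "I"), which does not match the `Microsoft.OperationalInsights` segment in the operation path in Incidents.json. The same string is copied into the new IncidentTasks_CreateOrUpdate.json and IncidentTasks_Get.json bodies and into the `relatedAnalyticRuleIds` and `incidentUrl` values added to the Incidents_* examples. Context lines show the older examples already carry it, so it looks inherited, but new files are the cheap place to stop spreading it: the segment should read `providers/Microsoft.OperationalInsights/workspaces/myWorkspace`. A resource ID copied from these examples into a scope or role-assignment string would not match any real workspace.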
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/CreateTeam.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json
similarity index 68%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/CreateTeam.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json
index 606fd42876da..c0af1c29b245 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/CreateTeam.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/IncidentTeam/Incidents_CreateTeam.json
@@ -1,13 +1,15 @@
 {
 "parameters": {
 "api-version": "2022-12-01-preview",
- "subscriptionId": "9023f5b5-df22-4313-8fbf-b4b75af8a6d9",
- "resourceGroupName": "ambawolvese5resourcegroup",
- "workspaceName": "AmbaE5WestCentralUS",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
 "incidentId": "69a30280-6a4c-4aa7-9af0-5d63f335d600",
 "teamProperties": {
 "teamName": "Team name",
- "teamDescription": "Team description"
+ "teamDescription": "Team description",
+ "groupIds": null,
+ "memberIds": null
 }
 },
 "responses": {
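Review bot: The placeholder swap in this hunk is only partial. The request parameters now use the shared sample subscription, `myRg` and `myWorkspace`, but the 200 body in the next hunk still returns a `primaryChannelUrl` carrying a concrete `groupId`, `tenantId` and Teams thread ID. The diff does not show whether those are synthetic, though the names removed here (`ambawolvese5resourcegroup`, `AmbaE5WestCentralUS`) suggest the example was captured from a live environment. If they are real, replace them with obvious dummies such as `tenantId=00000000-0000-0000-0000-000000000000`, and do the same for the `tid=` query parameter in the `providerIncidentUrl` lines of the Incidents_* examples.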
@@ -15,7 +17,7 @@
 "body": {
 "teamId": "99978838-9bda-4ad4-8f93-4cf7ebc50ca5",
 "primaryChannelUrl": "https://teams.microsoft.com/l/team/19:80bf3b25485b4067b7d2dc4eec9e1578%40thread.tacv2/conversations?groupId=99978838-9bda-4ad4-8f93-4cf7ebc50ca5&tenantId=5b5a146c-eba8-46af-96f8-e31b50d15a3f",
- "teamCreationTimeUtc": "2021-03-15T17:08:21.9954238+02:00",
+ "teamCreationTimeUtc": "2021-03-15T17:08:21.995Z",
 "name": "Team name",
 "description": "Team description"
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/CreateIncident.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_CreateOrUpdate.json
similarity index 73%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/CreateIncident.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_CreateOrUpdate.json
index d8af262b3b5a..6b6bac5e3490 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/CreateIncident.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_CreateOrUpdate.json
@@ -8,18 +8,22 @@
 "incident": {
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
 "properties": {
- "lastActivityTimeUtc": "2019-01-01T13:05:30Z",
- "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
- "description": "This is a demo incident",
 "title": "My incident",
- "owner": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
- },
+ "description": "This is a demo incident",
 "severity": "High",
+ "status": "Closed",
 "classification": "FalsePositive",
+ "classificationReason": "InaccurateData",
 "classificationComment": "Not a malicious activity",
- "classificationReason": "IncorrectAlertLogic",
- "status": "Closed"
+ "owner": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": null,
+ "assignedTo": null,
+ "userPrincipalName": null,
+ "ownerType": null
+ },
+ "firstActivityTimeUtc": "2019-01-01T13:00:30Z",
+ "lastActivityTimeUtc": "2019-01-01T13:05:30Z"
 }
 }
 },
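Review bot: The request-body `owner` now sends `email`, `assignedTo`, `userPrincipalName` and `ownerType` as explicit `null`, and the Incidents_CreateTeam example does the same for `groupIds` and `memberIds`. The schemas for these properties are not in this hunk, so it is unclear whether they are declared nullable. If they are not, the example teaches callers to send values the contract does not describe, and `ownerType` is shown as the string `"User"` in the responses. Omitting the unset keys keeps the request unambiguous, as the previous example did with `"owner": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70" }`. The two team fields are presumably arrays, so leave them out or use `[]` rather than `null`.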
@@ -28,42 +32,51 @@ "body": { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/incidents", "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"", + "type": "Microsoft.SecurityInsights/incidents", "properties": { - "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", - "createdTimeUtc": "2019-01-01T13:15:30Z", - "lastActivityTimeUtc": "2019-01-01T13:05:30Z", - "firstActivityTimeUtc": "2019-01-01T13:00:30Z", - "description": "This is a demo incident", "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", "owner": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", "ownerType": "User" }, - "severity": "High", - "classification": "FalsePositive", - "classificationComment": "Not a malicious activity", - "classificationReason": "IncorrectAlertLogic", - "status": "Closed", - "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "incidentNumber": 3177, "labels": [], - "providerName": "Azure Sentinel", - "providerIncidentId": "3177", - "relatedAnalyticRuleIds": [], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": 
"2019-01-01T13:15:30Z", + "incidentNumber": 3177, "additionalData": { "alertsCount": 0, "bookmarksCount": 0, "commentsCount": 3, "alertProductNames": [], - "tactics": [], - "techniques": [], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1091", + "T1133", + "T1053" + ], "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" - } + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" } } }, 
@@ -71,41 +84,51 @@ "body": { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/incidents", "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"", + "type": "Microsoft.SecurityInsights/incidents", "properties": { - "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", - "createdTimeUtc": "2019-01-01T13:15:30Z", - "lastActivityTimeUtc": "2019-01-01T13:05:30Z", - "firstActivityTimeUtc": "2019-01-01T13:00:30Z", - "description": "This is a demo incident", "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", "owner": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", + "assignedTo": "john doe", "userPrincipalName": "john@contoso.com", - "assignedTo": "john doe" + "ownerType": "User" }, - "severity": "High", - "classification": "FalsePositive", - "classificationComment": "Not a malicious activity", - "classificationReason": "IncorrectAlertLogic", - "status": "Closed", - "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "incidentNumber": 3177, "labels": [], - "providerName": "Azure Sentinel", - "providerIncidentId": "3177", - "relatedAnalyticRuleIds": [], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": 
"2019-01-01T13:15:30Z", + "incidentNumber": 3177, "additionalData": { "alertsCount": 0, "bookmarksCount": 0, "commentsCount": 3, "alertProductNames": [], - "tactics": [], - "techniques": [], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": [ + "T1091", + "T1133", + "T1053" + ], "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" - } + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/DeleteIncident.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_Delete.json similarity index 100% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/DeleteIncident.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_Delete.json 
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetIncidentById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_Get.json similarity index 98% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetIncidentById.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_Get.json index b376a9918cf4..8744ded8d167 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetIncidentById.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_Get.json 
@@ -11,35 +11,29 @@ "body": { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/incidents", "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/incidents", "properties": { - "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", - "createdTimeUtc": "2019-01-01T13:15:30Z", - "lastActivityTimeUtc": "2019-01-01T13:05:30Z", - "firstActivityTimeUtc": "2019-01-01T13:00:30Z", - "description": "This is a demo incident", "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", "owner": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", "ownerType": "User" }, - "severity": "High", - "classification": "FalsePositive", - "classificationComment": "Not a malicious activity", - "classificationReason": "InaccurateData", - "status": "Closed", - "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "incidentNumber": 3177, "labels": [], - "providerName": "Azure Sentinel", - "providerIncidentId": "3177", - "relatedAnalyticRuleIds": [ - 
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" - ], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "incidentNumber": 3177, "additionalData": { "alertsCount": 0, "bookmarksCount": 0, @@ -55,7 +49,13 @@ "T1053" ], "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" - } + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" } } } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetIncidents.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_List.json similarity index 87% rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetIncidents.json rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_List.json index a3ef48b1f301..0057db725e0a 100644 
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/GetIncidents.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2022-12-01-preview/examples/incidents/Incidents_List.json 
@@ -14,49 +14,51 @@ { "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "type": "Microsoft.SecurityInsights/incidents", "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"", + "type": "Microsoft.SecurityInsights/incidents", "properties": { - "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", - "createdTimeUtc": "2019-01-01T13:15:30Z", - "lastActivityTimeUtc": "2019-01-01T13:05:30Z", - "firstActivityTimeUtc": "2019-01-01T13:00:30Z", - "description": "This is a demo incident", "title": "My incident", + "description": "This is a demo incident", + "severity": "High", + "status": "Closed", + "classification": "FalsePositive", + "classificationReason": "InaccurateData", + "classificationComment": "Not a malicious activity", "owner": { "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70", "email": "john.doe@contoso.com", - "userPrincipalName": "john@contoso.com", "assignedTo": "john doe", + "userPrincipalName": "john@contoso.com", "ownerType": "User" }, - "severity": "High", - "classification": "FalsePositive", - "classificationComment": "Not a malicious activity", - "classificationReason": "IncorrectAlertLogic", - "status": "Closed", - "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", - "incidentNumber": 3177, "labels": [], - "providerName": "Azure Sentinel", - "providerIncidentId": "3177", - "relatedAnalyticRuleIds": [ - 
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7", - "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a" - ], + "firstActivityTimeUtc": "2019-01-01T13:00:30Z", + "lastActivityTimeUtc": "2019-01-01T13:05:30Z", + "lastModifiedTimeUtc": "2019-01-01T13:15:30Z", + "createdTimeUtc": "2019-01-01T13:15:30Z", + "incidentNumber": 3177, "additionalData": { "alertsCount": 0, "bookmarksCount": 0, "commentsCount": 3, "alertProductNames": [], "tactics": [ + "InitialAccess", "Persistence" ], "techniques": [ + "T1091", + "T1133", "T1053" ], "providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f" - } + }, + "relatedAnalyticRuleIds": [ + "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7" + ], + "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5", + "providerName": "Azure Sentinel", + "providerIncidentId": "3177" } } ] diff --git a/specification/securityinsights/resource-manager/common/2.0/types.json b/specification/securityinsights/resource-manager/common/2.0/types.json index 9443ea2f9683..95e2052235e5 100644 --- a/specification/securityinsights/resource-manager/common/2.0/types.json +++ b/specification/securityinsights/resource-manager/common/2.0/types.json 
@@ -108,6 +108,7 @@
 "name": "workspaceName",
 "required": true,
 "type": "string",
+ "pattern": "^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$",
 "x-ms-parameter-location": "method"
 },
 "OperationalInsightsResourceProvider": {
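Review bot: The new `pattern` on `workspaceName` constrains the character set but not the length: it accepts any name of three or more characters, with no upper bound. The name suggests this value is a path segment, so pair the pattern with explicit bounds, for example `"minLength": 4, "maxLength": 63` if that matches the Log Analytics workspace naming rule (confirm against the OperationalInsights spec before adopting the numbers). This file is `common/2.0/types.json`, so the constraint probably applies to every API version that references the parameter, not only 2022-12-01-preview. It is worth confirming that no existing example or client uses a name the pattern rejects. The parameter definition starts above the hunk.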