diff --git a/schemas/2022-08-01-preview/Microsoft.SecurityInsights.json b/schemas/2022-08-01-preview/Microsoft.SecurityInsights.json new file mode 100644 index 0000000000..079b054c80 --- /dev/null +++ b/schemas/2022-08-01-preview/Microsoft.SecurityInsights.json @@ -0,0 +1,7890 @@ +{ + "id": "https://schema.management.azure.com/schemas/2022-08-01-preview/Microsoft.SecurityInsights.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.SecurityInsights", + "description": "Microsoft SecurityInsights Resource Types", + "resourceDefinitions": {}, + "extension_resourceDefinitions": { + "alertRules": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRule" + }, + { + "$ref": "#/definitions/FusionAlertRule" + }, + { + "$ref": "#/definitions/ThreatIntelligenceAlertRule" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRule" + }, + { + "$ref": "#/definitions/ScheduledAlertRule" + }, + { + "$ref": "#/definitions/NrtAlertRule" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Alert rule ID" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/alertRules_actions_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules" + }, + "alertRules_actions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules/actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "automationRules": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Automation rule ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Automation rule properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/automationRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/automationRules" + }, + "bookmarks": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Bookmark ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/BookmarkProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes bookmark properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/bookmarks_relations_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/bookmarks" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/bookmarks" + }, + "bookmarks_relations": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/bookmarks/relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/bookmarks/relations" + }, + "dataConnectors": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/AADDataConnector" + }, + { + "$ref": "#/definitions/MSTIDataConnector" + }, + { + "$ref": "#/definitions/MTPDataConnector" + }, + { + "$ref": "#/definitions/AATPDataConnector" + }, + { + "$ref": "#/definitions/ASCDataConnector" + }, + { + "$ref": "#/definitions/AwsCloudTrailDataConnector" + }, + { + "$ref": "#/definitions/AwsS3DataConnector" + }, + { + "$ref": "#/definitions/MCASDataConnector" + }, + { + "$ref": "#/definitions/Dynamics365DataConnector" + }, + { + "$ref": "#/definitions/OfficeATPDataConnector" + }, + { + "$ref": "#/definitions/Office365ProjectDataConnector" + }, + { + "$ref": "#/definitions/OfficePowerBIDataConnector" + }, + { + "$ref": "#/definitions/OfficeIRMDataConnector" + }, + { + "$ref": "#/definitions/MDATPDataConnector" + }, + { + "$ref": "#/definitions/OfficeDataConnector" + }, + { + "$ref": "#/definitions/TIDataConnector" + }, + { + "$ref": "#/definitions/TiTaxiiDataConnector" + }, + { + "$ref": "#/definitions/IoTDataConnector" + }, + { + "$ref": "#/definitions/CodelessUiDataConnector" + }, + { + "$ref": "#/definitions/CodelessApiPollingDataConnector" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Connector ID" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/dataConnectors" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/dataConnectors" + }, + "entityQueries": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/ActivityCustomEntityQuery" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "entity query ID" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/entityQueries" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/entityQueries" + }, + "fileImports": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "name": { + "type": "string", + "description": "File import ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/FileImportProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes the FileImport's properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/fileImports" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/fileImports" + }, + "incidents": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes incident properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/incidents_comments_childResource" + }, + { + "$ref": "#/definitions/incidents_relations_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents" + }, + "incidents_comments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "metadata": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The Metadata name." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MetadataProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Metadata property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/metadata" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/metadata" + }, + "onboardingStates": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The Sentinel onboarding state name. Supports - default" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SentinelOnboardingStateProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Sentinel onboarding state properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/onboardingStates" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/onboardingStates" + }, + "securityMLAnalyticsSettings": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/AnomalySecurityMLAnalyticsSettings" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Security ML Analytics Settings resource name" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/securityMLAnalyticsSettings" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/securityMLAnalyticsSettings" + }, + "settings": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/Anomalies" + }, + { + "$ref": "#/definitions/EyesOn" + }, + { + "$ref": "#/definitions/EntityAnalytics" + }, + { + "$ref": "#/definitions/Ueba" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/settings" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/settings" + }, + "sourcecontrols": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Source control Id" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SourceControlProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes source control properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/sourcecontrols" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/sourcecontrols" + }, + "threatIntelligence_indicators": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Threat intelligence indicator name field." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes threat intelligence entity properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/threatIntelligence/indicators" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/threatIntelligence/indicators" + }, + "watchlists": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Watchlist Alias" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/watchlists_watchlistItems_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists" + }, + "watchlists_watchlistItems": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Watchlist Item Id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists/watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + }, + "definitions": { + "AADDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureActiveDirectory" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AADDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AAD (Azure Active Directory) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents AAD (Azure Active Directory) data connector." + }, + "AADDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "tenantId" + ], + "description": "AAD (Azure Active Directory) data connector properties." + }, + "AATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector." + }, + "AATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "tenantId" + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties." + }, + "ActionRequestProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}." + }, + "triggerUri": { + "type": "string", + "description": "Logic App Callback URL for this specific workflow." + } + }, + "required": [ + "logicAppResourceId", + "triggerUri" + ], + "description": "Action property bag." + }, + "ActivityCustomEntityQuery": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Activity" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActivityEntityQueriesProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes activity entity query properties" + } + }, + "required": [ + "kind" + ], + "description": "Represents Activity entity query." + }, + "ActivityEntityQueriesProperties": { + "type": "object", + "properties": { + "content": { + "type": "string", + "description": "The entity query content to display in timeline" + }, + "description": { + "type": "string", + "description": "The entity query description" + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this activity is enabled or disabled." + }, + "entitiesFilter": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "array", + "items": { + "type": "string" + } + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The query applied only to entities matching to all filters" + }, + "inputEntityType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Account", + "Host", + "File", + "AzureResource", + "CloudApplication", + "DNS", + "FileHash", + "IP", + "Malware", + "Process", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "IoTDevice", + "SecurityAlert", + "HuntingBookmark", + "MailCluster", + "MailMessage", + "Mailbox", + "SubmissionMail", + "Nic" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The type of the query's source entity." + }, + "queryDefinitions": { + "oneOf": [ + { + "$ref": "#/definitions/ActivityEntityQueriesPropertiesQueryDefinitions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Activity query definitions" + }, + "requiredInputFieldsSets": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "array", + "items": { + "type": "string" + } + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of the fields of the source entity that are required to run the query" + }, + "templateName": { + "type": "string", + "description": "The template id this activity was created from" + }, + "title": { + "type": "string", + "description": "The entity query title" + } + }, + "description": "Describes activity entity query properties" + }, + "ActivityEntityQueriesPropertiesQueryDefinitions": { + "type": "object", + "properties": { + "query": { + "type": "string", + "description": "The Activity query to run on a given entity" + } + }, + "description": "The Activity query definitions" + }, + "AlertDetailsOverride": { + "type": "object", + "properties": { + "alertDescriptionFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert description" + }, + "alertDisplayNameFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert name" + }, + "alertSeverityColumnName": { + "type": "string", + "description": "the column name to take the alert severity from" + }, + "alertTacticsColumnName": { + "type": "string", + "description": "the column name to take the alert tactics from" + } + }, + "description": "Settings for how to dynamically override alert static details" + }, + "alertRules_actions_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "AlertsDataTypeOfDataConnector": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "required": [ + "alerts" + ], + "description": "Alerts data type for data connectors." + }, + "Anomalies": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Anomalies" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AnomaliesSettingsProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Anomalies property bag." + } + }, + "required": [ + "kind" + ], + "description": "Settings with single toggle." + }, + "AnomaliesSettingsProperties": { + "type": "object", + "properties": {}, + "description": "Anomalies property bag." + }, + "AnomalySecurityMLAnalyticsSettings": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Anomaly" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AnomalySecurityMLAnalyticsSettingsProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AnomalySecurityMLAnalytics settings base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents Anomaly Security ML Analytics Settings" + }, + "AnomalySecurityMLAnalyticsSettingsProperties": { + "type": "object", + "properties": { + "anomalySettingsVersion": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The anomaly settings version of the Anomaly security ml analytics settings that dictates whether job version gets updated or not." + }, + "anomalyVersion": { + "type": "string", + "description": "The anomaly version of the AnomalySecurityMLAnalyticsSettings." + }, + "customizableObservations": { + "type": "object", + "properties": {}, + "description": "The customizable observations of the AnomalySecurityMLAnalyticsSettings." + }, + "description": { + "type": "string", + "description": "The description of the SecurityMLAnalyticsSettings." + }, + "displayName": { + "type": "string", + "description": "The display name for settings created by this SecurityMLAnalyticsSettings." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this settings is enabled or disabled." + }, + "frequency": { + "type": "string", + "format": "duration", + "description": "The frequency that this SecurityMLAnalyticsSettings will be run." + }, + "isDefaultSettings": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this anomaly security ml analytics settings is a default settings" + }, + "requiredDataConnectors": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/SecurityMLAnalyticsSettingsDataSource" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The required data sources for this SecurityMLAnalyticsSettings" + }, + "settingsDefinitionId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The anomaly settings definition Id" + }, + "settingsStatus": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Production", + "Flighting" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The anomaly SecurityMLAnalyticsSettings status." + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Reconnaissance", + "ResourceDevelopment", + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack", + "ImpairProcessControl", + "InhibitResponseFunction" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the SecurityMLAnalyticsSettings" + }, + "techniques": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The techniques of the SecurityMLAnalyticsSettings" + } + }, + "required": [ + "anomalyVersion", + "displayName", + "enabled", + "frequency", + "isDefaultSettings", + "settingsStatus" + ], + "description": "AnomalySecurityMLAnalytics settings base property bag." + }, + "ApiPollingParameters": { + "type": "object", + "properties": { + "connectorUiConfig": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessUiConnectorConfigProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Config to describe the instructions blade" + }, + "pollingConfig": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessConnectorPollingConfigProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Config to describe the polling config for API poller connector" + } + }, + "description": "Represents Codeless API Polling data connector" + }, + "ASCDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureSecurityCenter" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ASCDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "ASC (Azure Security Center) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents ASC (Azure Security Center) data connector." + }, + "ASCDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "subscriptionId": { + "type": "string", + "description": "The subscription id to connect to, and get the data from." + } + }, + "description": "ASC (Azure Security Center) data connector properties." + }, + "AutomationRuleAction": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/AutomationRuleModifyPropertiesAction" + }, + { + "$ref": "#/definitions/AutomationRuleRunPlaybookAction" + } + ], + "properties": { + "order": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "required": [ + "order" + ], + "description": "Describes an automation rule action." + }, + "AutomationRuleCondition": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/PropertyArrayChangedConditionProperties" + }, + { + "$ref": "#/definitions/PropertyChangedConditionProperties" + }, + { + "$ref": "#/definitions/PropertyConditionProperties" + } + ], + "properties": {}, + "description": "Describes an automation rule condition." + }, + "AutomationRuleModifyPropertiesAction": { + "type": "object", + "properties": { + "actionConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentPropertiesAction" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "actionType": { + "type": "string", + "enum": [ + "ModifyProperties" + ] + } + }, + "required": [ + "actionType" + ], + "description": "Describes an automation rule action to modify an object's properties" + }, + "AutomationRuleProperties": { + "type": "object", + "properties": { + "actions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleAction" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The actions to execute when the automation rule is triggered." + }, + "displayName": { + "type": "string", + "maxLength": 500, + "description": "The display name of the automation rule." + }, + "order": { + "oneOf": [ + { + "type": "integer", + "minimum": 1, + "maximum": 1000 + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The order of execution of the automation rule." + }, + "triggeringLogic": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRuleTriggeringLogic" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes automation rule triggering logic." + } + }, + "required": [ + "actions", + "displayName", + "order", + "triggeringLogic" + ], + "description": "Automation rule properties" + }, + "AutomationRulePropertyArrayChangedValuesCondition": { + "type": "object", + "properties": { + "arrayType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Alerts", + "Labels", + "Tactics", + "Comments" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "changeType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Added" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + } + }, + "AutomationRulePropertyValuesChangedCondition": { + "type": "object", + "properties": { + "changeType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "ChangedFrom", + "ChangedTo" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "operator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Equals", + "NotEquals", + "Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "propertyName": { + "oneOf": [ + { + "type": "string", + "enum": [ + "IncidentSeverity", + "IncidentStatus", + "IncidentOwner" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "propertyValues": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + } + }, + "AutomationRulePropertyValuesCondition": { + "type": "object", + "properties": { + "operator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Equals", + "NotEquals", + "Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "propertyName": { + "oneOf": [ + { + "type": "string", + "enum": [ + "IncidentTitle", + "IncidentDescription", + "IncidentSeverity", + "IncidentStatus", + "IncidentRelatedAnalyticRuleIds", + "IncidentTactics", + "IncidentLabel", + "IncidentProviderName", + "AccountAadTenantId", + "AccountAadUserId", + "AccountName", + "AccountNTDomain", + "AccountPUID", + "AccountSid", + "AccountObjectGuid", + "AccountUPNSuffix", + "AlertProductNames", + "AlertAnalyticRuleIds", + "AzureResourceResourceId", + "AzureResourceSubscriptionId", + "CloudApplicationAppId", + "CloudApplicationAppName", + "DNSDomainName", + "FileDirectory", + "FileName", + "FileHashValue", + "HostAzureID", + "HostName", + "HostNetBiosName", + "HostNTDomain", + "HostOSVersion", + "IoTDeviceId", + "IoTDeviceName", + "IoTDeviceType", + "IoTDeviceVendor", + "IoTDeviceModel", + "IoTDeviceOperatingSystem", + "IPAddress", + "MailboxDisplayName", + "MailboxPrimaryAddress", + "MailboxUPN", + "MailMessageDeliveryAction", + "MailMessageDeliveryLocation", + "MailMessageRecipient", + "MailMessageSenderIP", + "MailMessageSubject", + "MailMessageP1Sender", + "MailMessageP2Sender", + "MalwareCategory", + "MalwareName", + "ProcessCommandLine", + "ProcessId", + "RegistryKey", + "RegistryValueData", + "Url" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "propertyValues": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + } + }, + "AutomationRuleRunPlaybookAction": { + "type": "object", + "properties": { + "actionConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/PlaybookActionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "actionType": { + "type": "string", + "enum": [ + "RunPlaybook" + ] + } + }, + "required": [ + "actionType" + ], + "description": "Describes an automation rule action to run a playbook" + }, + "AutomationRuleTriggeringLogic": { + "type": "object", + "properties": { + "conditions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleCondition" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object." + }, + "expirationTimeUtc": { + "type": "string", + "format": "date-time", + "description": "Determines when the automation rule should automatically expire and be disabled." + }, + "isEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the automation rule is enabled or disabled." + }, + "triggersOn": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Incidents", + "Alerts" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "triggersWhen": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Created", + "Updated" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "required": [ + "isEnabled", + "triggersOn", + "triggersWhen" + ], + "description": "Describes automation rule triggering logic." + }, + "Availability": { + "type": "object", + "properties": { + "isPreview": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Set connector as preview" + }, + "status": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The connector Availability Status" + } + }, + "description": "Connector Availability Status" + }, + "AwsCloudTrailDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AmazonWebServicesCloudTrail" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Amazon Web Services CloudTrail data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Amazon Web Services CloudTrail data connector." + }, + "AwsCloudTrailDataConnectorDataTypes": { + "type": "object", + "properties": { + "logs": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypesLogs" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Logs data type." + } + }, + "required": [ + "logs" + ], + "description": "The available data types for Amazon Web Services CloudTrail data connector." + }, + "AwsCloudTrailDataConnectorDataTypesLogs": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Logs data type." + }, + "AwsCloudTrailDataConnectorProperties": { + "type": "object", + "properties": { + "awsRoleArn": { + "type": "string", + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account." + }, + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Amazon Web Services CloudTrail data connector." + } + }, + "required": [ + "dataTypes" + ], + "description": "Amazon Web Services CloudTrail data connector properties." + }, + "AwsS3DataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AmazonWebServicesS3" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AwsS3DataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Amazon Web Services S3 data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Amazon Web Services S3 data connector." + }, + "AwsS3DataConnectorDataTypes": { + "type": "object", + "properties": { + "logs": { + "oneOf": [ + { + "$ref": "#/definitions/AwsS3DataConnectorDataTypesLogs" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Logs data type." + } + }, + "required": [ + "logs" + ], + "description": "The available data types for Amazon Web Services S3 data connector." + }, + "AwsS3DataConnectorDataTypesLogs": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Logs data type." + }, + "AwsS3DataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AwsS3DataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Amazon Web Services S3 data connector." + }, + "destinationTable": { + "type": "string", + "description": "The logs destination table name in LogAnalytics." + }, + "roleArn": { + "type": "string", + "description": "The Aws Role Arn that is used to access the Aws account." + }, + "sqsUrls": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The AWS sqs urls for the connector." + } + }, + "required": [ + "dataTypes", + "destinationTable", + "roleArn", + "sqsUrls" + ], + "description": "Amazon Web Services S3 data connector properties." + }, + "AzureDevOpsResourceInfo": { + "type": "object", + "properties": { + "pipelineId": { + "type": "string", + "description": "Id of the pipeline created for the source-control." + }, + "serviceConnectionId": { + "type": "string", + "description": "Id of the service-connection created for the source-control." + } + }, + "description": "Resources created in Azure DevOps repository." + }, + "BookmarkEntityMappings": { + "type": "object", + "properties": { + "entityType": { + "type": "string", + "description": "The entity type" + }, + "fieldMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityFieldMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Array of fields mapping for that entity type" + } + }, + "description": "Describes the entity mappings of a single entity" + }, + "BookmarkProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the bookmark was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "displayName": { + "type": "string", + "description": "The display name of the bookmark" + }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/BookmarkEntityMappings" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes the entity mappings of the bookmark" + }, + "eventTime": { + "type": "string", + "format": "date-time", + "description": "The bookmark event time" + }, + "incidentInfo": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes related incident information for the bookmark" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this bookmark" + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "query": { + "type": "string", + "description": "The query of the bookmark." + }, + "queryEndTime": { + "type": "string", + "format": "date-time", + "description": "The end time for the query" + }, + "queryResult": { + "type": "string", + "description": "The query result of the bookmark." + }, + "queryStartTime": { + "type": "string", + "format": "date-time", + "description": "The start time for the query" + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Reconnaissance", + "ResourceDevelopment", + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack", + "ImpairProcessControl", + "InhibitResponseFunction" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of relevant mitre attacks" + }, + "techniques": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of relevant mitre techniques" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the bookmark was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + } + }, + "required": [ + "displayName", + "query" + ], + "description": "Describes bookmark properties" + }, + "bookmarks_relations_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/bookmarks/relations" + }, + "CodelessApiPollingDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "APIPolling" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ApiPollingParameters" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Represents Codeless API Polling data connector" + } + }, + "required": [ + "kind" + ], + "description": "Represents Codeless API Polling data connector." + }, + "CodelessConnectorPollingAuthProperties": { + "type": "object", + "properties": { + "apiKeyIdentifier": { + "type": "string", + "description": "A prefix send in the header before the actual token" + }, + "apiKeyName": { + "type": "string", + "description": "The header name which the token is sent with" + }, + "authorizationEndpoint": { + "type": "string", + "description": "The endpoint used to authorize the user, used in Oauth 2.0 flow" + }, + "authorizationEndpointQueryParameters": { + "type": "object", + "properties": {}, + "description": "The query parameters used in authorization request, used in Oauth 2.0 flow" + }, + "authType": { + "type": "string", + "description": "The authentication type" + }, + "flowName": { + "type": "string", + "description": "Describes the flow name, for example 'AuthCode' for Oauth 2.0" + }, + "isApiKeyInPostPayload": { + "type": "string", + "description": "Marks if the key should sent in header" + }, + "isClientSecretInHeader": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow" + }, + "redirectionEndpoint": { + "type": "string", + "description": "The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow" + }, + "scope": { + "type": "string", + "description": "The OAuth token scope" + }, + "tokenEndpoint": { + "type": "string", + "description": "The endpoint used to issue a token, used in Oauth 2.0 flow" + }, + "tokenEndpointHeaders": { + "type": "object", + "properties": {}, + "description": "The query headers used in token request, used in Oauth 2.0 flow" + }, + "tokenEndpointQueryParameters": { + "type": "object", + "properties": {}, + "description": "The query parameters used in token request, used in Oauth 2.0 flow" + } + }, + "required": [ + "authType" + ], + "description": "Describe the authentication properties needed to successfully authenticate with the server" + }, + "CodelessConnectorPollingConfigProperties": { + "type": "object", + "properties": { + "auth": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessConnectorPollingAuthProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe the authentication properties needed to successfully authenticate with the server" + }, + "isActive": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The poller active status" + }, + "paging": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessConnectorPollingPagingProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe the properties needed to make a pagination call" + }, + "request": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessConnectorPollingRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe the request properties needed to successfully pull from the server" + }, + "response": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessConnectorPollingResponseProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes the response from the external server" + } + }, + "required": [ + "auth", + "request" + ], + "description": "Config to describe the polling config for API poller connector" + }, + "CodelessConnectorPollingPagingProperties": { + "type": "object", + "properties": { + "nextPageParaName": { + "type": "string", + "description": "Defines the name of a next page attribute" + }, + "nextPageTokenJsonPath": { + "type": "string", + "description": "Defines the path to a next page token JSON" + }, + "pageCountAttributePath": { + "type": "string", + "description": "Defines the path to a page count attribute" + }, + "pageSize": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Defines the paging size" + }, + "pageSizeParaName": { + "type": "string", + "description": "Defines the name of the page size parameter" + }, + "pageTimeStampAttributePath": { + "type": "string", + "description": "Defines the path to a paging time stamp attribute" + }, + "pageTotalCountAttributePath": { + "type": "string", + "description": "Defines the path to a page total count attribute" + }, + "pagingType": { + "type": "string", + "description": "Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'" + }, + "searchTheLatestTimeStampFromEventsList": { + "type": "string", + "description": "Determines whether to search for the latest time stamp in the events list" + } + }, + "required": [ + "pagingType" + ], + "description": "Describe the properties needed to make a pagination call" + }, + "CodelessConnectorPollingRequestProperties": { + "type": "object", + "properties": { + "apiEndpoint": { + "type": "string", + "description": "Describe the endpoint we should pull the data from" + }, + "endTimeAttributeName": { + "type": "string", + "description": "This will be used the query events from the end of the time window" + }, + "headers": { + "type": "object", + "properties": {}, + "description": "Describe the headers sent in the poll request" + }, + "httpMethod": { + "type": "string", + "description": "The http method type we will use in the poll request, GET or POST" + }, + "queryParameters": { + "type": "object", + "properties": {}, + "description": "Describe the query parameters sent in the poll request" + }, + "queryParametersTemplate": { + "type": "string", + "description": "For advanced scenarios for example user name/password embedded in nested JSON payload" + }, + "queryTimeFormat": { + "type": "string", + "description": "The time format will be used the query events in a specific window" + }, + "queryWindowInMin": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The window interval we will use the pull the data" + }, + "rateLimitQps": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Defines the rate limit QPS" + }, + "retryCount": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe the amount of time we should try and poll the data in case of failure" + }, + "startTimeAttributeName": { + "type": "string", + "description": "This will be used the query events from a start of the time window" + }, + "timeoutInSeconds": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of seconds we will consider as a request timeout" + } + }, + "required": [ + "apiEndpoint", + "httpMethod", + "queryTimeFormat", + "queryWindowInMin" + ], + "description": "Describe the request properties needed to successfully pull from the server" + }, + "CodelessConnectorPollingResponseProperties": { + "type": "object", + "properties": { + "eventsJsonPaths": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes the path we should extract the data in the response" + }, + "isGzipCompressed": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes if the data in the response is Gzip" + }, + "successStatusJsonPath": { + "type": "string", + "description": "Describes the path we should extract the status code in the response" + }, + "successStatusValue": { + "type": "string", + "description": "Describes the path we should extract the status value in the response" + } + }, + "required": [ + "eventsJsonPaths" + ], + "description": "Describes the response from the external server" + }, + "CodelessParameters": { + "type": "object", + "properties": { + "connectorUiConfig": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessUiConnectorConfigProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Config to describe the instructions blade" + } + }, + "description": "Represents Codeless UI data connector" + }, + "CodelessUiConnectorConfigProperties": { + "type": "object", + "properties": { + "availability": { + "oneOf": [ + { + "$ref": "#/definitions/Availability" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Connector Availability Status" + }, + "connectivityCriteria": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Define the way the connector check connectivity" + }, + "customImage": { + "type": "string", + "description": "An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery" + }, + "dataTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/CodelessUiConnectorConfigPropertiesDataTypesItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data types to check for last data received" + }, + "descriptionMarkdown": { + "type": "string", + "description": "Connector description" + }, + "graphQueries": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/CodelessUiConnectorConfigPropertiesGraphQueriesItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The graph query to show the current data status" + }, + "graphQueriesTableName": { + "type": "string", + "description": "Name of the table the connector will insert the data to" + }, + "instructionSteps": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/CodelessUiConnectorConfigPropertiesInstructionStepsItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Instruction steps to enable the connector" + }, + "permissions": { + "oneOf": [ + { + "$ref": "#/definitions/Permissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions required for the connector" + }, + "publisher": { + "type": "string", + "description": "Connector publisher name" + }, + "sampleQueries": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/CodelessUiConnectorConfigPropertiesSampleQueriesItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The sample queries for the connector" + }, + "title": { + "type": "string", + "description": "Connector blade title" + } + }, + "required": [ + "availability", + "connectivityCriteria", + "dataTypes", + "descriptionMarkdown", + "graphQueries", + "graphQueriesTableName", + "instructionSteps", + "permissions", + "publisher", + "sampleQueries", + "title" + ], + "description": "Config to describe the instructions blade" + }, + "CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem": { + "type": "object", + "properties": { + "type": { + "oneOf": [ + { + "type": "string", + "enum": [ + "IsConnectedQuery" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "type of connectivity." + }, + "value": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Queries for checking connectivity" + } + } + }, + "CodelessUiConnectorConfigPropertiesDataTypesItem": { + "type": "object", + "properties": { + "lastDataReceivedQuery": { + "type": "string", + "description": "Query for indicate last data received" + }, + "name": { + "type": "string", + "description": "Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder" + } + } + }, + "CodelessUiConnectorConfigPropertiesGraphQueriesItem": { + "type": "object", + "properties": { + "baseQuery": { + "type": "string", + "description": "The base query for the graph" + }, + "legend": { + "type": "string", + "description": "The legend for the graph" + }, + "metricName": { + "type": "string", + "description": "the metric that the query is checking" + } + } + }, + "CodelessUiConnectorConfigPropertiesInstructionStepsItem": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "Instruction step description" + }, + "instructions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/InstructionStepsInstructionsItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Instruction step details" + }, + "title": { + "type": "string", + "description": "Instruction step title" + } + } + }, + "CodelessUiConnectorConfigPropertiesSampleQueriesItem": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "The sample query description" + }, + "query": { + "type": "string", + "description": "the sample query" + } + } + }, + "CodelessUiDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "GenericUI" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/CodelessParameters" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Represents Codeless UI data connector" + } + }, + "required": [ + "kind" + ], + "description": "Represents Codeless UI data connector." + }, + "ContentPathMap": { + "type": "object", + "properties": { + "contentType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AnalyticRule", + "Workbook" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Content type." + }, + "path": { + "type": "string", + "description": "The path to the content." + } + }, + "description": "The mapping of content type to a repo path." + }, + "DataConnectorDataTypeCommon": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Common field for data type in data connectors." + }, + "Deployment": { + "type": "object", + "properties": { + "deploymentId": { + "type": "string", + "description": "Deployment identifier." + }, + "deploymentLogsUrl": { + "type": "string", + "description": "Url to access repository action logs." + }, + "deploymentResult": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Success", + "Canceled", + "Failed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The outcome of the deployment." + }, + "deploymentState": { + "oneOf": [ + { + "type": "string", + "enum": [ + "In_Progress", + "Completed", + "Queued", + "Canceling" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Current status of the deployment." + }, + "deploymentTime": { + "type": "string", + "format": "date-time", + "description": "The time when the deployment finished." + } + }, + "description": "Description about a deployment." + }, + "DeploymentInfo": { + "type": "object", + "properties": { + "deployment": { + "oneOf": [ + { + "$ref": "#/definitions/Deployment" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Description about a deployment." + }, + "deploymentFetchStatus": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Success", + "Unauthorized", + "NotFound" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Status while fetching the last deployment." + }, + "message": { + "type": "string", + "description": "Additional details about the deployment that can be shown to the user." + } + }, + "description": "Information regarding a deployment." + }, + "Dynamics365DataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Dynamics365" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/Dynamics365DataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dynamics365 data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Dynamics365 data connector." + }, + "Dynamics365DataConnectorDataTypes": { + "type": "object", + "properties": { + "dynamics365CdsActivities": { + "oneOf": [ + { + "$ref": "#/definitions/Dynamics365DataConnectorDataTypesDynamics365CdsActivities" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common Data Service data type connection." + } + }, + "required": [ + "dynamics365CdsActivities" + ], + "description": "The available data types for Dynamics365 data connector." + }, + "Dynamics365DataConnectorDataTypesDynamics365CdsActivities": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Common Data Service data type connection." + }, + "Dynamics365DataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/Dynamics365DataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Dynamics365 data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "Dynamics365 data connector properties." + }, + "EntityAnalytics": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "EntityAnalytics" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/EntityAnalyticsProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "EntityAnalytics property bag." + } + }, + "required": [ + "kind" + ], + "description": "Settings with single toggle." + }, + "EntityAnalyticsProperties": { + "type": "object", + "properties": { + "entityProviders": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "ActiveDirectory", + "AzureActiveDirectory" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The relevant entity providers that are synced" + } + }, + "description": "EntityAnalytics property bag." + }, + "EntityFieldMapping": { + "type": "object", + "properties": { + "identifier": { + "type": "string", + "description": "Alert V3 identifier" + }, + "value": { + "type": "string", + "description": "The value of the identifier" + } + }, + "description": "Map identifiers of a single entity" + }, + "EntityMapping": { + "type": "object", + "properties": { + "entityType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "fieldMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "array of field mappings for the given entity mapping" + } + }, + "description": "Single entity mapping for the alert rule" + }, + "EventGroupingSettings": { + "type": "object", + "properties": { + "aggregationKind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SingleAlert", + "AlertPerResult" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "description": "Event grouping settings property bag." + }, + "EyesOn": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "EyesOn" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/EyesOnSettingsProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "EyesOn property bag." + } + }, + "required": [ + "kind" + ], + "description": "Settings with single toggle." + }, + "EyesOnSettingsProperties": { + "type": "object", + "properties": {}, + "description": "EyesOn property bag." + }, + "FieldMapping": { + "type": "object", + "properties": { + "columnName": { + "type": "string", + "description": "the column name to be mapped to the identifier" + }, + "identifier": { + "type": "string", + "description": "the V3 identifier of the entity" + } + }, + "description": "A single field mapping of the mapped entity" + }, + "FileImportProperties": { + "type": "object", + "properties": { + "contentType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "BasicIndicator", + "StixIndicator", + "Unspecified" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The content type of this file." + }, + "importFile": { + "oneOf": [ + { + "$ref": "#/definitions/FileMetadata" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Represents a file." + }, + "ingestionMode": { + "oneOf": [ + { + "type": "string", + "enum": [ + "IngestOnlyIfAllAreValid", + "IngestAnyValidRecords", + "Unspecified" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes how to ingest the records in the file." + }, + "source": { + "type": "string", + "description": "The source for the data in the file." + } + }, + "required": [ + "contentType", + "importFile", + "ingestionMode", + "source" + ], + "description": "Describes the FileImport's properties" + }, + "FileMetadata": { + "type": "object", + "properties": { + "fileFormat": { + "oneOf": [ + { + "type": "string", + "enum": [ + "CSV", + "JSON", + "Unspecified" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The format of the file." + }, + "fileName": { + "type": "string", + "description": "The name of the file." + }, + "fileSize": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The size of the file." + } + }, + "description": "Represents a file." + }, + "FusionAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Fusion" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Fusion alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents Fusion alert rule." + }, + "FusionAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "scenarioExclusionPatterns": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FusionScenarioExclusionPattern" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Configuration to exclude scenarios in fusion detection." + }, + "sourceSettings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FusionSourceSettings" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Configuration for all supported source signals in fusion detection." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "Fusion alert rule base property bag." + }, + "FusionScenarioExclusionPattern": { + "type": "object", + "properties": { + "dateAddedInUTC": { + "type": "string", + "description": "DateTime when scenario exclusion pattern is added in UTC." + }, + "exclusionPattern": { + "type": "string", + "description": "Scenario exclusion pattern." + } + }, + "required": [ + "dateAddedInUTC", + "exclusionPattern" + ], + "description": "Represents a Fusion scenario exclusion patterns in Fusion detection." + }, + "FusionSourceSettings": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this source signal is enabled or disabled in Fusion detection." + }, + "sourceName": { + "type": "string", + "description": "Name of the Fusion source signal. Refer to Fusion alert rule template for supported values." + }, + "sourceSubTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FusionSourceSubTypeSetting" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Configuration for all source subtypes under this source signal consumed in fusion detection." + } + }, + "required": [ + "enabled", + "sourceName" + ], + "description": "Represents a supported source signal configuration in Fusion detection." + }, + "FusionSourceSubTypeSetting": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this source subtype under source signal is enabled or disabled in Fusion detection." + }, + "severityFilters": { + "oneOf": [ + { + "$ref": "#/definitions/FusionSubTypeSeverityFilter" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Represents severity configuration for a source subtype consumed in Fusion detection." + }, + "sourceSubTypeName": { + "type": "string", + "description": "The Name of the source subtype under a given source signal in Fusion detection. Refer to Fusion alert rule template for supported values." + } + }, + "required": [ + "enabled", + "severityFilters", + "sourceSubTypeName" + ], + "description": "Represents a supported source subtype configuration under a source signal in Fusion detection." + }, + "FusionSubTypeSeverityFilter": { + "type": "object", + "properties": { + "filters": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FusionSubTypeSeverityFiltersItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Individual Severity configuration settings for a given source subtype consumed in Fusion detection." + } + }, + "description": "Represents severity configuration for a source subtype consumed in Fusion detection." + }, + "FusionSubTypeSeverityFiltersItem": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this severity is enabled or disabled for this source subtype consumed in Fusion detection." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Severity for a given source subtype consumed in Fusion detection." + } + }, + "required": [ + "enabled", + "severity" + ], + "description": "Represents a Severity filter setting for a given source subtype consumed in Fusion detection." + }, + "GitHubResourceInfo": { + "type": "object", + "properties": { + "appInstallationId": { + "type": "string", + "description": "GitHub application installation id." + } + }, + "description": "Resources created in GitHub repository." + }, + "GroupingConfiguration": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping enabled" + }, + "groupByAlertDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "DisplayName", + "Severity" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of alert details to group by (when matchingMethod is Selected)" + }, + "groupByCustomDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used." + }, + "groupByEntities": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used." + }, + "lookbackDuration": { + "type": "string", + "format": "duration", + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)" + }, + "matchingMethod": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty." + }, + "reopenClosedIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Re-open closed matching incidents" + } + }, + "required": [ + "enabled", + "lookbackDuration", + "matchingMethod", + "reopenClosedIncident" + ], + "description": "Grouping configuration property bag." + }, + "IncidentCommentProperties": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "The comment message" + } + }, + "required": [ + "message" + ], + "description": "Incident comment property bag." + }, + "IncidentConfiguration": { + "type": "object", + "properties": { + "createIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Create incidents from alerts triggered by this analytics rule" + }, + "groupingConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/GroupingConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping configuration property bag." + } + }, + "required": [ + "createIncident" + ], + "description": "Incident Configuration property bag." + }, + "IncidentInfo": { + "type": "object", + "properties": { + "incidentId": { + "type": "string", + "description": "Incident Id" + }, + "relationName": { + "type": "string", + "description": "Relation Name" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "description": "Describes related incident information for the bookmark" + }, + "IncidentLabel": { + "type": "object", + "properties": { + "labelName": { + "type": "string", + "description": "The name of the label" + }, + "labelType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "User", + "AutoAssigned" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "required": [ + "labelName" + ], + "description": "Represents an incident label" + }, + "IncidentOwnerInfo": { + "type": "object", + "properties": { + "assignedTo": { + "type": "string", + "description": "The name of the user the incident is assigned to." + }, + "email": { + "type": "string", + "description": "The email of the user the incident is assigned to." + }, + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user the incident is assigned to." + }, + "ownerType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Unknown", + "User", + "Group" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The type of the owner the incident is assigned to." + }, + "userPrincipalName": { + "type": "string", + "description": "The user principal name of the user the incident is assigned to." + } + }, + "description": "Information on the user an incident is assigned to" + }, + "IncidentProperties": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The reason the incident was closed." + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed" + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The classification reason the incident was closed with." + }, + "description": { + "type": "string", + "description": "The description of the incident" + }, + "firstActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the first activity in the incident" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this incident" + }, + "lastActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the last activity in the incident" + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "providerIncidentId": { + "type": "string", + "description": "The incident ID assigned by the incident provider" + }, + "providerName": { + "type": "string", + "description": "The name of the source provider that generated the incident" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The status of the incident." + }, + "teamInformation": { + "oneOf": [ + { + "$ref": "#/definitions/TeamInformation" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes team information" + }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "required": [ + "severity", + "status", + "title" + ], + "description": "Describes incident properties" + }, + "IncidentPropertiesAction": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed." + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels to add to the incident." + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + } + }, + "incidents_comments_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "InstructionStepsInstructionsItem": { + "type": "object", + "properties": { + "parameters": { + "type": "object", + "properties": {}, + "description": "The parameters for the setting" + }, + "type": { + "oneOf": [ + { + "type": "string", + "enum": [ + "CopyableLabel", + "InstructionStepsGroup", + "InfoMessage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The kind of the setting." + } + }, + "required": [ + "type" + ] + }, + "IoTDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "IOT" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IoTDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "IoT data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents IoT data connector." + }, + "IoTDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "subscriptionId": { + "type": "string", + "description": "The subscription id to connect to, and get the data from." + } + }, + "description": "IoT data connector properties." + }, + "MCASDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftCloudAppSecurity" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorDataTypes": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + }, + "discoveryLogs": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "required": [ + "alerts" + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + }, + "MDATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftDefenderAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MDATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." + }, + "MDATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "tenantId" + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + }, + "MetadataAuthor": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email of author contact" + }, + "link": { + "type": "string", + "description": "Link for author/vendor page" + }, + "name": { + "type": "string", + "description": "Name of the author. Company or person." + } + }, + "description": "Publisher or creator of the content item." + }, + "MetadataCategories": { + "type": "object", + "properties": { + "domains": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "domain for the solution content item" + }, + "verticals": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Industry verticals for the solution content item" + } + }, + "description": "ies for the solution content item" + }, + "MetadataDependencies": { + "type": "object", + "properties": { + "contentId": { + "type": "string", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Can be optionally set for user created content to define dependencies. If an active content item is made from a template, both will have the same contentId." + }, + "criteria": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "object" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "This is the list of dependencies we must fulfill, according to the AND/OR operator" + }, + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "DataConnector", + "DataType", + "Workbook", + "WorkbookTemplate", + "Playbook", + "PlaybookTemplate", + "AnalyticsRuleTemplate", + "AnalyticsRule", + "HuntingQuery", + "InvestigationQuery", + "Parser", + "Watchlist", + "WatchlistTemplate", + "Solution", + "AzureFunction", + "LogicAppsCustomConnector", + "AutomationRule" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Type of the content item we depend on." + }, + "name": { + "type": "string", + "description": "Name of the content item" + }, + "operator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AND", + "OR" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Operator used for list of dependencies in criteria array." + }, + "version": { + "type": "string", + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks" + } + }, + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies." + }, + "MetadataProperties": { + "type": "object", + "properties": { + "author": { + "oneOf": [ + { + "$ref": "#/definitions/MetadataAuthor" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Publisher or creator of the content item." + }, + "categories": { + "oneOf": [ + { + "$ref": "#/definitions/MetadataCategories" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "ies for the solution content item" + }, + "contentId": { + "type": "string", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Can be optionally set for user created content to define dependencies. If an active content item is made from a template, both will have the same contentId." + }, + "contentSchemaVersion": { + "type": "string", + "description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version" + }, + "customVersion": { + "type": "string", + "description": "The custom version of the content. A optional free text" + }, + "dependencies": { + "oneOf": [ + { + "$ref": "#/definitions/MetadataDependencies" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies." + }, + "firstPublishDate": { + "type": "string", + "format": "date", + "description": "first publish date of solution content item" + }, + "icon": { + "type": "string", + "description": "the icon identifier. this id can later be fetched from the solution template" + }, + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "DataConnector", + "DataType", + "Workbook", + "WorkbookTemplate", + "Playbook", + "PlaybookTemplate", + "AnalyticsRuleTemplate", + "AnalyticsRule", + "HuntingQuery", + "InvestigationQuery", + "Parser", + "Watchlist", + "WatchlistTemplate", + "Solution", + "AzureFunction", + "LogicAppsCustomConnector", + "AutomationRule" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The kind of content the metadata is for." + }, + "lastPublishDate": { + "type": "string", + "format": "date", + "description": "last publish date of solution content item" + }, + "parentId": { + "type": "string", + "description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)" + }, + "previewImages": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "preview image file names. These will be taken from the solution artifacts" + }, + "previewImagesDark": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support" + }, + "providers": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Providers for the solution content item" + }, + "source": { + "oneOf": [ + { + "$ref": "#/definitions/MetadataSource" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The original source of the content item, where it comes from." + }, + "support": { + "oneOf": [ + { + "$ref": "#/definitions/MetadataSupport" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Support information for the content item." + }, + "threatAnalysisTactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the tactics the resource covers" + }, + "threatAnalysisTechniques": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the techniques the resource covers, these have to be aligned with the tactics being used" + }, + "version": { + "type": "string", + "description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks" + } + }, + "required": [ + "kind", + "parentId" + ], + "description": "Metadata property bag." + }, + "MetadataSource": { + "type": "object", + "properties": { + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "LocalWorkspace", + "Community", + "Solution", + "SourceRepository" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Source type of the content." + }, + "name": { + "type": "string", + "description": "Name of the content source. The repo name, solution name, LA workspace name etc." + }, + "sourceId": { + "type": "string", + "description": "ID of the content source. The solution ID, workspace ID, etc" + } + }, + "required": [ + "kind" + ], + "description": "The original source of the content item, where it comes from." + }, + "MetadataSupport": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email of support contact" + }, + "link": { + "type": "string", + "description": "Link for support help, like to support page to open a ticket etc." + }, + "name": { + "type": "string", + "description": "Name of the support contact. Company or person." + }, + "tier": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft", + "Partner", + "Community" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Type of support for content item." + } + }, + "required": [ + "tier" + ], + "description": "Support information for the content item." + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftSecurityIncidentCreation" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule." + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "displayNamesExcludeFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will not be generated" + }, + "displayNamesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will be generated" + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "productFilter": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT", + "Office 365 Advanced Threat Protection", + "Microsoft Defender Advanced Threat Protection" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The alerts' productName on which the cases will be generated." + }, + "severitiesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' severities on which the cases will be generated" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + }, + "MLBehaviorAnalyticsAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MLBehaviorAnalytics" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MLBehaviorAnalytics alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents MLBehaviorAnalytics alert rule." + }, + "MLBehaviorAnalyticsAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "MLBehaviorAnalytics alert rule base property bag." + }, + "MSTIDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftThreatIntelligence" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MSTIDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Microsoft Threat Intelligence data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Microsoft Threat Intelligence data connector." + }, + "MSTIDataConnectorDataTypes": { + "type": "object", + "properties": { + "bingSafetyPhishingURL": { + "oneOf": [ + { + "$ref": "#/definitions/MSTIDataConnectorDataTypesBingSafetyPhishingURL" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for Microsoft Threat Intelligence Platforms data connector." + }, + "microsoftEmergingThreatFeed": { + "oneOf": [ + { + "$ref": "#/definitions/MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeed" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for Microsoft Threat Intelligence Platforms data connector." + } + }, + "required": [ + "bingSafetyPhishingURL", + "microsoftEmergingThreatFeed" + ], + "description": "The available data types for Microsoft Threat Intelligence Platforms data connector." + }, + "MSTIDataConnectorDataTypesBingSafetyPhishingURL": { + "type": "object", + "properties": { + "lookbackPeriod": { + "type": "string", + "description": "lookback period" + }, + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "lookbackPeriod", + "state" + ], + "description": "Data type for Microsoft Threat Intelligence Platforms data connector." + }, + "MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeed": { + "type": "object", + "properties": { + "lookbackPeriod": { + "type": "string", + "description": "lookback period" + }, + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "lookbackPeriod", + "state" + ], + "description": "Data type for Microsoft Threat Intelligence Platforms data connector." + }, + "MSTIDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/MSTIDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Microsoft Threat Intelligence Platforms data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "Microsoft Threat Intelligence data connector properties." + }, + "MTPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MTPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MTP (Microsoft Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MTP (Microsoft Threat Protection) data connector." + }, + "MTPDataConnectorDataTypes": { + "type": "object", + "properties": { + "incidents": { + "oneOf": [ + { + "$ref": "#/definitions/MTPDataConnectorDataTypesIncidents" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for Microsoft Threat Protection Platforms data connector." + } + }, + "required": [ + "incidents" + ], + "description": "The available data types for Microsoft Threat Protection Platforms data connector." + }, + "MTPDataConnectorDataTypesIncidents": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Data type for Microsoft Threat Protection Platforms data connector." + }, + "MTPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/MTPDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Microsoft Threat Protection Platforms data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "MTP (Microsoft Threat Protection) data connector properties." + }, + "NrtAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "NRT" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/NrtAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Nrt alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents NRT alert rule." + }, + "NrtAlertRuleProperties": { + "type": "object", + "properties": { + "alertDetailsOverride": { + "oneOf": [ + { + "$ref": "#/definitions/AlertDetailsOverride" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings for how to dynamically override alert static details" + }, + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "customDetails": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of string key-value pairs of columns to be attached to the alert" + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of entity mappings of the alert rule" + }, + "incidentConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident Configuration property bag." + }, + "query": { + "type": "string", + "description": "The query that creates alerts for this rule." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity for alerts created by this alert rule." + }, + "suppressionDuration": { + "type": "string", + "format": "duration", + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered." + }, + "suppressionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the suppression for this alert rule is enabled or disabled." + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Reconnaissance", + "ResourceDevelopment", + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack", + "ImpairProcessControl", + "InhibitResponseFunction" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the alert rule" + }, + "techniques": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The techniques of the alert rule" + }, + "templateVersion": { + "type": "string", + "description": "The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>" + } + }, + "required": [ + "displayName", + "enabled", + "query", + "severity", + "suppressionDuration", + "suppressionEnabled" + ], + "description": "Nrt alert rule base property bag." + }, + "Office365ProjectConnectorDataTypes": { + "type": "object", + "properties": { + "logs": { + "oneOf": [ + { + "$ref": "#/definitions/Office365ProjectConnectorDataTypesLogs" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Logs data type." + } + }, + "required": [ + "logs" + ], + "description": "The available data types for Office Microsoft Project data connector." + }, + "Office365ProjectConnectorDataTypesLogs": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Logs data type." + }, + "Office365ProjectDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Office365Project" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/Office365ProjectDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Office Microsoft Project data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Office Microsoft Project data connector." + }, + "Office365ProjectDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/Office365ProjectConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Office Microsoft Project data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "Office Microsoft Project data connector properties." + }, + "OfficeATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "OfficeATP" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents OfficeATP (Office 365 Advanced Threat Protection) data connector." + }, + "OfficeATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "tenantId" + ], + "description": "OfficeATP (Office 365 Advanced Threat Protection) data connector properties." + }, + "OfficeDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Office365" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Office data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents office data connector." + }, + "OfficeDataConnectorDataTypes": { + "type": "object", + "properties": { + "exchange": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesExchange" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Exchange data type connection." + }, + "sharePoint": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesSharePoint" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SharePoint data type connection." + }, + "teams": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesTeams" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Teams data type connection." + } + }, + "required": [ + "exchange", + "sharePoint", + "teams" + ], + "description": "The available data types for office data connector." + }, + "OfficeDataConnectorDataTypesExchange": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Exchange data type connection." + }, + "OfficeDataConnectorDataTypesSharePoint": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "SharePoint data type connection." + }, + "OfficeDataConnectorDataTypesTeams": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Teams data type connection." + }, + "OfficeDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for office data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "Office data connector properties." + }, + "OfficeIRMDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "OfficeIRM" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeIRMDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "OfficeIRM (Microsoft Insider Risk Management) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents OfficeIRM (Microsoft Insider Risk Management) data connector." + }, + "OfficeIRMDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "tenantId" + ], + "description": "OfficeIRM (Microsoft Insider Risk Management) data connector properties." + }, + "OfficePowerBIConnectorDataTypes": { + "type": "object", + "properties": { + "logs": { + "oneOf": [ + { + "$ref": "#/definitions/OfficePowerBIConnectorDataTypesLogs" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Logs data type." + } + }, + "required": [ + "logs" + ], + "description": "The available data types for Office Microsoft PowerBI data connector." + }, + "OfficePowerBIConnectorDataTypesLogs": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Logs data type." + }, + "OfficePowerBIDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "OfficePowerBI" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/OfficePowerBIDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Office Microsoft PowerBI data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Office Microsoft PowerBI data connector." + }, + "OfficePowerBIDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/OfficePowerBIConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Office Microsoft PowerBI data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "Office Microsoft PowerBI data connector properties." + }, + "Permissions": { + "type": "object", + "properties": { + "customs": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/PermissionsCustomsItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Customs permissions required for the connector" + }, + "resourceProvider": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/PermissionsResourceProviderItem" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Resource provider permissions required for the connector" + } + }, + "description": "Permissions required for the connector" + }, + "PermissionsCustomsItem": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "Customs permissions description" + }, + "name": { + "type": "string", + "description": "Customs permissions name" + } + } + }, + "PermissionsResourceProviderItem": { + "type": "object", + "properties": { + "permissionsDisplayText": { + "type": "string", + "description": "Permission description text" + }, + "provider": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft.OperationalInsights/solutions", + "Microsoft.OperationalInsights/workspaces", + "Microsoft.OperationalInsights/workspaces/datasources", + "microsoft.aadiam/diagnosticSettings", + "Microsoft.OperationalInsights/workspaces/sharedKeys", + "Microsoft.Authorization/policyAssignments" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Provider name." + }, + "providerDisplayName": { + "type": "string", + "description": "Permission provider display name" + }, + "requiredPermissions": { + "oneOf": [ + { + "$ref": "#/definitions/RequiredPermissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Required permissions for the connector" + }, + "scope": { + "oneOf": [ + { + "type": "string", + "enum": [ + "ResourceGroup", + "Subscription", + "Workspace" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permission provider scope." + } + } + }, + "PlaybookActionProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "The resource id of the playbook resource." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tenant id of the playbook resource." + } + } + }, + "PropertyArrayChangedConditionProperties": { + "type": "object", + "properties": { + "conditionProperties": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRulePropertyArrayChangedValuesCondition" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "conditionType": { + "type": "string", + "enum": [ + "PropertyArrayChanged" + ] + } + }, + "required": [ + "conditionType" + ], + "description": "Describes an automation rule condition that evaluates an array property's value change" + }, + "PropertyChangedConditionProperties": { + "type": "object", + "properties": { + "conditionProperties": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRulePropertyValuesChangedCondition" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "conditionType": { + "type": "string", + "enum": [ + "PropertyChanged" + ] + } + }, + "required": [ + "conditionType" + ], + "description": "Describes an automation rule condition that evaluates a property's value change" + }, + "PropertyConditionProperties": { + "type": "object", + "properties": { + "conditionProperties": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRulePropertyValuesCondition" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "conditionType": { + "type": "string", + "enum": [ + "Property" + ] + } + }, + "required": [ + "conditionType" + ], + "description": "Describes an automation rule condition that evaluates a property's value" + }, + "RelationProperties": { + "type": "object", + "properties": { + "relatedResourceId": { + "type": "string", + "description": "The resource ID of the related resource" + } + }, + "required": [ + "relatedResourceId" + ], + "description": "Relation property bag." + }, + "Repository": { + "type": "object", + "properties": { + "branch": { + "type": "string", + "description": "Branch name of repository." + }, + "deploymentLogsUrl": { + "type": "string", + "description": "Url to access repository action logs." + }, + "displayUrl": { + "type": "string", + "description": "Display url of repository." + }, + "pathMapping": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ContentPathMap" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of source control content type and path mapping." + }, + "url": { + "type": "string", + "description": "Url of repository." + } + }, + "description": "metadata of a repository." + }, + "RepositoryResourceInfo": { + "type": "object", + "properties": { + "azureDevOpsResourceInfo": { + "oneOf": [ + { + "$ref": "#/definitions/AzureDevOpsResourceInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Resources created in Azure DevOps repository." + }, + "gitHubResourceInfo": { + "oneOf": [ + { + "$ref": "#/definitions/GitHubResourceInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Resources created in GitHub repository." + }, + "webhook": { + "oneOf": [ + { + "$ref": "#/definitions/Webhook" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Detail about the webhook object." + } + }, + "description": "Resources created in user's repository for the source-control." + }, + "RequiredPermissions": { + "type": "object", + "properties": { + "action": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "action permission" + }, + "delete": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "delete permission" + }, + "read": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "read permission" + }, + "write": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "write permission" + } + }, + "description": "Required permissions for the connector" + }, + "ScheduledAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Scheduled" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Scheduled alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents scheduled alert rule." + }, + "ScheduledAlertRuleProperties": { + "type": "object", + "properties": { + "alertDetailsOverride": { + "oneOf": [ + { + "$ref": "#/definitions/AlertDetailsOverride" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings for how to dynamically override alert static details" + }, + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "customDetails": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of string key-value pairs of columns to be attached to the alert" + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of entity mappings of the alert rule" + }, + "eventGroupingSettings": { + "oneOf": [ + { + "$ref": "#/definitions/EventGroupingSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Event grouping settings property bag." + }, + "incidentConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident Configuration property bag." + }, + "query": { + "type": "string", + "description": "The query that creates alerts for this rule." + }, + "queryFrequency": { + "type": "string", + "format": "duration", + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run." + }, + "queryPeriod": { + "type": "string", + "format": "duration", + "description": "The period (in ISO 8601 duration format) that this alert rule looks at." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity for alerts created by this alert rule." + }, + "suppressionDuration": { + "type": "string", + "format": "duration", + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered." + }, + "suppressionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the suppression for this alert rule is enabled or disabled." + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Reconnaissance", + "ResourceDevelopment", + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack", + "ImpairProcessControl", + "InhibitResponseFunction" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the alert rule" + }, + "techniques": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The techniques of the alert rule" + }, + "templateVersion": { + "type": "string", + "description": "The version of the alert rule template used to create this rule - in format , where all are numbers, for example 0 <1.0.2>" + }, + "triggerOperator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The threshold triggers this alert rule." + } + }, + "required": [ + "displayName", + "enabled", + "suppressionDuration", + "suppressionEnabled" + ], + "description": "Scheduled alert rule base property bag." + }, + "SecurityMLAnalyticsSettingsDataSource": { + "type": "object", + "properties": { + "connectorId": { + "type": "string", + "description": "The connector id that provides the following data types" + }, + "dataTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The data types used by the security ml analytics settings" + } + }, + "description": "security ml analytics settings data sources" + }, + "SentinelOnboardingStateProperties": { + "type": "object", + "properties": { + "customerManagedKey": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag that indicates the status of the CMK setting" + } + }, + "description": "The Sentinel onboarding state properties" + }, + "SourceControlProperties": { + "type": "object", + "properties": { + "contentTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "AnalyticRule", + "Workbook" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Array of source control content types." + }, + "description": { + "type": "string", + "description": "A description of the source control" + }, + "displayName": { + "type": "string", + "description": "The display name of the source control" + }, + "id": { + "type": "string", + "description": "The id (a Guid) of the source control" + }, + "lastDeploymentInfo": { + "oneOf": [ + { + "$ref": "#/definitions/DeploymentInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information regarding a deployment." + }, + "repository": { + "oneOf": [ + { + "$ref": "#/definitions/Repository" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "metadata of a repository." + }, + "repositoryResourceInfo": { + "oneOf": [ + { + "$ref": "#/definitions/RepositoryResourceInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Resources created in user's repository for the source-control." + }, + "repoType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Github", + "DevOps" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The repository type of the source control." + }, + "version": { + "oneOf": [ + { + "type": "string", + "enum": [ + "V1", + "V2" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The version number associated with the source control." + } + }, + "required": [ + "contentTypes", + "displayName", + "repository", + "repoType" + ], + "description": "Describes source control properties" + }, + "TeamInformation": { + "type": "object", + "properties": {}, + "description": "Describes team information" + }, + "ThreatIntelligenceAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "ThreatIntelligence" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat Intelligence alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents Threat Intelligence alert rule." + }, + "ThreatIntelligenceAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "Threat Intelligence alert rule base property bag." + }, + "ThreatIntelligenceExternalReference": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "External reference description" + }, + "externalId": { + "type": "string", + "description": "External reference ID" + }, + "hashes": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External reference hashes" + }, + "sourceName": { + "type": "string", + "description": "External reference source name" + }, + "url": { + "type": "string", + "description": "External reference URL" + } + }, + "description": "Describes external reference" + }, + "ThreatIntelligenceGranularMarkingModel": { + "type": "object", + "properties": { + "language": { + "type": "string", + "description": "Language granular marking model" + }, + "markingRef": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "marking reference granular marking model" + }, + "selectors": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "granular marking model selectors" + } + }, + "description": "Describes threat granular marking model entity" + }, + "ThreatIntelligenceIndicatorProperties": { + "type": "object", + "properties": { + "confidence": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Confidence of threat intelligence entity" + }, + "created": { + "type": "string", + "description": "Created by" + }, + "createdByRef": { + "type": "string", + "description": "Created by reference of threat intelligence entity" + }, + "defanged": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity defanged" + }, + "description": { + "type": "string", + "description": "Description of a threat intelligence entity" + }, + "displayName": { + "type": "string", + "description": "Display name of a threat intelligence entity" + }, + "extensions": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "object", + "properties": {} + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Extensions map" + }, + "externalId": { + "type": "string", + "description": "External ID of threat intelligence entity" + }, + "externalLastUpdatedTimeUtc": { + "type": "string", + "description": "External last updated time in UTC" + }, + "externalReferences": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceExternalReference" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External References" + }, + "granularMarkings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Granular Markings" + }, + "indicatorTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicator types of threat intelligence entities" + }, + "killChainPhases": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Kill chain phases" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Labels of threat intelligence entity" + }, + "language": { + "type": "string", + "description": "Language of threat intelligence entity" + }, + "lastUpdatedTimeUtc": { + "type": "string", + "description": "Last updated time in UTC" + }, + "modified": { + "type": "string", + "description": "Modified by" + }, + "objectMarkingRefs": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat intelligence entity object marking references" + }, + "parsedPattern": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Parsed patterns" + }, + "pattern": { + "type": "string", + "description": "Pattern of a threat intelligence entity" + }, + "patternType": { + "type": "string", + "description": "Pattern type of a threat intelligence entity" + }, + "patternVersion": { + "type": "string", + "description": "Pattern version of a threat intelligence entity" + }, + "revoked": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity revoked" + }, + "source": { + "type": "string", + "description": "Source of a threat intelligence entity" + }, + "threatIntelligenceTags": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of tags" + }, + "threatTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat types" + }, + "validFrom": { + "type": "string", + "description": "Valid from" + }, + "validUntil": { + "type": "string", + "description": "Valid until" + } + }, + "description": "Describes threat intelligence entity properties" + }, + "ThreatIntelligenceKillChainPhase": { + "type": "object", + "properties": { + "killChainName": { + "type": "string", + "description": "Kill chainName name" + }, + "phaseName": { + "type": "string", + "description": "Phase name" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "ThreatIntelligenceParsedPattern": { + "type": "object", + "properties": { + "patternTypeKey": { + "type": "string", + "description": "Pattern type key" + }, + "patternTypeValues": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Pattern type keys" + } + }, + "description": "Describes parsed pattern entity" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Value of parsed pattern" + }, + "valueType": { + "type": "string", + "description": "Type of the value" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "TIDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "ThreatIntelligence" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "TI (Threat Intelligence) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents threat intelligence data connector." + }, + "TIDataConnectorDataTypes": { + "type": "object", + "properties": { + "indicators": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorDataTypesIndicators" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for indicators connection." + } + }, + "required": [ + "indicators" + ], + "description": "The available data types for TI (Threat Intelligence) data connector." + }, + "TIDataConnectorDataTypesIndicators": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Data type for indicators connection." + }, + "TIDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for TI (Threat Intelligence) data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + }, + "tipLookbackPeriod": { + "type": "string", + "format": "date-time", + "description": "The lookback period for the feed to be imported." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "TI (Threat Intelligence) data connector properties." + }, + "TiTaxiiDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "ThreatIntelligenceTaxii" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/TiTaxiiDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat Intelligence TAXII data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server" + }, + "TiTaxiiDataConnectorDataTypes": { + "type": "object", + "properties": { + "taxiiClient": { + "oneOf": [ + { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypesTaxiiClient" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for TAXII connector." + } + }, + "required": [ + "taxiiClient" + ], + "description": "The available data types for Threat Intelligence TAXII data connector." + }, + "TiTaxiiDataConnectorDataTypesTaxiiClient": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "required": [ + "state" + ], + "description": "Data type for TAXII connector." + }, + "TiTaxiiDataConnectorProperties": { + "type": "object", + "properties": { + "collectionId": { + "type": "string", + "description": "The collection id of the TAXII server." + }, + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/TiTaxiiDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Threat Intelligence TAXII data connector." + }, + "friendlyName": { + "type": "string", + "description": "The friendly name for the TAXII server." + }, + "password": { + "type": "string", + "description": "The password for the TAXII server." + }, + "pollingFrequency": { + "oneOf": [ + { + "type": "string", + "enum": [ + "OnceAMinute", + "OnceAnHour", + "OnceADay" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The polling frequency for the TAXII server." + }, + "taxiiLookbackPeriod": { + "type": "string", + "format": "date-time", + "description": "The lookback period for the TAXII server." + }, + "taxiiServer": { + "type": "string", + "description": "The API root for the TAXII server." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + }, + "userName": { + "type": "string", + "description": "The userName for the TAXII server." + }, + "workspaceId": { + "type": "string", + "description": "The workspace id." + } + }, + "required": [ + "dataTypes", + "pollingFrequency", + "tenantId" + ], + "description": "Threat Intelligence TAXII data connector properties." + }, + "Ueba": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Ueba" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/UebaProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Ueba property bag." + } + }, + "required": [ + "kind" + ], + "description": "Settings with single toggle." + }, + "UebaProperties": { + "type": "object", + "properties": { + "dataSources": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "AuditLogs", + "AzureActivity", + "SecurityEvent", + "SigninLogs" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The relevant data sources that enriched by ueba" + } + }, + "description": "Ueba property bag." + }, + "UserInfo": { + "type": "object", + "properties": { + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user." + } + }, + "description": "User information that made some action" + }, + "WatchlistItemProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist item was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "entityMapping": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "object", + "properties": {} + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "key-value pairs for a watchlist item entity mapping" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist item is deleted or not" + }, + "itemsKeyValue": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "object", + "properties": {} + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "key-value pairs for a watchlist item" + }, + "tenantId": { + "type": "string", + "description": "The tenantId to which the watchlist item belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist item was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "watchlistItemId": { + "type": "string", + "description": "The id (a Guid) of the watchlist item" + }, + "watchlistItemType": { + "type": "string", + "description": "The type of the watchlist item" + } + }, + "required": [ + "itemsKeyValue" + ], + "description": "Describes watchlist item properties" + }, + "WatchlistProperties": { + "type": "object", + "properties": { + "contentType": { + "type": "string", + "description": "The content type of the raw content. Example : text/csv or text/tsv " + }, + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "defaultDuration": { + "type": "string", + "format": "duration", + "description": "The default duration of a watchlist (in ISO 8601 duration format)" + }, + "description": { + "type": "string", + "description": "A description of the watchlist" + }, + "displayName": { + "type": "string", + "description": "The display name of the watchlist" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist is deleted or not" + }, + "itemsSearchKey": { + "type": "string", + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address." + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this watchlist" + }, + "numberOfLinesToSkip": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of lines in a csv/tsv content to skip before the header" + }, + "provider": { + "type": "string", + "description": "The provider of the watchlist" + }, + "rawContent": { + "type": "string", + "description": "The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint" + }, + "source": { + "type": "string", + "description": "The filename of the watchlist, called 'source'" + }, + "sourceType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Local file", + "Remote storage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The sourceType of the watchlist." + }, + "tenantId": { + "type": "string", + "description": "The tenantId where the watchlist belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "uploadStatus": { + "type": "string", + "description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted" + }, + "watchlistAlias": { + "type": "string", + "description": "The alias of the watchlist" + }, + "watchlistId": { + "type": "string", + "description": "The id (a Guid) of the watchlist" + }, + "watchlistType": { + "type": "string", + "description": "The type of the watchlist" + } + }, + "required": [ + "displayName", + "itemsSearchKey", + "provider" + ], + "description": "Describes watchlist properties" + }, + "watchlists_watchlistItems_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2022-08-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Watchlist Item Id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + }, + "Webhook": { + "type": "object", + "properties": { + "rotateWebhookSecret": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag to instruct the backend service to rotate webhook secret." + }, + "webhookId": { + "type": "string", + "description": "Unique identifier for the webhook." + }, + "webhookSecretUpdateTime": { + "type": "string", + "description": "Time when the webhook secret was updated." + }, + "webhookUrl": { + "type": "string", + "description": "URL that gets invoked by the webhook." + } + }, + "description": "Detail about the webhook object." + } + } +} \ No newline at end of file