Dev sentinel 2021 10 01 preview (#17314)

* Bookmarks 2021-10-01-preview * prettier * definitions * rename Co-authored-by: Igal Shapira <[email protected]>
Azure · Jan 13, 2022 · 7a38b11 · 7a38b11
1 parent 639b7a5
commit 7a38b11
Show file tree

Hide file tree

Showing 5 changed files with 153 additions and 7 deletions.
diff --git a/...urce-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json b/...urce-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
@@ -39,7 +39,7 @@
       }
     },
     "AttackTactic": {
-      "description": "The severity for alerts created by this alert rule.",
+      "description": "A list of relevant mitre attacks.",
       "enum": [
         "InitialAccess",
         "Execution",

diff --git a/...hts/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json b/...hts/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
@@ -580,7 +580,7 @@
       "description": "List all the bookmarks.",
       "properties": {
         "nextLink": {
-          "description": "URL to fetch the next set of cases.",
+          "description": "URL to fetch the next set of bookmarks.",
           "readOnly": true,
           "type": "string"
         },
@@ -662,6 +662,25 @@
           "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo",
           "description": "Describes an incident that relates to bookmark",
           "type": "object"
+        },
+        "entityMappings": {
+          "$ref": "#/definitions/EntityMappingsList",
+          "description": "Describes the entity mappings of the bookmark",
+          "type": "object"
+        },
+        "tactics": {
+          "items": {
+            "$ref": "./common/AlertTypes.json#/definitions/AttackTactic"
+          },
+          "description": "A list of relevant mitre attacks",
+          "type": "array"
+        },
+        "techniques": {
+          "items": {
+            "$ref": "#/definitions/AttackTechnique"
+          },
+          "description": "A list of relevant mitre techniques",
+          "type": "array"
         }
       },
       "required": [
@@ -683,6 +702,48 @@
         }
       },
       "type": "object"
+    },
+    "EntityMappingsList": {
+      "description": "Describes the entity mappings of the bookmark",
+      "items": {
+        "$ref": "#/definitions/BookmarkEntityMappings"
+      },
+      "type": "array"
+    },
+    "BookmarkEntityMappings": {
+      "description": "Describes the entity mappings of a single entity",
+      "properties": {
+        "entityType": {
+          "description": "The entity type",
+          "type": "string"
+        },
+        "fieldMappings": {
+          "description": "Array of fields mapping for that entity type",
+          "items": {
+            "$ref": "#/definitions/EntityFieldMapping"
+          },
+          "type": "array"
+        }
+      },
+      "type": "object"
+    },
+    "EntityFieldMapping": {
+      "description": "Map identifiers of a single entity",
+      "properties": {
+        "identifier": {
+          "description": "Alert V3 identifier",
+          "type": "string"
+        },
+        "value": {
+          "description": "The value of the identifier",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
+    "AttackTechnique": {
+      "description": "Mitre technique (https://attack.mitre.org/matrices/enterprise/)",
+      "type": "string"
     }
   }
 }
diff --git a/...rosoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json b/...rosoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
@@ -23,7 +23,24 @@
           "Tag2"
         ],
         "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
-        "queryResult": "Security Event query result"
+        "queryResult": "Security Event query result",
+        "tactics": [
+          "Execution"
+        ],
+        "techniques": [
+          "T1609"
+        ],
+        "entityMappings": [
+          {
+            "entityType": "Account",
+            "fieldMappings": [
+              {
+                "identifier": "Fullname",
+                "value": "[email protected]"
+              }
+            ]
+          }
+        ]
       }
     }
   },
@@ -54,7 +71,24 @@
             "Tag2"
           ],
           "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
-          "queryResult": "Security Event query result"
+          "queryResult": "Security Event query result",
+          "tactics": [
+            "Execution"
+          ],
+          "techniques": [
+            "T1609"
+          ],
+          "entityMappings": [
+            {
+              "entityType": "Account",
+              "fieldMappings": [
+                {
+                  "identifier": "Fullname",
+                  "value": "[email protected]"
+                }
+              ]
+            }
+          ]
         }
       }
     },
@@ -84,7 +118,24 @@
             "Tag2"
           ],
           "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
-          "queryResult": "Security Event query result"
+          "queryResult": "Security Event query result",
+          "tactics": [
+            "Execution"
+          ],
+          "techniques": [
+            "T1609"
+          ],
+          "entityMappings": [
+            {
+              "entityType": "Account",
+              "fieldMappings": [
+                {
+                  "identifier": "Fullname",
+                  "value": "[email protected]"
+                }
+              ]
+            }
+          ]
         }
       }
     }

diff --git a/...osoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json b/...osoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
@@ -39,7 +39,24 @@
             "severity": "Low",
             "title": "New case 1",
             "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
-          }
+          },
+          "tactics": [
+            "Execution"
+          ],
+          "techniques": [
+            "T1609"
+          ],
+          "entityMappings": [
+            {
+              "entityType": "Account",
+              "fieldMappings": [
+                {
+                  "identifier": "Fullname",
+                  "value": "[email protected]"
+                }
+              ]
+            }
+          ]
         }
       }
     }

diff --git a/...icrosoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json b/...icrosoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
@@ -40,7 +40,24 @@
                 "severity": "Low",
                 "title": "New case 1",
                 "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
-              }
+              },
+              "tactics": [
+                "Execution"
+              ],
+              "techniques": [
+                "T1609"
+              ],
+              "entityMappings": [
+                {
+                  "entityType": "Account",
+                  "fieldMappings": [
+                    {
+                      "identifier": "Fullname",
+                      "value": "[email protected]"
+                    }
+                  ]
+                }
+              ]
             }
           }
         ]