diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
index 9e981c6c3a2c..2187189ae25d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
@@ -39,7 +39,7 @@
 }
 },
 "AttackTactic": {
- "description": "The severity for alerts created by this alert rule.",
+ "description": "A list of relevant mitre attacks.",
 "enum": [
 "InitialAccess",
 "Execution",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
index df226fda91fc..a7edb7ba4855 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
@@ -580,7 +580,7 @@
 "description": "List all the bookmarks.",
 "properties": {
 "nextLink": {
- "description": "URL to fetch the next set of cases.",
+ "description": "URL to fetch the next set of bookmarks.",
 "readOnly": true,
 "type": "string"
 },
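Review bot: The replacement description on `AttackTactic` is wrong for the thing it documents: `AttackTactic` is a single enum value (one tactic such as `Execution`), and the list is the `tactics` array elsewhere that references it, so "A list of relevant mitre attacks." will surface in generated SDKs as the doc-comment of the enum type itself. These values are also tactics, not "attacks", and the project name is MITRE ATT&CK. Suggest `"description": "The MITRE ATT&CK tactic (https://attack.mitre.org/tactics/enterprise/) that the alert or bookmark relates to."`. The enum body continues past the end of the hunk.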
@@ -662,6 +662,25 @@
 "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo",
 "description": "Describes an incident that relates to bookmark",
 "type": "object"
+ },
+ "entityMappings": {
+ "$ref": "#/definitions/EntityMappingsList",
+ "description": "Describes the entity mappings of the bookmark",
+ "type": "object"
+ },
+ "tactics": {
+ "items": {
+ "$ref": "./common/AlertTypes.json#/definitions/AttackTactic"
+ },
+ "description": "A list of relevant mitre attacks",
+ "type": "array"
+ },
+ "techniques": {
+ "items": {
+ "$ref": "#/definitions/AttackTechnique"
+ },
+ "description": "A list of relevant mitre techniques",
+ "type": "array"
+ }
 }
 },
 "required": [
@@ -683,6 +702,48 @@
 }
 },
 "type": "object"
+ },
+ "EntityMappingsList": {
+ "description": "Describes the entity mappings of the bookmark",
+ "items": {
+ "$ref": "#/definitions/BookmarkEntityMappings"
+ },
+ "type": "array"
+ },
+ "BookmarkEntityMappings": {
+ "description": "Describes the entity mappings of a single entity",
+ "properties": {
+ "entityType": {
+ "description": "The entity type",
+ "type": "string"
+ },
+ "fieldMappings": {
+ "description": "Array of fields mapping for that entity type",
+ "items": {
+ "$ref": "#/definitions/EntityFieldMapping"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "EntityFieldMapping": {
+ "description": "Map identifiers of a single entity",
+ "properties": {
+ "identifier": {
+ "description": "Alert V3 identifier",
+ "type": "string"
+ },
+ "value": {
+ "description": "The value of the identifier",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "AttackTechnique": {
+ "description": "Mitre technique (https://attack.mitre.org/matrices/enterprise/)",
+ "type": "string"
 }
 }
 }
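Review bot: The new `entityMappings` property declares `"type": "object"` beside a `$ref` to `EntityMappingsList`, which the same change defines as `"type": "array"`, so the sibling type contradicts the referenced definition and the array the examples send. In Swagger 2.0 most tools ignore siblings of `$ref`, which makes this silently wrong rather than rejected, but linters and generators that honor it will emit an object-typed property for an array payload. Change the line to `"type": "array"` or drop the sibling `type` and let the `$ref` carry it. The `tactics` description `"A list of relevant mitre attacks"` should also say MITRE ATT&CK tactics, matching the enum it references. The enclosing `properties` object opens before this hunk.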
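Review bot: `AttackTechnique` is an unconstrained string, so a bookmark can carry arbitrary text where the examples show the ATT&CK ID form `T1609`; because these values are used as keys for MITRE-based correlation and lookups, a format constraint such as `"pattern": "^T\\d{4}(\\.\\d{3})?$"` (which also admits sub-techniques) plus `"uniqueItems": true` on the `techniques` and `tactics` arrays would reject malformed input at the API boundary. `entityType` in `BookmarkEntityMappings` is likewise a free string; if this API version's common types already define an entity-type enum (not visible in this diff), referencing it would keep bookmark mappings consistent with alert entity mappings. The description should read "MITRE ATT&CK technique" rather than "Mitre technique".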
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
index b94f1f76f729..e4297879555c 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
@@ -23,7 +23,24 @@
 "Tag2"
 ],
 "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
- "queryResult": "Security Event query result"
+ "queryResult": "Security Event query result",
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 },
@@ -54,7 +71,24 @@
 "Tag2"
 ],
 "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
- "queryResult": "Security Event query result"
+ "queryResult": "Security Event query result",
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 },
@@ -84,7 +118,24 @@
 "Tag2"
 ],
 "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
- "queryResult": "Security Event query result"
+ "queryResult": "Security Event query result",
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 }
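Review bot: The example `value` added under `entityMappings` is `johndoe@microsoft.com`, a plausibly real mailbox on a real corporate domain; examples in a public API spec are copied verbatim into reference docs and SDK samples, so they should use a reserved domain per RFC 2606, e.g. `"value": "johndoe@example.com"`. The same literal is repeated in all three hunks of this file and in the GetBookmark examples in this change, so fix it in every copy.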
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
index 15acbc299145..46bbaa9e4576 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
@@ -39,7 +39,24 @@
 "severity": "Low",
 "title": "New case 1",
 "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
- }
+ },
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
index d386385c3588..7cf6bd07d9d1 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
@@ -40,7 +40,24 @@
 "severity": "Low",
 "title": "New case 1",
 "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
- }
+ },
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 ]