From 6f9a3bd931039e95528730890e065479a377d884 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Tue, 1 Dec 2020 18:51:33 +0200 Subject: [PATCH 1/8] Commint new examples and paths --- .../2019-01-01-preview/SecurityInsights.json | 656 ++++++++++++++++++ .../examples/entities/GetQueries.json | 457 ++++++++++++ .../entities/insights/PostGetInsights.json | 101 +++ 3 files changed, 1214 insertions(+) create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index cdd9e3d27db7..73570d305699 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -2191,6 +2191,108 @@ } } }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": { + "get": { + "x-ms-examples": { + "Get Entity Query": { + "$ref": "./examples/entities/GetQueries.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Execute Insights for an entity.", + "operationId": "Entities_Queries", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/EntitiesQueriesKindParameter" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/GetQueriesResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": { + "post": { + "x-ms-examples": { + "Entity Insight": { + "$ref": "./examples/entities/insights/PostGetInsights.json" + } + }, + "tags": [ + "Entities" + ], + "description": "Execute Insights for an entity.", + "operationId": "Entities_GetInsights", + "parameters": [ + { + "$ref": "#/parameters/ApiVersion" + }, + { + "$ref": "#/parameters/SubscriptionId" + }, + { + "$ref": "#/parameters/ResourceGroupName" + }, + { + "$ref": "#/parameters/OperationalInsightsResourceProvider" + }, + { + "$ref": "#/parameters/WorkspaceName" + }, + { + "$ref": "#/parameters/EntityId" + }, + { + "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/EntityGetInsightsResponse" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "#/definitions/CloudError" + } + } + } + } + }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": { "get": { "x-ms-examples": { @@ -4234,6 +4336,28 @@ } }, "definitions": { + "EntitiesQueriesKind": { + "description": "The entity query kind", + "enum": [ + "Activity", + "Insight" + ], + "type": "string", + "x-ms-enum": { + "modelAsString": true, + "name": "EntitiesQueriesKind", + "values": [ + { + "description": "activity", + "value": "Activity" + }, + { + "description": "insight", + "value": "Insight" + } + ] + } + }, "AADDataConnector": { "allOf": [ { @@ -6156,6 +6280,18 @@ } } }, + "GetQueriesResponse": { + "description": "Retrieve queries for entity result operation response.", + "properties": { + "value": { + "description": "The query result values.", + "items": { + "$ref": "#/definitions/EntityQueryItem" + }, + "type": "array" + } + } + }, "EntityInnerKind": { "description": "The kind of the entity", "enum": [ @@ -6776,6 +6912,251 @@ }, "type": "object" }, + "ShayEntityQueryProperties": { + "description": "Describes entity query properties", + "properties": { + "dataSources": { + "description": "List of the data sources that are required to run the query", + "items": { + "description": "data source", + "type": "string" + }, + "type": "array" + }, + "displayName": { + "description": "The query display name", + "type": "string" + }, + "inputEntityType": { + "$ref": "#/definitions/EntityInnerType", + "description": "The type of the query's source entity" + }, + "inputFields": { + "description": "List of the fields of the source entity that are required to run the query", + "items": { + "description": "input field", + "type": "string" + }, + "type": "array" + }, + "outputEntityTypes": { + "description": "List of the desired output types to be constructed from the result", + "items": { + "$ref": "#/definitions/EntityInnerType", + "description": "output entity type" + }, + "type": "array" + }, + "queryTemplate": { + "description": "The template query string to be parsed and formatted", + "type": "string" + } + }, + "type": "object" + }, + "InsightQueryItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItem" + } + ], + "description": "Represents Insight Query.", + "properties": { + "properties": { + "description": "Properties bag for InsightQueryItem", + "$ref": "#/definitions/InsightQueryItemProperties" + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "InsightQueryItemProperties": { + "allOf": [ + { + "$ref": "#/definitions/ShayEntityQueryItemProperties" + } + ], + "description": "Represents Insight Query.", + "properties": { + "displayName": { + "type": "string", + "description": "The insight display name." + }, + "description": { + "type": "string", + "description": "The insight description." + }, + "baseQuery": { + "type": "string", + "description": "The base query of the insight." + }, + "tableQuery": { + "type": "object", + "description": "The insight table query.", + "properties": { + "columnsDefinitions": { + "type": "array", + "description": "List of insight column definitions.", + "items": { + "properties": { + "header": { + "type": "string", + "description": "Insight column header." + }, + "outputType": { + "type": "string", + "description": "Insights Column type.", + "enum": [ + "Number", + "String", + "Date", + "Entity" + ] + }, + "supportDeepLink": { + "type": "boolean", + "description": "Is query supports deep-link." + } + } + } + }, + "queriesDefinitions": { + "type": "array", + "description": "List of insight queries definitions.", + "items": { + "properties": { + "filter": { + "type": "string", + "description": "Insight column header." + }, + "summarize": { + "type": "string", + "description": "Insight column header." + }, + "project": { + "type": "string", + "description": "Insight column header." + }, + "linkColumnsDefinitions": { + "type": "array", + "description": "Insight column header.", + "items": { + "properties": { + "projectedName": { + "type": "string", + "description": "Insight Link Definition Projected Name." + }, + "Query": { + "type": "string", + "description": "Insight Link Definition Query." + } + } + } + } + } + } + } + } + }, + "chartQuery": { + "type": "object", + "description": "The insight chart query." + }, + "additionalQuery": { + "type": "object", + "description": "The activity query definitions.", + "properties": { + "query": { + "type": "string", + "description": "The insight query." + }, + "text": { + "type": "string", + "description": "The insight text." + } + } + }, + "defaultTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "The padding for the start time of the query." + }, + "afterRange": { + "type": "string", + "description": "The padding for the end time of the query." + } + } + }, + "referenceTimeRange": { + "type": "object", + "description": "The insight chart query.", + "properties": { + "beforeRange": { + "type": "string", + "description": "Additional query time for looking back." + } + } + } + }, + "type": "object", + "x-ms-discriminator-value": "Insight" + }, + "ActivityQueryItem": { + "allOf": [ + { + "$ref": "#/definitions/EntityQueryItem" + } + ], + "description": "Represents Activity Query.", + "properties": { + "properties": { + "description": "Properties bag for InsightQueryItem", + "$ref": "#/definitions/ActivityQueryItemProperties" + } + }, + "type": "object", + "x-ms-discriminator-value": "Activity" + }, + "ActivityQueryItemProperties": { + "allOf": [ + { + "$ref": "#/definitions/ShayEntityQueryItemProperties" + } + ], + "description": "Represents Activity properties Query.", + "properties": { + "content": { + "type": "string", + "description": "The activity content." + }, + "title": { + "type": "string", + "description": "The activity title." + }, + "description": { + "type": "string", + "description": "The activity description." + }, + "enabledByDefault": { + "type": "boolean", + "description": "Is activity should be enabled by default." + }, + "queryDefinitions": { + "type": "object", + "description": "The activity query definitions.", + "properties": { + "query": { + "type": "string", + "description": "The activity query." + } + } + } + }, + "type": "object" + }, "ActivityTimelineItem": { "allOf": [ { @@ -10578,6 +10959,237 @@ } }, "type": "object" + }, + "EntityGetInsightsParameters": { + "description": "The parameters required to execute insights operation on the given entity.", + "type": "object", + "properties": { + "startTime": { + "description": "The start timeline date, so the results returned are after this date.", + "format": "date-time", + "type": "string" + }, + "endTime": { + "description": "The end timeline date, so the results returned are before this date.", + "format": "date-time", + "type": "string" + }, + "addDefaultExtendedTimeRange": { + "description": "Indicates if query time range should be extended with default time range of the query. Default value is false", + "type": "boolean" + }, + "insightQueryIds": { + "description": "List of Insights Query Id. If empty, default value is all insights of this entity", + "type": "array", + "items": { + "description": "Insight Query Id (GUID)", + "format": "uuid", + "type": "string" + } + } + }, + "required": [ + "startTime", + "endTime" + ] + }, + "EntityGetInsightsResponse": { + "description": "The Get Insights result operation response.", + "properties": { + "metaData": { + "$ref": "#/definitions/GetInsightsResultsMetadata", + "description": "The metadata from the get insights operation results." + }, + "value": { + "description": "The insights result values.", + "items": { + "$ref": "#/definitions/EntityInsightItem" + }, + "type": "array" + } + } + }, + "GetInsightsResultsMetadata": { + "description": "Get Insights result metadata.", + "properties": { + "totalCount": { + "description": "the total items found for the insights request", + "type": "integer", + "format": "int32" + }, + "errors": { + "description": "information about the failed queries", + "items": { + "$ref": "#/definitions/GetInsightsError" + }, + "type": "array" + } + }, + "required": [ + "totalCount" + ], + "type": "object" + }, + "GetInsightsError": { + "description": "GetInsights Query Errors.", + "properties": { + "kind": { + "description": "the query kind", + "type": "string", + "enum": [ + "Insight" + ] + }, + "queryId": { + "description": "the query id", + "type": "string" + }, + "errorMessage": { + "description": "the error message", + "type": "string" + } + }, + "required": [ + "kind", + "errorMessage" + ], + "type": "object" + }, + "EntityQueryItem": { + "description": "An abstract Query item for entity", + "type": "object", + "discriminator": "kind", + "properties": { + "kind": { + "$ref": "#/definitions/EntitiesQueriesKind", + "description": "The entity query kind type." + }, + "id": { + "description": "Query Template ARM ID", + "type": "string", + "format": "uuid", + "readOnly": true + }, + "name": { + "description": "Query Template ARM Name", + "type": "string" + }, + "type": { + "description": "ARM Type", + "type": "string" + } + }, + "required": [ + "kind" + ] + }, + "ShayEntityQueryItemProperties": { + "description": "An properties abstract Query item for entity", + "type": "object", + "properties": { + "dataTypes": { + "description": "Data types for template", + "type": "array", + "items": { + "properties": { + "dataType": { + "description": "Data type name", + "type": "string" + } + } + } + }, + "inputEntityType": { + "description": "The type of the entity", + "$ref": "#/definitions/EntityInnerType" + }, + "requiredInputFieldsSets": { + "description": "Data types for template", + "type": "array", + "items": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "entitiesFilter": { + "description": "The query applied only to entities matching to all filters", + "type": "object" + } + } + }, + "EntityInsightItem": { + "description": "Entity insight Item.", + "type": "object", + "properties": { + "queryId": { + "type": "string", + "description": "The query id of the insight" + }, + "queryTimeInterval": { + "type": "object", + "description": "The Time interval that the query actually executed on.", + "properties": { + "startTime": { + "format": "date-time", + "type": "string", + "description": "Insight query start time" + }, + "endTime": { + "format": "date-time", + "type": "string", + "description": "Insight query end time" + } + } + }, + "tableQueryResults": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + }, + "chartQueryResults": { + "type": "array", + "description": "Query results for table insights query.", + "items": { + "$ref": "#/definitions/InsightsTableResult", + "description": "Query results for table insights query." + } + } + } + }, + "InsightsTableResult": { + "type": "object", + "description": "Query results for table insights query.", + "properties": { + "columns": { + "type": "array", + "description": "Columns Metadata of the table", + "items": { + "properties": { + "type": { + "type": "string", + "description": "the type of the colum" + }, + "name": { + "type": "string", + "description": "the name of the colum" + } + } + } + }, + "rows": { + "type": "array", + "description": "Rows data of the table", + "items": { + "type": "array", + "description": "Single row of data", + "items": { + "type": "string", + "description": "Cell in the table" + } + } + } + } } }, "parameters": { @@ -10773,6 +11385,42 @@ }, "x-ms-parameter-location": "method" }, + "EntitiesQueriesKindParameter": { + "description": "The Kind parameter for queries", + "in": "query", + "name": "kind", + "required": true, + "type": "string", + "enum": [ + "Insight", + "Activity" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "ShayEntityQueryKind", + "values": [ + { + "description": "activity", + "value": "Activity" + }, + { + "description": "insight", + "value": "Insight" + } + ] + }, + "x-ms-parameter-location": "method" + }, + "GetInsightsEntityQueriesRequestBody": { + "description": "The parameters required to execute insights on the given entity.", + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/EntityGetInsightsParameters" + }, + "x-ms-parameter-location": "method" + }, "EntityId": { "description": "entity ID", "in": "path", @@ -10987,6 +11635,14 @@ }, "x-ms-parameter-location": "method" }, + "ThreatIntelligenceIndicatorEntityKind": { + "description": "The threat intelligence entity kind", + "in": "query", + "name": "ctiEntityKind", + "required": false, + "type": "string", + "x-ms-parameter-location": "method" + }, "ThreatIntelligenceAppendTags": { "description": "The threat intelligence append tags request body", "in": "body", diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json new file mode 100644 index 000000000000..66b74405fedd --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json @@ -0,0 +1,457 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "kind": "Insight" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/6db7f5d1-f41e-46c2-b935-230b36a569e6", + "name": "6db7f5d1-f41e-46c2-b935-230b36a569e6", + "type": "Microsoft.SecurityInsights/queries", + "kind": "Insight", + "properties": { + "displayName": "Actions on account", + "description": "Summary of actions taken on the specified account, grouped by action: password resets and changes, account lockouts (policy or admin), account creation and deletion, account enabled and disabled\n", + "baseQuery": "let GetAccountActions = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string, v_Account_AADUserId:string, v_Account_SID:string){\nAuditLogs\n| where OperationName in~ ('Delete user', 'Change user password', 'Reset user password', 'Change password (self-service)', 'Reset password (by admin)', 'Reset password (self-service)', 'Update user')\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| extend Account_Name = tostring(split(UserPrincipalName, '@')[0])\n| extend Account_UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\n| extend ModifiedProperty = parse_json(Action).displayName\n| extend ModifiedValue = parse_json(Action).newValue\n| extend Account_AADUserId = tostring(TargetResources[0].id)\n| extend DisableUser = iif(ModifiedProperty =~ 'AccountEnabled' and ModifiedValue =~ '[false]', 'True', 'False')\n| union isfuzzy=true (\nSecurityEvent\n| where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\n| extend OperationName = tostring(EventID)\n| where AccountType =~ \"user\" or isempty(AccountType)\n| extend Account_Name = TargetUserName, Account_NTDomain = TargetDomainName, Account_SID = TargetSid\n)\n| where (Account_Name =~ v_Account_Name and (Account_UPNSuffix =~ v_Account_UPNSuffix or Account_NTDomain =~ v_Account_NTDomain)) or Account_AADUserId =~ v_Account_AADUserId or Account_SID =~ v_Account_SID\n};\nGetAccountActions('CTFFUser4', '', 'seccxp.ninja', '', '')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Action", + "outputType": "String", + "supportDeepLink": false + }, + { + "header": "Most Recent", + "outputType": "Date", + "supportDeepLink": false + }, + { + "header": "Count", + "outputType": "Number", + "supportDeepLink": true + } + ], + "queriesDefinitions": [ + { + "filter": "where OperationName in~ ('Change user password', 'Reset user password', 'Change password (self-service)', 'Reset password (by admin)', 'Reset password (self-service)', '4724', '4723')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Blocked from self-service password reset', '4740')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName == '4725' or (OperationName =~ 'Update user' and DisableUser =~ 'True')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Add user', '4720')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Delete user', '4726')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('4725', 'Blocked from self-service password reset', '4740') or (OperationName =~ 'Update user' and DisableUser =~ 'True')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('4722', '4767') or (OperationName =~ 'Update user' and DisableUser =~ 'False')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where OperationName in~ ('Update user','4738')", + "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName", + "project": "project Title = OperationName, MostRecent, Count", + "linkColumnsDefinitions": [ + { + "projectedName": "Count", + "Query": "{{BaseQuery}} | " + } + ] + } + ] + }, + "chartQuery": { + "title": "Actions by type", + "dataSets": [ + { + "query": "summarize Count = count() by bin(TimeGenerated, 1h), OperationName", + "xColumnName": "TimeGenerated", + "yColumnName": "Count", + "legendColumnName": "OperationName" + } + ], + "type": "BarChart" + }, + "additionalQuery": { + "text": "See all account activity", + "query": "project TimeGenerated, UserPrincipalName, Account_Name, OperationName, Activity, DisableUser, TargetSid, AADUserId, InitiatedBy, AADTenantId, AccountType, Computer, SubjectAccount, SubjectUserSid, EventData" + }, + "defaultTimeRange": { + "beforeRange": "12h", + "afterRange": "12h" + }, + "referenceTimeRange": null, + "dataTypes": [ + { + "dataType": "AuditLogs" + }, + { + "dataType": "SecurityEvent" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_NTDomain" + ], + [ + "Account_Name", + "Account_UPNSuffix" + ], + [ + "Account_AADUserId" + ], + [ + "Account_SID" + ] + ], + "entitiesFilter": {} + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/0a5d7b14-b485-450a-a0ac-4100c860ac32", + "name": "0a5d7b14-b485-450a-a0ac-4100c860ac32", + "type": "Microsoft.SecurityInsights/queries", + "kind": "Insight", + "properties": { + "displayName": "Anomalously high office operation count", + "description": "Highlight office operations of the user with anomalously high count compared to those observed in the preceding 14 days.", + "baseQuery": "let AScoreThresh = 3; \nlet maxAnomalies = 3;\nlet BeforeRange = 12d; \nlet EndTime = todatetime('{{EndTimeUTC}}'); \nlet StartTime = todatetime('{{StartTimeUTC}}');\nlet numDays = tolong((EndTime-StartTime)/1d); \nlet userData = (v_Account_Name:string, v_Account_UPNSuffix:string) { \n OfficeActivity \n | extend splitUserId=split(UserId, '@')\n | extend Account_Name = tostring(splitUserId[0]), Account_UPNSuffix = tostring(splitUserId[1])\n | where Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix }; \nuserData('CTFFUser4', 'seccxp.ninja')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Operation", + "outputType": "String", + "supportDeepLink": true + }, + { + "header": "Expected Count", + "outputType": "Number", + "supportDeepLink": false + }, + { + "header": "Actual Count", + "outputType": "Number", + "supportDeepLink": false + } + ], + "queriesDefinitions": [ + { + "filter": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost=maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore-maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc\n", + "summarize": "take 1", + "project": "project Operation, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)", + "linkColumnsDefinitions": [ + { + "projectedName": "Operation", + "Query": "{{BaseQuery}} \n| where TimeGenerated between (StartTime .. EndTime) \n| where Operation == ''\n" + } + ] + } + ] + }, + "chartQuery": { + "title": "Anomalous operation timeline", + "dataSets": [ + { + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost=maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore-maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,round(postExpectedCount,2)) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| take 1 \n| project Operation, TimeGenerated, count_\n| mvexpand TimeGenerated, count_ | project todatetime(TimeGenerated), toint(count_), Operation\n", + "xColumnName": "TimeGenerated", + "yColumnName": "count_", + "legendColumnName": "Operation" + } + ], + "type": "LineChart" + }, + "additionalQuery": { + "text": "Query all anomalous operations", + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_\n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies\n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh | order by maxAnomalyScorePost desc \n| project Operation, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)\n" + }, + "defaultTimeRange": { + "beforeRange": "1d", + "afterRange": "0d" + }, + "referenceTimeRange": { + "beforeRange": "12d" + }, + "dataTypes": [ + { + "dataType": "OfficeActivity" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_UPNSuffix" + ] + ], + "entitiesFilter": {} + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", + "name": "e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", + "type": "Microsoft.SecurityInsights/queries", + "kind": "Insight", + "properties": { + "displayName": "Resource access", + "description": "Provides the count and distinct resource accesses by a given user account\n", + "baseQuery": "let Operations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet UserOperationToSharePoint = (v_Account_Name:string, v_Account_UPNSuffix:string) {\nOfficeActivity\n// Select sharepoint activity that is relevant\n| where RecordType in~ ('SharePointFileOperation')\n| where Operation in~ (Operations)\n| extend Account_Name = tostring(split(UserId, '@')[0])\n| extend Account_UPNSuffix = tostring(split(UserId, '@')[1])\n| where Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix\n| project TimeGenerated, Account_Name, Account_UPNSuffix, UserId, OfficeId, RecordType, Operation, OrganizationId, UserType, UserKey, OfficeWorkload, OfficeObjectId, ClientIP, ItemType, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension , Start_Time , ElevationTime , TenantId, SourceSystem , Type\n};\nUserOperationToSharePoint ('CTFFUser4','seccxp.ninja')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Resource Type", + "outputType": "String", + "supportDeepLink": false + }, + { + "header": "Distinct Resources", + "outputType": "Number", + "supportDeepLink": true + }, + { + "header": "Total Resources", + "outputType": "Number", + "supportDeepLink": true + }, + { + "header": "IPAddress(es)", + "outputType": "String", + "supportDeepLink": false + } + ], + "queriesDefinitions": [ + { + "filter": "where Operation =~ 'FileUploaded'", + "summarize": "summarize DistinctResources = dcount(SourceFileName), TotalResources = count(SourceFileName), IPAddresses = make_set(ClientIP) by Operation", + "project": "project Title = Operation, DistinctResources, TotalResources, IPAddresses = case(array_length(IPAddresses) == 1, tostring(IPAddresses[0]), array_length(IPAddresses) > 1, 'Many', 'None')", + "linkColumnsDefinitions": [ + { + "projectedName": "DistinctResources", + "Query": "{{BaseQuery}} | " + }, + { + "projectedName": "TotalResources", + "Query": "{{BaseQuery}} | " + } + ] + }, + { + "filter": "where Operation =~ 'FileDownloaded'", + "summarize": "summarize DistinctResources = dcount(SourceFileName), TotalResources = count(SourceFileName), IPAddresses = make_set(ClientIP) by Operation", + "project": "project Title = Operation, DistinctResources, TotalResources, IPAddresses = case(array_length(IPAddresses) == 1, tostring(IPAddresses[0]), array_length(IPAddresses) > 1, 'Many', 'None')", + "linkColumnsDefinitions": [ + { + "projectedName": "DistinctResources", + "Query": "{{BaseQuery}} | " + }, + { + "projectedName": "TotalResources", + "Query": "{{BaseQuery}} | " + } + ] + } + ] + }, + "chartQuery": { + "title": "Resource access over time", + "dataSets": [ + { + "query": "summarize DistinctResources = dcountif(Operation, Operation =~ 'FileUploaded'), TotalResources = countif(Operation =~ 'FileUploaded') by bin(TimeGenerated, 1h) | extend Legend = 'File Uploads'", + "xColumnName": "TimeGenerated", + "yColumnName": "TotalResources", + "legendColumnName": "Legend" + }, + { + "query": "summarize DistinctResources = dcountif(Operation, Operation =~ 'FileDownloaded'), TotalResources = countif(Operation =~ 'FileDownloaded') by bin(TimeGenerated, 1h) | extend Legend = 'File Downloads'", + "xColumnName": "TimeGenerated", + "yColumnName": "TotalResources", + "legendColumnName": "Legend" + } + ], + "type": "LineChart" + }, + "additionalQuery": { + "text": "See all resource activity", + "query": "where Operation in~ (Operations)" + }, + "defaultTimeRange": { + "beforeRange": "12h", + "afterRange": "12h" + }, + "referenceTimeRange": null, + "dataTypes": [ + { + "dataType": "OfficeActivity" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_UPNSuffix" + ], + [ + "Account_AADUserId" + ] + ], + "entitiesFilter": {} + } + }, + { + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", + "name": "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", + "type": "Microsoft.SecurityInsights/queries", + "kind": "Insight", + "properties": { + "displayName": "Anomalously high Azure sign-in result count", + "description": "Highlight Azure sign-in results by the user principal with anomalously high count compared to those observed in the preceding 14 days.", + "baseQuery": "let AScoreThresh=3; \nlet maxAnomalies=3; \nlet BeforeRange = 12d; \nlet EndTime=todatetime('{{EndTimeUTC}}');\nlet StartTime = todatetime('{{StartTimeUTC}}'); \nlet numDays = tolong((EndTime-StartTime)/1d); \nlet userData = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AADUserId:string) { \n SigninLogs \n | where TimeGenerated between ((StartTime-BeforeRange) .. EndTime)\n | extend splitUserId=split(UserPrincipalName, '@')\n | extend Account_Name = tostring(splitUserId[0]), Account_UPNSuffix = tostring(splitUserId[1])\n | where (Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix) or UserId =~ v_Account_AADUserId };\nuserData('CTFFUser4', 'seccxp.ninja', '')\n", + "tableQuery": { + "columnsDefinitions": [ + { + "header": "Result Description", + "outputType": "String", + "supportDeepLink": true + }, + { + "header": "Expected Count", + "outputType": "Number", + "supportDeepLink": false + }, + { + "header": "Actual Count", + "outputType": "Number", + "supportDeepLink": false + } + ], + "queriesDefinitions": [ + { + "filter": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc\n", + "summarize": "take 1", + "project": "project ResultDescription, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)", + "linkColumnsDefinitions": [ + { + "projectedName": "ResultDescription", + "Query": "{{BaseQuery}} \n| where TimeGenerated between (StartTime .. EndTime) \n| where ResultDescription == ''\n" + } + ] + } + ] + }, + "chartQuery": { + "title": "Anomalous sign-in result timeline", + "dataSets": [ + { + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,round(postExpectedCount,2)) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| take 1 \n| project ResultDescription, TimeGenerated, count_ \n| mvexpand TimeGenerated, count_ \n| project todatetime(TimeGenerated), toint(count_), ResultDescription \n", + "xColumnName": "TimeGenerated", + "yColumnName": "count_", + "legendColumnName": "ResultDescription" + } + ], + "type": "LineChart" + }, + "additionalQuery": { + "text": "Query all anomalous sign-in results", + "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_\n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies\n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| project ResultDescription, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)\n" + }, + "defaultTimeRange": { + "beforeRange": "1d", + "afterRange": "0d" + }, + "referenceTimeRange": { + "beforeRange": "12d" + }, + "dataTypes": [ + { + "dataType": "SigninLogs" + } + ], + "inputEntityType": "Account", + "requiredInputFieldsSets": [ + [ + "Account_Name", + "Account_UPNSuffix" + ], + [ + "Account_AADUserId" + ] + ], + "entitiesFilter": {} + } + } + ] + } + } + } +} diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json new file mode 100644 index 000000000000..74aed1a38eb8 --- /dev/null +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json @@ -0,0 +1,101 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", + "resourceGroupName": "myRg", + "workspaceName": "myWorkspace", + "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights", + "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1", + "parameters": { + "addDefaultExtendedTimeRange": false, + "startTime": "2019-04-25T00:00:00.000Z", + "endTime": "2019-05-26T00:00:00.000Z", + "insightQueryIds": [ + "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4" + ] + } + }, + "responses": { + "200": { + "body": { + "value": [ + { + "tableQueryResults": { + "columns": [ + { + "name": "Title", + "type": "string" + }, + { + "name": "NameCount", + "type": "long" + }, + { + "name": "SIDCount", + "type": "long" + }, + { + "name": "InternalOrder", + "type": "long" + }, + { + "name": "Index", + "type": "long" + } + ], + "rows": [ + [ + "MyTitle", + "15", + "SID", + "1", + "1" + ] + ] + }, + "chartQueryResults": [ + { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Count", + "type": "long" + }, + { + "name": "Legend", + "type": "string" + } + ], + "rows": [ + [ + "2019-04-25T00:00:00.000Z", + "55", + "SomeLegend" + ] + ] + } + ], + "queryTimeInterval": { + "startTime": "2020-07-07T23:35:20Z", + "endTime": "2020-11-11T23:35:20Z" + }, + "queryId": "e29ee1ef-7445-455e-85f1-269f2d536d61" + } + ], + "metaData": { + "totalCount": 7, + "errors": [ + { + "kind": "Insight", + "queryId": "4a70a63d-25c4-6312-b73e-4f302a90c06a", + "errorMessage": "Internal server error" + } + ] + } + } + } + } +} From 535a382bbc0420fc3d389f3c58fab5b81c364943 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Thu, 3 Dec 2020 00:02:13 +0200 Subject: [PATCH 2/8] Remove shay prefix --- .../2019-01-01-preview/SecurityInsights.json | 50 ++----------------- 1 file changed, 4 insertions(+), 46 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 73570d305699..d33770ee0a8b 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -6912,48 +6912,6 @@ }, "type": "object" }, - "ShayEntityQueryProperties": { - "description": "Describes entity query properties", - "properties": { - "dataSources": { - "description": "List of the data sources that are required to run the query", - "items": { - "description": "data source", - "type": "string" - }, - "type": "array" - }, - "displayName": { - "description": "The query display name", - "type": "string" - }, - "inputEntityType": { - "$ref": "#/definitions/EntityInnerType", - "description": "The type of the query's source entity" - }, - "inputFields": { - "description": "List of the fields of the source entity that are required to run the query", - "items": { - "description": "input field", - "type": "string" - }, - "type": "array" - }, - "outputEntityTypes": { - "description": "List of the desired output types to be constructed from the result", - "items": { - "$ref": "#/definitions/EntityInnerType", - "description": "output entity type" - }, - "type": "array" - }, - "queryTemplate": { - "description": "The template query string to be parsed and formatted", - "type": "string" - } - }, - "type": "object" - }, "InsightQueryItem": { "allOf": [ { @@ -6973,7 +6931,7 @@ "InsightQueryItemProperties": { "allOf": [ { - "$ref": "#/definitions/ShayEntityQueryItemProperties" + "$ref": "#/definitions/EntityQueryItemProperties" } ], "description": "Represents Insight Query.", @@ -7123,7 +7081,7 @@ "ActivityQueryItemProperties": { "allOf": [ { - "$ref": "#/definitions/ShayEntityQueryItemProperties" + "$ref": "#/definitions/EntityQueryItemProperties" } ], "description": "Represents Activity properties Query.", @@ -11083,7 +11041,7 @@ "kind" ] }, - "ShayEntityQueryItemProperties": { + "EntityQueryItemProperties": { "description": "An properties abstract Query item for entity", "type": "object", "properties": { @@ -11397,7 +11355,7 @@ ], "x-ms-enum": { "modelAsString": true, - "name": "ShayEntityQueryKind", + "name": "EntityItemQueryKind", "values": [ { "description": "activity", From 80a1e74942783085a1027047a21d7c2cbc7f79f0 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Sun, 6 Dec 2020 23:30:35 +0200 Subject: [PATCH 3/8] Update id and type --- .../examples/entities/GetQueries.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json index 66b74405fedd..e0f5831092bf 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json @@ -13,9 +13,9 @@ "body": { "value": [ { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/6db7f5d1-f41e-46c2-b935-230b36a569e6", + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/6db7f5d1-f41e-46c2-b935-230b36a569e6", "name": "6db7f5d1-f41e-46c2-b935-230b36a569e6", - "type": "Microsoft.SecurityInsights/queries", + "type": "Microsoft.SecurityInsights/entities/queries", "kind": "Insight", "properties": { "displayName": "Actions on account", @@ -180,9 +180,9 @@ } }, { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/0a5d7b14-b485-450a-a0ac-4100c860ac32", + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/0a5d7b14-b485-450a-a0ac-4100c860ac32", "name": "0a5d7b14-b485-450a-a0ac-4100c860ac32", - "type": "Microsoft.SecurityInsights/queries", + "type": "Microsoft.SecurityInsights/entities/queries", "kind": "Insight", "properties": { "displayName": "Anomalously high office operation count", @@ -259,9 +259,9 @@ } }, { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", "name": "e6cf68e6-1eca-4fbb-9fad-6280f2a9476e", - "type": "Microsoft.SecurityInsights/queries", + "type": "Microsoft.SecurityInsights/entities/queries", "kind": "Insight", "properties": { "displayName": "Resource access", @@ -369,9 +369,9 @@ } }, { - "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/queries/cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", + "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", "name": "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4", - "type": "Microsoft.SecurityInsights/queries", + "type": "Microsoft.SecurityInsights/entities/queries", "kind": "Insight", "properties": { "displayName": "Anomalously high Azure sign-in result count", From 6ab1b6764de22d9c3ae682caaaca11c3a0ee786b Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Sun, 6 Dec 2020 23:34:27 +0200 Subject: [PATCH 4/8] Rename Queries Descritpion --- .../preview/2019-01-01-preview/SecurityInsights.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index d33770ee0a8b..981f5ab24867 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -2201,7 +2201,7 @@ "tags": [ "Entities" ], - "description": "Execute Insights for an entity.", + "description": "Get Insights and Activities for an entity.", "operationId": "Entities_Queries", "parameters": [ { From 355c8a8eddd229384fb36fe8eddbf7a381989315 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Tue, 8 Dec 2020 14:50:02 +0200 Subject: [PATCH 5/8] Reuse same kind object and remove query to support only insights --- .../2019-01-01-preview/SecurityInsights.json | 111 ++---------------- 1 file changed, 7 insertions(+), 104 deletions(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 981f5ab24867..f16dd576ebeb 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -2223,7 +2223,7 @@ "$ref": "#/parameters/EntityId" }, { - "$ref": "#/parameters/EntitiesQueriesKindParameter" + "$ref": "#/definitions/EntityQueryKind" } ], "responses": { @@ -4336,28 +4336,6 @@ } }, "definitions": { - "EntitiesQueriesKind": { - "description": "The entity query kind", - "enum": [ - "Activity", - "Insight" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "EntitiesQueriesKind", - "values": [ - { - "description": "activity", - "value": "Activity" - }, - { - "description": "insight", - "value": "Insight" - } - ] - } - }, "AADDataConnector": { "allOf": [ { @@ -6525,7 +6503,8 @@ "kind": { "description": "The kind of the entity query", "enum": [ - "Expansion" + "Expansion", + "Insights" ], "type": "string", "x-ms-enum": { @@ -6534,6 +6513,9 @@ "values": [ { "value": "Expansion" + }, + { + "value": "Insights" } ] } @@ -7062,59 +7044,6 @@ "type": "object", "x-ms-discriminator-value": "Insight" }, - "ActivityQueryItem": { - "allOf": [ - { - "$ref": "#/definitions/EntityQueryItem" - } - ], - "description": "Represents Activity Query.", - "properties": { - "properties": { - "description": "Properties bag for InsightQueryItem", - "$ref": "#/definitions/ActivityQueryItemProperties" - } - }, - "type": "object", - "x-ms-discriminator-value": "Activity" - }, - "ActivityQueryItemProperties": { - "allOf": [ - { - "$ref": "#/definitions/EntityQueryItemProperties" - } - ], - "description": "Represents Activity properties Query.", - "properties": { - "content": { - "type": "string", - "description": "The activity content." - }, - "title": { - "type": "string", - "description": "The activity title." - }, - "description": { - "type": "string", - "description": "The activity description." - }, - "enabledByDefault": { - "type": "boolean", - "description": "Is activity should be enabled by default." - }, - "queryDefinitions": { - "type": "object", - "description": "The activity query definitions.", - "properties": { - "query": { - "type": "string", - "description": "The activity query." - } - } - } - }, - "type": "object" - }, "ActivityTimelineItem": { "allOf": [ { @@ -11019,7 +10948,7 @@ "discriminator": "kind", "properties": { "kind": { - "$ref": "#/definitions/EntitiesQueriesKind", + "$ref": "#/definitions/EntityQueryKind", "description": "The entity query kind type." }, "id": { @@ -11343,32 +11272,6 @@ }, "x-ms-parameter-location": "method" }, - "EntitiesQueriesKindParameter": { - "description": "The Kind parameter for queries", - "in": "query", - "name": "kind", - "required": true, - "type": "string", - "enum": [ - "Insight", - "Activity" - ], - "x-ms-enum": { - "modelAsString": true, - "name": "EntityItemQueryKind", - "values": [ - { - "description": "activity", - "value": "Activity" - }, - { - "description": "insight", - "value": "Insight" - } - ] - }, - "x-ms-parameter-location": "method" - }, "GetInsightsEntityQueriesRequestBody": { "description": "The parameters required to execute insights on the given entity.", "name": "parameters", From 0bf2c01105d204d58de92de7a5fd53450d80bb58 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Wed, 9 Dec 2020 09:52:29 +0200 Subject: [PATCH 6/8] Change insights to insight --- .../preview/2019-01-01-preview/SecurityInsights.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index f16dd576ebeb..1ed8f838836f 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -6515,7 +6515,7 @@ "value": "Expansion" }, { - "value": "Insights" + "value": "Insight" } ] } From 22166c7bf15ebf665c1312345643286c9364ffe4 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Wed, 9 Dec 2020 11:10:16 +0200 Subject: [PATCH 7/8] Add EntityQueryKindParam It seems that param cannot use reference to an object. --- .../2019-01-01-preview/SecurityInsights.json | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 1ed8f838836f..10195fee554a 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -2223,7 +2223,7 @@ "$ref": "#/parameters/EntityId" }, { - "$ref": "#/definitions/EntityQueryKind" + "$ref": "#/parameters/EntityQueryKindParam" } ], "responses": { @@ -11334,6 +11334,27 @@ "type": "string", "x-ms-parameter-location": "method" }, + "EntityQueryKindParam": { + "description": "The Kind parameter for queries", + "in": "query", + "name": "kind", + "required": true, + "type": "string", + "enum": [ + "Insight" + ], + "x-ms-enum": { + "modelAsString": true, + "name": "EntityItemQueryKind", + "values": [ + { + "description": "insight", + "value": "Insight" + } + ] + }, + "x-ms-parameter-location": "method" + }, "ODataFilter": { "description": "Filters the results, based on a Boolean condition. Optional.", "in": "query", From 4801dbcff171c1d73d9105002a236687f3682da4 Mon Sep 17 00:00:00 2001 From: Shay Schwartz Date: Wed, 16 Dec 2020 08:44:49 +0200 Subject: [PATCH 8/8] Change "Insights" to "Insight" --- .../preview/2019-01-01-preview/SecurityInsights.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json index 10195fee554a..f2fb835491b8 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json @@ -6504,7 +6504,7 @@ "description": "The kind of the entity query", "enum": [ "Expansion", - "Insights" + "Insight" ], "type": "string", "x-ms-enum": {