From 1774835f8ca26d9bdf1411a215d71571a8817fbf Mon Sep 17 00:00:00 2001
From: Igal Shapira
Date: Tue, 4 Jan 2022 15:22:34 -0800
Subject: [PATCH 1/4] Bookmarks 2021-10-01-preview
---
 .../2021-09-01-preview/common/AlertTypes.json | 2 +-
 .../preview/2021-10-01-preview/Bookmarks.json | 22 ++++++-
 .../examples/bookmarks/CreateBookmark.json | 57 ++++++++++++++++++-
 .../examples/bookmarks/GetBookmarkById.json | 19 ++++++-
 .../examples/bookmarks/GetBookmarks.json | 19 ++++++-
 5 files changed, 112 insertions(+), 7 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
index 9e981c6c3a2c..2187189ae25d 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/common/AlertTypes.json
@@ -39,7 +39,7 @@
 }
 },
 "AttackTactic": {
- "description": "The severity for alerts created by this alert rule.",
+ "description": "A list of relevant mitre attacks.",
 "enum": [
 "InitialAccess",
 "Execution",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
index df226fda91fc..14473df9b040 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
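Review bot: The new `AttackTactic` description reads "A list of relevant mitre attacks.", but this definition is a single enum value (one tactic), not a list; the list is the `tactics` array property that references it. Suggest `"description": "A MITRE ATT&CK tactic."` here and keep the "list of" wording on the array property. This hunk also edits the 2021-09-01-preview file while the commit title targets 2021-10-01-preview; as only the description text changes it is harmless, but worth confirming it is intentional.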
@@ -580,7 +580,7 @@
 "description": "List all the bookmarks.",
 "properties": {
 "nextLink": {
- "description": "URL to fetch the next set of cases.",
+ "description": "URL to fetch the next set of bookmarks.",
 "readOnly": true,
 "type": "string"
 },
@@ -662,7 +662,27 @@
 "$ref": "./common/IncidentTypes.json#/definitions/IncidentInfo",
 "description": "Describes an incident that relates to bookmark",
 "type": "object"
+ },
+ "entityMappings": {
+ "$ref": "#/definitions/EntityMappingsList",
+ "description": "Describes the entity mappings of the bookmark",
+ "type": "object"
+ },
+ "tactics": {
+ "items": {
+ "$ref": "./common/AlertTypes.json#/definitions/AttackTactic"
+ },
+ "description": "A list of relevant mitre attacks",
+ "type": "array"
+ },
+ "techniques": {
+ "items": {
+ "$ref": "#/definitions/AttackTechnique"
+ },
+ "description": "A list of relevant mitre techniques",
+ "type": "array"
+ }
+ },
 "required": [
 "displayName",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
index b94f1f76f729..e4297879555c 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/CreateBookmark.json
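Review bot: In the second hunk, `entityMappings` is declared `"type": "object"` while the `EntityMappingsList` it references is an array (and every example in this series sends an array). Under Swagger 2.0 / draft-04 the keywords beside a `$ref` are ignored by spec-conformant validators, so this will not fail validation, but it misleads readers and any generator that does honour siblings; change it to `"type": "array"` or drop the `type` next to the `$ref`. `tactics` also reuses the "mitre attacks" wording for what are tactics, so `"description": "A list of relevant MITRE ATT&CK tactics"` would be more accurate.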
@@ -23,7 +23,24 @@
 "Tag2"
 ],
 "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
- "queryResult": "Security Event query result"
+ "queryResult": "Security Event query result",
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 },
@@ -54,7 +71,24 @@
 "Tag2"
 ],
 "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
- "queryResult": "Security Event query result"
+ "queryResult": "Security Event query result",
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 },
@@ -84,7 +118,24 @@
 "Tag2"
 ],
 "query": "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)",
- "queryResult": "Security Event query result"
+ "queryResult": "Security Event query result",
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
index 15acbc299145..46bbaa9e4576 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarkById.json
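Review bot: The example value `"value": "johndoe@microsoft.com"` is a realistic-looking personal address in a published API spec; sample data should use a reserved documentation domain, e.g. `"value": "johndoe@example.com"`, so that nothing resolvable or attributable to a real mailbox ends up in generated docs and SDK samples. The same value is repeated in all three hunks of this file and in the GetBookmarkById.json and GetBookmarks.json hunks, so the replacement should be applied in one pass. Note also that the request-body example sends `entityMappings` as an array, which is the shape `EntityMappingsList` describes; keep the examples and the schema's declared type for that property in agreement.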
@@ -39,7 +39,24 @@
 "severity": "Low",
 "title": "New case 1",
 "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
- }
+ },
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
index d386385c3588..7cf6bd07d9d1 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/bookmarks/GetBookmarks.json
@@ -40,7 +40,24 @@
 "severity": "Low",
 "title": "New case 1",
 "relationName": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0018"
- }
+ },
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": [
+ "T1609"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "Fullname",
+ "value": "johndoe@microsoft.com"
+ }
+ ]
+ }
+ ]
 }
 }
 ]
From c60a3f5c0206ed29305e687e92505fda80b9646e Mon Sep 17 00:00:00 2001
From: Igal Shapira
Date: Tue, 4 Jan 2022 15:28:26 -0800
Subject: [PATCH 2/4] prettier
---
 .../preview/2021-10-01-preview/Bookmarks.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
index 14473df9b040..648183a5911f 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
@@ -682,7 +682,6 @@
 "description": "A list of relevant mitre techniques",
 "type": "array"
 }
- },
 "required": [
 "displayName",
From 445aac6ca877a1472d116c2783c60584637aed7d Mon Sep 17 00:00:00 2001
From: Igal Shapira
Date: Wed, 5 Jan 2022 13:58:55 -0800
Subject: [PATCH 3/4] definitions
---
 .../preview/2021-10-01-preview/Bookmarks.json | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
index 648183a5911f..e5641f72e758 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
@@ -702,6 +702,48 @@
 }
 },
 "type": "object"
+ },
+ "EntityMappingsList": {
+ "description": "Describes the entity mappings of the bookmark",
+ "items": {
+ "$ref": "#/definitions/EntityMappings"
+ },
+ "type": "array"
+ },
+ "EntityMappings": {
+ "description": "Describes the entity mappings of a single entity",
+ "properties": {
+ "entityType": {
+ "description": "The entity type",
+ "type": "string"
+ },
+ "fieldMappings": {
+ "description": "Array of fields mapping for that entity type",
+ "items": {
+ "$ref": "#/definitions/EntityFieldMapping"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "EntityFieldMapping": {
+ "description": "Map identifiers of a single entity",
+ "properties": {
+ "identifier": {
+ "description": "Alert V3 identifier",
+ "type": "string"
+ },
+ "value": {
+ "description": "The value of the identifier",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "AttackTechnique": {
+ "description": "Mitre technique (https://attack.mitre.org/matrices/enterprise/)",
+ "type": "string"
 }
 }
 }
From fa64749abfa5ca3307c6d540c0a05b96eea77c22 Mon Sep 17 00:00:00 2001
From: Igal Shapira
Date: Wed, 5 Jan 2022 14:23:03 -0800
Subject: [PATCH 4/4] rename
---
 .../preview/2021-10-01-preview/Bookmarks.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
index e5641f72e758..a7edb7ba4855 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/Bookmarks.json
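Review bot: `AttackTechnique` is an unconstrained string, so any text is accepted where a MITRE ATT&CK technique identifier is expected; adding `"pattern": "^T\\d{4}(\\.\\d{3})?$"` next to `"type": "string"` would reject malformed values at validation time (drop the optional group if sub-technique IDs are not meant to be accepted). `EntityMappings` and `EntityFieldMapping` declare no `required` list, so an empty `{}` mapping or a field mapping with neither `identifier` nor `value` validates; if those members are mandatory, add `"required": ["entityType", "fieldMappings"]` and `"required": ["identifier", "value"]` respectively. `entityType` is likewise a free string; if this API version already defines an entity-type enum for alert-rule entity mappings, referencing it here would keep the example's `"Account"` value constrained, and the `identifier` description "Alert V3 identifier" would benefit from saying what namespace those identifiers come from.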
@@ -706,11 +706,11 @@
 "EntityMappingsList": {
 "description": "Describes the entity mappings of the bookmark",
 "items": {
- "$ref": "#/definitions/EntityMappings"
+ "$ref": "#/definitions/BookmarkEntityMappings"
 },
 "type": "array"
 },
- "EntityMappings": {
+ "BookmarkEntityMappings": {
 "description": "Describes the entity mappings of a single entity",
 "properties": {
 "entityType": {