diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AutomationRules.json
index c54286e1d45b..eb5d403d4635 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/AutomationRules.json
@@ -3,49 +3,22 @@
 "info": {
 "title": "Security Insights",
 "description": "API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider",
- "version": "2021-10-01-preview"
- },
- "host": "management.azure.com",
- "schemes": [
- "https"
- ],
- "consumes": [
- "application/json"
- ],
- "produces": [
- "application/json"
- ],
- "security": [
- {
- "azure_auth": [
- "user_impersonation"
- ]
- }
- ],
- "securityDefinitions": {
- "azure_auth": {
- "type": "oauth2",
- "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
- "flow": "implicit",
- "description": "Azure Active Directory OAuth2 Flow",
- "scopes": {
- "user_impersonation": "impersonate your user account"
- }
+ "version": "2021-10-01-preview",
+ "x-ms-code-generation-settings": {
+ "name": "SecurityInsightsClient"
 }
 },
 "paths": {
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": {
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": {
 "get": {
- "x-ms-examples": {
- "Get all automation rules.": {
- "$ref": "./examples/automationRules/GetAllAutomationRules.json"
- }
- },
 "tags": [
- "Automation Rules"
+ "automationRules"
+ ],
+ "description": "Gets the automation rule.",
+ "operationId": "AutomationRules_Get",
+ "produces": [
+ "application/json"
 ],
- "description": "Gets all automation rules.",
- "operationId": "AutomationRules_List",
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -58,13 +31,16 @@
 },
 {
 "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/AutomationRuleId"
 }
 ],
 "responses": {
 "200": {
- "description": "OK",
+ "description": "Ok",
 "schema": {
- "$ref": "#/definitions/AutomationRulesList"
+ "$ref": "#/definitions/AutomationRule"
 }
 },
 "default": {
@@ -74,23 +50,24 @@
 }
 }
 },
- "x-ms-pageable": {
- "nextLinkName": "nextLink"
- }
- }
- },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules/{automationRuleId}": {
- "get": {
 "x-ms-examples": {
- "Get an automation rule.": {
- "$ref": "./examples/automationRules/GetAutomationRule.json"
+ "AutomationRules_Get": {
+ "$ref": "./examples/automationRules/AutomationRules_Get.json"
 }
- },
+ }
+ },
+ "put": {
 "tags": [
- "Automation Rules"
+ "automationRules"
+ ],
+ "description": "Creates or updates the automation rule.",
+ "operationId": "AutomationRules_CreateOrUpdate",
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
 ],
- "description": "Gets the automation rule.",
- "operationId": "AutomationRules_Get",
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -106,11 +83,25 @@
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
+ },
+ {
+ "in": "body",
+ "name": "automationRuleToUpsert",
+ "description": "The automation rule",
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ }
 }
 ],
 "responses": {
 "200": {
- "description": "OK",
+ "description": "Ok",
+ "schema": {
+ "$ref": "#/definitions/AutomationRule"
+ }
+ },
+ "201": {
+ "description": "Created",
 "schema": {
 "$ref": "#/definitions/AutomationRule"
 }
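Review bot: The inline body parameter `automationRuleToUpsert` added to the put operation in the hunk at -106 has no `"required": true`, whereas the shared `#/parameters/AutomationRule` it replaces (still defined in the file's `parameters` section) declares the body as required. As written, a PUT with no body satisfies the contract and the rule content is only checked, if at all, by the service. Either keep the reference, `{ "$ref": "#/parameters/AutomationRule" }`, or add `"required": true,` to the inline object. The rename from `automationRule` to `automationRuleToUpsert` probably also changes generated SDK method signatures, which is worth confirming for a version that is already published. The put operation itself opens in the previous hunk.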
@@ -121,19 +112,22 @@
 "$ref": "../../../common/2.0/types.json#/definitions/CloudError"
 }
 }
- }
- },
- "put": {
+ },
 "x-ms-examples": {
- "Creates or updates an automation rule.": {
- "$ref": "./examples/automationRules/CreateAutomationRule.json"
+ "AutomationRules_CreateOrUpdate": {
+ "$ref": "./examples/automationRules/AutomationRules_CreateOrUpdate.json"
 }
- },
+ }
+ },
+ "delete": {
 "tags": [
- "Automation Rules"
+ "automationRules"
+ ],
+ "description": "Delete the automation rule.",
+ "operationId": "AutomationRules_Delete",
+ "produces": [
+ "application/json"
 ],
- "description": "Creates or updates the automation rule.",
- "operationId": "AutomationRules_CreateOrUpdate",
 "parameters": [
 {
 "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter"
@@ -149,22 +143,19 @@
 },
 {
 "$ref": "#/parameters/AutomationRuleId"
- },
- {
- "$ref": "#/parameters/AutomationRule"
 }
 ],
 "responses": {
 "200": {
- "description": "OK",
+ "description": "Ok",
 "schema": {
- "$ref": "#/definitions/AutomationRule"
+ "type": "object"
 }
 },
- "201": {
- "description": "Created",
+ "204": {
+ "description": "No Content",
 "schema": {
- "$ref": "#/definitions/AutomationRule"
+ "type": "object"
 }
 },
 "default": {
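Review bot: The 204 response of `AutomationRules_Delete` in the hunk at -149 now declares `"schema": { "type": "object" }`, which contradicts a status that carries no body; generated clients may try to deserialize an empty payload. The old delete operation, removed in a later hunk, declared neither response with a schema. I would restore `"204": { "description": "No Content" }` and keep a schema on 200 only if the service really returns an object there. The same pattern appears on the 204 of `AutomationRules_ManualTriggerPlaybook` in the hunk at -200.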
@@ -173,19 +164,75 @@ "$ref": "../../../common/2.0/types.json#/definitions/CloudError" } } - } - }, - "delete": { + }, "x-ms-examples": { - "Delete an automation rule.": { - "$ref": "./examples/automationRules/DeleteAutomationRule.json" + "AutomationRules_Delete": { + "$ref": "./examples/automationRules/AutomationRules_Delete.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/automationRules": { + "get": { + "tags": [ + "automationRules" + ], + "description": "Gets all automation rules.", + "operationId": "AutomationRules_List", + "produces": [ + "application/json" + ], + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" + } + ], + "responses": { + "200": { + "description": "Ok", + "schema": { + "$ref": "#/definitions/AutomationRulesList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/2.0/types.json#/definitions/CloudError" + } } }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + }, + "x-ms-examples": { + "AutomationRules_List": { + "$ref": "./examples/automationRules/AutomationRules_List.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentIdentifier}/runPlaybook": { + "post": { "tags": [ - "Automation Rule" + "manualTrigger" + ], + "description": "Triggers playbook on a specific 
incident", + "operationId": "AutomationRules_ManualTriggerPlaybook", + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" ], - "description": "Delete the automation rule.", - "operationId": "AutomationRules_Delete", "parameters": [ { "$ref": "../../../../../common-types/resource-management/v3/types.json#/parameters/ApiVersionParameter" @@ -200,15 +247,25 @@ "$ref": "../../../common/2.0/types.json#/parameters/WorkspaceName" }, { - "$ref": "#/parameters/AutomationRuleId" + "in": "path", + "name": "incidentIdentifier", + "required": true, + "type": "string" + }, + { + "in": "body", + "name": "requestBody", + "schema": { + "$ref": "#/definitions/ManualTriggerRequestBody" + } } ], "responses": { - "200": { - "description": "OK" - }, "204": { - "description": "No Content" + "description": "Success", + "schema": { + "type": "object" + } }, "default": { "description": "Error response describing why the operation failed.", 
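Review bot: The `requestBody` parameter added in the hunk at -200 is not marked `"required": true`, and `ManualTriggerRequestBody` (defined in the last hunk) lists no required properties, so the contract accepts a run-playbook call that names neither a tenant nor a Logic App. For an operation that starts automation against an incident the spec should state which fields must be present; add `"required": true,` to the body parameter and, if the service needs both fields, a `required` list on the definition. The inline `incidentIdentifier` path parameter also has no `description`, unlike `AutomationRuleId`. The operation object opens in the previous hunk.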
@@ -216,277 +273,207 @@ "$ref": "../../../common/2.0/types.json#/definitions/CloudError" } } + }, + "x-ms-examples": { + "AutomationRules_ManualTriggerPlaybook": { + "$ref": "./examples/manualTrigger/AutomationRules_ManualTriggerPlaybook.json" + } } } } }, - "parameters": { - "AutomationRule": { - "description": "The automation rule", - "in": "body", - "name": "automationRule", - "required": true, - "schema": { - "$ref": "#/definitions/AutomationRule" - }, - "x-ms-parameter-location": "method" - }, - "AutomationRuleId": { - "description": "Automation rule ID", - "in": "path", - "name": "automationRuleId", - "required": true, - "type": "string", - "x-ms-parameter-location": "method" - } - }, "definitions": { + "ActionType": { + "description": "The type of the automation rule action", + "enum": [ + "ModifyProperties", + "RunPlaybook" + ], + "type": "string", + "example": "ModifyProperties", + "x-ms-enum": { + "name": "ActionType", + "modelAsString": true, + "values": [ + { + "value": "ModifyProperties", + "description": "Modify an object's properties" + }, + { + "value": "RunPlaybook", + "description": "Run a playbook on an object" + } + ] + } + }, "AutomationRule": { + "required": [ + "properties" + ], + "type": "object", "allOf": [ { "$ref": "../../../common/2.0/types.json#/definitions/ResourceWithEtag" } ], - "description": "Represents an automation rule.", "properties": { "properties": { + "type": "object", "$ref": "#/definitions/AutomationRuleProperties", - "description": "Automation rule properties", "x-ms-client-flatten": true } - }, - "type": "object" + } }, "AutomationRuleAction": { "description": "Describes an automation rule action", - "discriminator": "actionType", + "required": [ + "actionType", + "order" + ], + "type": "object", "properties": { "order": { - "description": "The order of execution of the automation rule action", - "type": "integer", - "format": "int32" + "format": "int32", + "type": "integer" }, "actionType": { - "description": "The type 
of the automation rule action", - "enum": [ - "ModifyProperties", - "RunPlaybook" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRuleActionType", - "values": [ - { - "description": "Modify an object's properties", - "value": "ModifyProperties" - }, - { - "description": "Run a playbook on an object", - "value": "RunPlaybook" - } - ] - } + "$ref": "#/definitions/ActionType" } }, - "required": [ - "order", - "actionType" - ], - "type": "object" + "discriminator": "actionType" }, "AutomationRuleCondition": { "description": "Describes an automation rule condition", - "discriminator": "conditionType", + "required": [ + "conditionType" + ], + "type": "object", "properties": { "conditionType": { - "description": "The type of the automation rule condition", - "enum": [ - "Property" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRuleConditionType", - "values": [ - { - "description": "Evaluate an object property value", - "value": "Property" - } - ] - } + "$ref": "#/definitions/ConditionType" } }, - "required": [ - "conditionType" + "discriminator": "conditionType" + }, + "AutomationRuleModifyPropertiesAction": { + "description": "Describes an automation rule action to modify an object's properties", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleAction" + } ], - "type": "object" + "properties": { + "actionConfiguration": { + "type": "object", + "x-ms-client-flatten": true, + "$ref": "#/definitions/IncidentPropertiesAction" + } + }, + "x-ms-discriminator-value": "ModifyProperties" }, "AutomationRuleProperties": { - "description": "Describes automation rule properties", + "description": "Automation rule properties", + "required": [ + "actions", + "displayName", + "order", + "triggeringLogic" + ], + "type": "object", "properties": { "displayName": { - "description": "The display name of the automation rule", + "description": "The display name of the automation rule", 
"type": "string" }, "order": { + "format": "int32", "description": "The order of execution of the automation rule", - "type": "integer", - "format": "int32" + "type": "integer" }, "triggeringLogic": { - "$ref": "#/definitions/AutomationRuleTriggeringLogic", - "description": "The triggering logic of the automation rule", - "type": "object" + "$ref": "#/definitions/AutomationRuleTriggeringLogic" }, "actions": { "description": "The actions to execute when the automation rule is triggered", + "type": "array", "items": { "$ref": "#/definitions/AutomationRuleAction" - }, - "type": "array" - }, - "createdTimeUtc": { - "description": "The time the automation rule was created", - "format": "date-time", - "readOnly": true, - "type": "string" + } }, "lastModifiedTimeUtc": { - "description": "The last time the automation rule was updated", "format": "date-time", - "readOnly": true, - "type": "string" + "description": "The last time the automation rule was updated", + "type": "string", + "readOnly": true }, - "createdBy": { - "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo", - "description": "Describes the client that created the automation rule", - "readOnly": true, - "type": "object" + "createdTimeUtc": { + "format": "date-time", + "description": "The time the automation rule was created", + "type": "string", + "readOnly": true }, "lastModifiedBy": { - "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo", - "description": "Describes the client that last updated the automation rule", "readOnly": true, - "type": "object" - } - }, - "required": [ - "displayName", - "order", - "triggeringLogic", - "actions" - ], - "type": "object" - }, - "AutomationRulesList": { - "description": "List all the automation rules.", - "properties": { - "nextLink": { - "description": "URL to fetch the next set of automation rules.", - "readOnly": true, - "type": "string" + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" }, - "value": { - "description": 
"Array of automation rules.", - "items": { - "$ref": "#/definitions/AutomationRule" - }, - "type": "array" + "createdBy": { + "readOnly": true, + "$ref": "../../../common/2.0/types.json#/definitions/ClientInfo" } - }, - "required": [ - "value" - ], - "type": "object" + } }, - "AutomationRuleRunPlaybookAction": { - "description": "Describes an automation rule action to run a playbook", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleAction" - } + "AutomationRulePropertyConditionSupportedOperator": { + "enum": [ + "Equals", + "NotEquals", + "Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" ], - "properties": { - "actionConfiguration": { - "description": "The configuration of the run playbook automation rule action", - "properties": { - "logicAppResourceId": { - "description": "The resource id of the playbook resource", - "type": "string" - }, - "tenantId": { - "description": "The tenant id of the playbook resource", - "type": "string" - } + "type": "string", + "example": "Equals", + "x-ms-enum": { + "name": "AutomationRulePropertyConditionSupportedOperator", + "modelAsString": true, + "values": [ + { + "value": "Equals", + "description": "Evaluates if the property equals at least one of the condition values" }, - "type": "object" - } - }, - "required": [ - "actionConfiguration" - ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "RunPlaybook" - }, - "AutomationRuleModifyPropertiesAction": { - "description": "Describes an automation rule action to modify an object's properties", - "allOf": [ - { - "$ref": "#/definitions/AutomationRuleAction" - } - ], - "properties": { - "actionConfiguration": { - "description": "The configuration of the modify properties automation rule action", - "properties": { - "classification": { - "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationEnum", - "description": "The reason the incident was closed", - "type": "string" - }, - 
"classificationComment": { - "description": "Describes the reason the incident was closed", - "type": "string" - }, - "classificationReason": { - "description": "The classification reason the incident was closed with", - "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationReasonEnum", - "type": "string" - }, - "labels": { - "description": "List of labels to add to the incident", - "items": { - "$ref": "./common/IncidentTypes.json#/definitions/IncidentLabel" - }, - "type": "array" - }, - "owner": { - "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo", - "description": "Describes a user that the incident is assigned to", - "type": "object" - }, - "severity": { - "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum", - "description": "The severity of the incident", - "type": "string" - }, - "status": { - "$ref": "./common/IncidentTypes.json#/definitions/IncidentStatusEnum", - "description": "The status of the incident", - "type": "string" - } + { + "value": "NotEquals", + "description": "Evaluates if the property does not equal any of the condition values" }, - "type": "object" - } - }, - "required": [ - "actionConfiguration" - ], - "x-ms-client-flatten": true, - "type": "object", - "x-ms-discriminator-value": "ModifyProperties" + { + "value": "Contains", + "description": "Evaluates if the property contains at least one of the condition values" + }, + { + "value": "NotContains", + "description": "Evaluates if the property does not contain any of the condition values" + }, + { + "value": "StartsWith", + "description": "Evaluates if the property starts with any of the condition values" + }, + { + "value": "NotStartsWith", + "description": "Evaluates if the property does not start with any of the condition values" + }, + { + "value": "EndsWith", + "description": "Evaluates if the property ends with any of the condition values" + }, + { + "value": "NotEndsWith", + "description": "Evaluates if the property does not 
end with any of the condition values" + } + ] + } }, "AutomationRulePropertyConditionSupportedProperty": { "description": "The property to evaluate in an automation rule property condition", @@ -495,8 +482,9 @@ "IncidentDescription", "IncidentSeverity", "IncidentStatus", - "IncidentTactics", "IncidentRelatedAnalyticRuleIds", + "IncidentTactics", + "IncidentLabel", "IncidentProviderName", "AccountAadTenantId", "AccountAadUserId", @@ -506,6 +494,7 @@ "AccountSid", "AccountObjectGuid", "AccountUPNSuffix", + "AlertProductNames", "AzureResourceResourceId", "AzureResourceSubscriptionId", "CloudApplicationAppId", 
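Review bot: In the hunk at -216, `AutomationRuleModifyPropertiesAction` no longer lists `actionConfiguration` under `required`, which the removed definition did, so an action with `actionType` `ModifyProperties` and no configuration now validates against the spec; `AutomationRuleRunPlaybookAction` and the `conditionProperties` of the property condition lose the same constraint in the hunk at -545. If these are still mandatory on the service side, keep `"required": [ "actionConfiguration" ]` on both action types. Separately, `"type": "object"` placed beside `"$ref"` (for example under `AutomationRule.properties.properties`) is ignored by tooling that follows JSON Reference, and the rewrite drops several descriptions (`AutomationRule`, `AutomationRuleAction.order`) that the generated documentation relied on. This hunk starts well before this line and the enum it ends in continues past it.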
@@ -545,367 +534,489 @@ "Url" ], "type": "string", + "example": "IncidentTitle", "x-ms-enum": { - "modelAsString": true, "name": "AutomationRulePropertyConditionSupportedProperty", + "modelAsString": true, "values": [ { - "description": "The title of the incident", - "value": "IncidentTitle" + "value": "IncidentTitle", + "description": "The title of the incident" + }, + { + "value": "IncidentDescription", + "description": "The description of the incident" + }, + { + "value": "IncidentSeverity", + "description": "The severity of the incident" }, { - "description": "The description of the incident", - "value": "IncidentDescription" + "value": "IncidentStatus", + "description": "The status of the incident" }, { - "description": "The severity of the incident", - "value": "IncidentSeverity" + "value": "IncidentRelatedAnalyticRuleIds", + "description": "The related Analytic rule ids of the incident" }, { - "description": "The status of the incident", - "value": "IncidentStatus" + "value": "IncidentTactics", + "description": "The tactics of the incident" }, { - "description": "The tactics of the incident", - "value": "IncidentTactics" + "value": "IncidentLabel", + "description": "The labels of the incident" }, { - "description": "The related Analytic rule ids of the incident", - "value": "IncidentRelatedAnalyticRuleIds" + "value": "IncidentProviderName", + "description": "The provider name of the incident" }, { - "description": "The provider name of the incident", - "value": "IncidentProviderName" + "value": "AccountAadTenantId", + "description": "The account Azure Active Directory tenant id" }, { - "description": "The account Azure Active Directory tenant id", - "value": "AccountAadTenantId" + "value": "AccountAadUserId", + "description": "The account Azure Active Directory user id" }, { - "description": "The account Azure Active Directory user id.", - "value": "AccountAadUserId" + "value": "AccountName", + "description": "The account name" }, { - "description": "The 
account name", - "value": "AccountName" + "value": "AccountNTDomain", + "description": "The account NetBIOS domain name" }, { - "description": "The account NetBIOS domain name", - "value": "AccountNTDomain" + "value": "AccountPUID", + "description": "The account Azure Active Directory Passport User ID" }, { - "description": "The account Azure Active Directory Passport User ID", - "value": "AccountPUID" + "value": "AccountSid", + "description": "The account security identifier" }, { - "description": "The account security identifier", - "value": "AccountSid" + "value": "AccountObjectGuid", + "description": "The account unique identifier" }, { - "description": "The account unique identifier", - "value": "AccountObjectGuid" + "value": "AccountUPNSuffix", + "description": "The account user principal name suffix" }, { - "description": "The account user principal name suffix", - "value": "AccountUPNSuffix" + "value": "AlertProductNames", + "description": "The name of the product of the alert" }, { - "description": "The Azure resource id", - "value": "AzureResourceResourceId" + "value": "AzureResourceResourceId", + "description": "The Azure resource id" }, { - "description": "The Azure resource subscription id", - "value": "AzureResourceSubscriptionId" + "value": "AzureResourceSubscriptionId", + "description": "The Azure resource subscription id" }, { - "description": "The cloud application identifier", - "value": "CloudApplicationAppId" + "value": "CloudApplicationAppId", + "description": "The cloud application identifier" }, { - "description": "The cloud application name", - "value": "CloudApplicationAppName" + "value": "CloudApplicationAppName", + "description": "The cloud application name" }, { - "description": "The dns record domain name", - "value": "DNSDomainName" + "value": "DNSDomainName", + "description": "The dns record domain name" }, { - "description": "The file directory full path", - "value": "FileDirectory" + "value": "FileDirectory", + "description": "The 
file directory full path" }, { - "description": "The file name without path", - "value": "FileName" + "value": "FileName", + "description": "The file name without path" }, { - "description": "The file hash value", - "value": "FileHashValue" + "value": "FileHashValue", + "description": "The file hash value" }, { - "description": "The host Azure resource id", - "value": "HostAzureID" + "value": "HostAzureID", + "description": "The host Azure resource id" }, { - "description": "The host name without domain", - "value": "HostName" + "value": "HostName", + "description": "The host name without domain" }, { - "description": "The host NetBIOS name", - "value": "HostNetBiosName" + "value": "HostNetBiosName", + "description": "The host NetBIOS name" }, { - "description": "The host NT domain", - "value": "HostNTDomain" + "value": "HostNTDomain", + "description": "The host NT domain" }, { - "description": "The host operating system", - "value": "HostOSVersion" + "value": "HostOSVersion", + "description": "The host operating system" }, { - "description": "The IoT device id", - "value": "IoTDeviceId" + "value": "IoTDeviceId", + "description": "\"The IoT device id" }, { - "description": "The IoT device name", - "value": "IoTDeviceName" + "value": "IoTDeviceName", + "description": "The IoT device name" }, { - "description": "The IoT device type", - "value": "IoTDeviceType" + "value": "IoTDeviceType", + "description": "The IoT device type" }, { - "description": "The IoT device vendor", - "value": "IoTDeviceVendor" + "value": "IoTDeviceVendor", + "description": "The IoT device vendor" }, { - "description": "The IoT device model", - "value": "IoTDeviceModel" + "value": "IoTDeviceModel", + "description": "The IoT device model" }, { - "description": "The IoT device operating system", - "value": "IoTDeviceOperatingSystem" + "value": "IoTDeviceOperatingSystem", + "description": "The IoT device operating system" }, { - "description": "The IP address", - "value": "IPAddress" + "value": 
"IPAddress", + "description": "The IP address" }, { - "description": "The mailbox display name", - "value": "MailboxDisplayName" + "value": "MailboxDisplayName", + "description": "The mailbox display name" }, { - "description": "The mailbox primary address", - "value": "MailboxPrimaryAddress" + "value": "MailboxPrimaryAddress", + "description": "The mailbox primary address" }, { - "description": "The mailbox user principal name", - "value": "MailboxUPN" + "value": "MailboxUPN", + "description": "The mailbox user principal name" }, { - "description": "The mail message delivery action", - "value": "MailMessageDeliveryAction" + "value": "MailMessageDeliveryAction", + "description": "The mail message delivery action" }, { - "description": "The mail message delivery location", - "value": "MailMessageDeliveryLocation" + "value": "MailMessageDeliveryLocation", + "description": "The mail message delivery location" }, { - "description": "The mail message recipient", - "value": "MailMessageRecipient" + "value": "MailMessageRecipient", + "description": "The mail message recipient" }, { - "description": "The mail message sender IP address", - "value": "MailMessageSenderIP" + "value": "MailMessageSenderIP", + "description": "The mail message sender IP address" }, { - "description": "The mail message subject", - "value": "MailMessageSubject" + "value": "MailMessageSubject", + "description": "The mail message subject" }, { - "description": "The mail message P1 sender", - "value": "MailMessageP1Sender" + "value": "MailMessageP1Sender", + "description": "The mail message P1 sender" }, { - "description": "The mail message P2 sender", - "value": "MailMessageP2Sender" + "value": "MailMessageP2Sender", + "description": "The mail message P2 sender" }, { - "description": "The malware category", - "value": "MalwareCategory" + "value": "MalwareCategory", + "description": "The malware category" }, { - "description": "The malware name", - "value": "MalwareName" + "value": "MalwareName", + 
"description": "The malware name" }, { - "description": "The process execution command line", - "value": "ProcessCommandLine" + "value": "ProcessCommandLine", + "description": "The process execution command line" }, { - "description": "The process id", - "value": "ProcessId" + "value": "ProcessId", + "description": "The process id" }, { - "description": "The registry key path", - "value": "RegistryKey" + "value": "RegistryKey", + "description": "The registry key path" }, { - "description": "The registry key value in string formatted representation", - "value": "RegistryValueData" + "value": "RegistryValueData", + "description": "The registry key value in string formatted representation" }, { - "description": "The url", - "value": "Url" + "value": "Url", + "description": "The url" } ] } }, "AutomationRulePropertyValuesCondition": { - "description": "Describes an automation rule condition that evaluates a property's value", + "type": "object", + "properties": { + "propertyName": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty" + }, + "operator": { + "$ref": "#/definitions/AutomationRulePropertyConditionSupportedOperator" + }, + "propertyValues": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "AutomationRuleRunPlaybookAction": { + "description": "Describes an automation rule action to run a playbook", + "type": "object", "allOf": [ { - "$ref": "#/definitions/AutomationRuleCondition" + "$ref": "#/definitions/AutomationRuleAction" } ], "properties": { - "conditionProperties": { - "description": "The configuration of the automation rule condition", - "properties": { - "propertyName": { - "$ref": "#/definitions/AutomationRulePropertyConditionSupportedProperty", - "description": "The property to evaluate" - }, - "operator": { - "description": "The operator to use for evaluation the condition", - "enum": [ - "Equals", - "NotEquals", - "Contains", - "NotContains", - "StartsWith", - "NotStartsWith", - "EndsWith", - 
"NotEndsWith" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "AutomationRulePropertyConditionSupportedOperator", - "values": [ - { - "description": "Evaluates if the property equals at least one of the condition values", - "value": "Equals" - }, - { - "description": "Evaluates if the property does not equal any of the condition values", - "value": "NotEquals" - }, - { - "description": "Evaluates if the property contains at least one of the condition values", - "value": "Contains" - }, - { - "description": "Evaluates if the property does not contain any of the condition values", - "value": "NotContains" - }, - { - "description": "Evaluates if the property starts with any of the condition values", - "value": "StartsWith" - }, - { - "description": "Evaluates if the property does not start with any of the condition values", - "value": "NotStartsWith" - }, - { - "description": "Evaluates if the property ends with any of the condition values", - "value": "EndsWith" - }, - { - "description": "Evaluates if the property does not end with any of the condition values", - "value": "NotEndsWith" - } - ] - } - }, - "propertyValues": { - "description": "The values to use for evaluating the condition", - "items": { - "description": "A value to use for evaluating the condition", - "type": "string" - }, - "type": "array" - } - }, - "type": "object" + "actionConfiguration": { + "type": "object", + "x-ms-client-flatten": true, + "$ref": "#/definitions/PlaybookActionProperties" } }, - "required": [ - "conditionProperties" - ], - "x-ms-client-flatten": true, + "x-ms-discriminator-value": "RunPlaybook" + }, + "AutomationRulesList": { "type": "object", - "x-ms-discriminator-value": "Property" + "properties": { + "value": { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRule" + } + }, + "nextLink": { + "type": "string" + } + } }, "AutomationRuleTriggeringLogic": { "description": "Describes automation rule triggering logic", + "required": [ 
+ "isEnabled", + "triggersOn", + "triggersWhen" + ], + "type": "object", "properties": { "isEnabled": { - "description": "Determines whether the automation rule is enabled or disabled.", + "description": "Determines whether the automation rule is enabled or disabled", "type": "boolean" }, "expirationTimeUtc": { - "description": "Determines when the automation rule should automatically expire and be disabled.", "format": "date-time", + "description": "Determines when the automation rule should automatically expire and be disabled.", "type": "string" }, "triggersOn": { - "description": "The type of object the automation rule triggers on", - "enum": [ - "Incidents" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TriggersOn", - "values": [ - { - "description": "Trigger on Incidents", - "value": "Incidents" - } - ] - } + "$ref": "#/definitions/triggersOn" }, "triggersWhen": { - "description": "The type of event the automation rule triggers on", - "enum": [ - "Created" - ], - "type": "string", - "x-ms-enum": { - "modelAsString": true, - "name": "TriggersWhen", - "values": [ - { - "description": "Trigger on created objects", - "value": "Created" - } - ] - } + "$ref": "#/definitions/triggersWhen" }, "conditions": { "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object", + "type": "array", "items": { "$ref": "#/definitions/AutomationRuleCondition" - }, - "type": "array" + } + } + } + }, + "ConditionType": { + "enum": [ + "Property" + ], + "type": "string", + "example": "Property", + "x-ms-enum": { + "name": "ConditionType", + "modelAsString": true, + "values": [ + { + "value": "Property", + "description": "Evaluate an object property value" + } + ] + } + }, + "IncidentPropertiesAction": { + "type": "object", + "properties": { + "severity": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentSeverityEnum" + }, + "status": { + "$ref": 
"./common/IncidentTypes.json#/definitions/IncidentStatusEnum" + }, + "classification": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationEnum" + }, + "classificationReason": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentClassificationReasonEnum" + }, + "classificationComment": { + "description": "Describes the reason the incident was closed", + "type": "string" + }, + "owner": { + "$ref": "#/definitions/IncidentPropertiesActionOwnerInfo" + }, + "labels": { + "description": "List of labels to add to the incident", + "type": "array", + "x-ms-identifiers": [ + "labelName" + ], + "items": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentLabel" + } + } + } + }, + "IncidentPropertiesActionOwnerInfo": { + "$ref": "./common/IncidentTypes.json#/definitions/IncidentOwnerInfo" + }, + "ManualTriggerRequestBody": { + "type": "object", + "properties": { + "tenantId": { + "format": "uuid", + "type": "string" + }, + "logicAppsResourceId": { + "type": "string" + } + } + }, + "PlaybookActionProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "description": "The resource id of the playbook resource", + "type": "string" + }, + "tenantId": { + "format": "uuid", + "description": "The tenant id of the playbook resource", + "type": "string" + } + } + }, + "PropertyConditionProperties": { + "description": "Describes an automation rule condition that evaluates a property's value", + "type": "object", + "allOf": [ + { + "$ref": "#/definitions/AutomationRuleCondition" + } + ], + "properties": { + "conditionProperties": { + "type": "object", + "x-ms-client-flatten": true, + "$ref": "#/definitions/AutomationRulePropertyValuesCondition" } }, - "required": [ - "isEnabled", - "triggersOn", - "triggersWhen" + "x-ms-discriminator-value": "Property" + }, + "triggersOn": { + "enum": [ + "Incidents" ], - "type": "object" + "type": "string", + "example": "Incidents", + "x-ms-enum": { + "name": "triggersOn", + 
"modelAsString": true, + "values": [ + { + "value": "Incidents", + "description": "Trigger on Incidents" + } + ] + } + }, + "triggersWhen": { + "enum": [ + "Created" + ], + "type": "string", + "example": "Created", + "x-ms-enum": { + "name": "triggersWhen", + "modelAsString": true, + "values": [ + { + "value": "Created", + "description": "Trigger on created objects" + } + ] + } } - } + }, + "parameters": { + "AutomationRule": { + "name": "automationRule", + "description": "The automation rule", + "required": true, + "in": "body", + "x-ms-parameter-location": "method", + "schema": { + "$ref": "#/definitions/AutomationRule" + } + }, + "AutomationRuleId": { + "in": "path", + "name": "automationRuleId", + "description": "Automation rule ID", + "required": true, + "x-ms-parameter-location": "method", + "type": "string" + } + }, + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "flow": "implicit", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "scopes": { + "user_impersonation": "impersonate your user account" + }, + "description": "Azure Active Directory OAuth2 Flow" + } + }, + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "consumes": [ + "application/json" + ] } diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/common/IncidentTypes.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/common/IncidentTypes.json index 2f78e4e96b20..b7c350d0b110 100644 --- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/common/IncidentTypes.json +++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/common/IncidentTypes.json 
@@ -78,27 +78,7 @@
 "type": "string"
 },
 "labelType": {
- "description": "The type of the label",
- "enum": [
- "User",
- "System"
- ],
- "type": "string",
- "readOnly": true,
- "x-ms-enum": {
- "modelAsString": true,
- "name": "IncidentLabelType",
- "values": [
- {
- "description": "Label manually created by a user",
- "value": "User"
- },
- {
- "description": "Label automatically created by the system",
- "value": "System"
- }
- ]
- }
+ "$ref": "#/definitions/IncidentLabelType"
 }
 },
 "required": [
@@ -106,6 +86,29 @@
 ],
 "type": "object"
 },
+ "IncidentLabelType": {
+ "description": "The type of the label",
+ "enum": [
+ "User",
+ "System"
+ ],
+ "type": "string",
+ "readOnly": true,
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "IncidentLabelType",
+ "values": [
+ {
+ "description": "Label manually created by a user",
+ "value": "User"
+ },
+ {
+ "description": "Label automatically created by the system",
+ "value": "System"
+ }
+ ]
+ }
+ },
 "IncidentSeverityEnum": {
 "description": "The severity of the incident",
 "enum": [
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/CreateAutomationRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json
similarity index 70%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/CreateAutomationRule.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json
index 48eb720b4caa..48911abd9d83 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/CreateAutomationRule.json
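Review bot: `"readOnly": true` moves off the `labelType` property and onto the shared `IncidentLabelType` definition added in the second hunk (`@@ -106,6 +86,29 @@`), leaving the property in the first hunk as a bare `$ref`. OpenAPI 2.0 describes `readOnly` as relevant only to schema property definitions, so a generator may stop treating `labelType` as server-assigned and expose it as settable, including the `System` value. It is worth confirming that generated models still mark `labelType` read-only; if they do not, `readOnly` should stay on the `labelType` property rather than on the reusable enum. The `IncidentLabel` definition starts above the first hunk, so its other properties are not visible here.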
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_CreateOrUpdate.json
@@ -6,10 +6,13 @@
 "workspaceName": "myWorkspace",
 "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "automationRule": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "order": 1,
 "displayName": "High severity incidents escalation",
+ "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
 "triggersOn": "Incidents",
@@ -35,43 +38,35 @@
 "actionConfiguration": {
 "severity": "High"
 }
- },
- {
- "order": 2,
- "actionType": "RunPlaybook",
- "actionConfiguration": {
- "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
- "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"
- }
 }
- ]
+ ],
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdTimeUtc": "2019-01-01T13:00:00Z",
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ },
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ }
 }
 }
 },
 "responses": {
 "200": {
 "body": {
- "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "type": "Microsoft.SecurityInsights/incidents",
- "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "order": 1,
 "displayName": "High severity incidents escalation",
- "createdTimeUtc": "2021-09-01T13:00:30Z",
- "lastModifiedTimeUtc": "2021-09-01T13:00:30Z",
- "createdBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
- "lastModifiedBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
+ "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
 "triggersOn": "Incidents",
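Review bot: The request payload under `parameters.automationRule` now carries `createdBy`, `lastModifiedBy`, `createdTimeUtc` and `lastModifiedTimeUtc` (plus `id`, `name` and `type` from the first hunk of this file), fields that previously appeared only in the response bodies and look like values the service assigns. An example that sends audit attribution in a PUT body tells SDK users those fields are caller-controlled. Their schema is outside this hunk, but if they are declared `readOnly` the request example should omit them and keep them only in the `200`/`201` bodies. The response `etag` also changes to the same `...5c37296e0000` value the request sends, so the example no longer shows the etag changing after a write; the `201` body in the next hunk has the same change.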
@@ -97,42 +92,34 @@
 "actionConfiguration": {
 "severity": "High"
 }
- },
- {
- "order": 2,
- "actionType": "RunPlaybook",
- "actionConfiguration": {
- "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
- "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"
- }
 }
- ]
+ ],
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdTimeUtc": "2019-01-01T13:00:00Z",
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ },
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ }
 }
 }
 },
 "201": {
 "body": {
- "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "type": "Microsoft.SecurityInsights/incidents",
- "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "order": 1,
 "displayName": "High severity incidents escalation",
- "createdTimeUtc": "2021-09-01T13:00:30Z",
- "lastModifiedTimeUtc": "2021-09-01T13:00:30Z",
- "createdBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
- "lastModifiedBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
+ "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
 "triggersOn": "Incidents",
@@ -158,16 +145,22 @@
 "actionConfiguration": {
 "severity": "High"
 }
- },
- {
- "order": 2,
- "actionType": "RunPlaybook",
- "actionConfiguration": {
- "tenantId": "ee48efaf-50c6-411b-9345-b2bdc3eb4abc",
- "logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/IncidentPlaybook"
- }
 }
- ]
+ ],
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdTimeUtc": "2019-01-01T13:00:00Z",
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ },
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ }
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/DeleteAutomationRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_Delete.json
similarity index 79%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/DeleteAutomationRule.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_Delete.json
index dcac90840b79..8fa82c1486f9 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/DeleteAutomationRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_Delete.json
@@ -7,7 +7,11 @@
 "automationRuleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
 },
 "responses": {
- "200": {},
- "204": {}
+ "200": {
+ "body": {}
+ },
+ "204": {
+ "body": {}
+ }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/GetAutomationRule.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_Get.json
similarity index 59%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/GetAutomationRule.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_Get.json
index be4951133e80..964891b64a52 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/GetAutomationRule.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_Get.json
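Review bot: The `204` entry now documents `"body": {}`, but a 204 No Content response carries no payload, so the previous `"204": {}` described the wire behaviour more accurately and I would keep it. The manual-trigger example added later in this commit does the same for its `204`. Whether `"200": { "body": {} }` is right depends on the delete operation declaring a schema for `200`, which is not visible in this hunk; if it declares none, `"200": {}` is the closer match as well.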
@@ -9,27 +9,13 @@
 "responses": {
 "200": {
 "body": {
- "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "type": "Microsoft.SecurityInsights/incidents",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "order": 1,
 "displayName": "High severity incidents escalation",
- "createdTimeUtc": "2021-09-01T13:00:30Z",
- "lastModifiedTimeUtc": "2021-09-01T13:00:30Z",
- "createdBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
- "lastModifiedBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
+ "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
 "triggersOn": "Incidents",
@@ -38,20 +24,11 @@
 {
 "conditionType": "Property",
 "conditionProperties": {
- "propertyName": "IncidentTitle",
+ "propertyName": "IncidentRelatedAnalyticRuleIds",
 "operator": "Contains",
 "propertyValues": [
- "logon failure"
- ]
- }
- },
- {
- "conditionType": "Property",
- "conditionProperties": {
- "propertyName": "HostName",
- "operator": "Equals",
- "propertyValues": [
- "TestVM"
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
+ "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
 ]
 }
 }
@@ -62,12 +39,24 @@
 "order": 1,
 "actionType": "ModifyProperties",
 "actionConfiguration": {
- "status": "Closed",
- "classification": "BenignPositive",
- "classificationReason": "SuspiciousButExpected"
+ "severity": "High"
 }
 }
- ]
+ ],
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdTimeUtc": "2019-01-01T13:00:00Z",
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ },
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ }
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/GetAllAutomationRules.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_List.json
similarity index 86%
rename from specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/GetAllAutomationRules.json
rename to specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_List.json
index 9349bdd4b51e..b51b48bbf628 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/GetAllAutomationRules.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/automationRules/AutomationRules_List.json
@@ -3,8 +3,7 @@
 "api-version": "2021-10-01-preview",
 "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
 "resourceGroupName": "myRg",
- "workspaceName": "myWorkspace",
- "$top": 1
+ "workspaceName": "myWorkspace"
 },
 "responses": {
 "200": {
@@ -13,25 +12,11 @@
 {
 "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/automationRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
 "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
- "type": "Microsoft.SecurityInsights/automationRules",
 "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "type": "Microsoft.SecurityInsights/automationRules",
 "properties": {
- "order": 1,
 "displayName": "High severity incidents escalation",
- "createdTimeUtc": "2021-09-01T13:00:30Z",
- "lastModifiedTimeUtc": "2021-09-01T13:00:30Z",
- "createdBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
- "lastModifiedBy": {
- "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
- "email": "john.doe@contoso.com",
- "userPrincipalName": "john@contoso.com",
- "name": "john doe"
- },
+ "order": 1,
 "triggeringLogic": {
 "isEnabled": true,
 "triggersOn": "Incidents",
@@ -58,7 +43,21 @@
 "severity": "High"
 }
 }
- ]
+ ],
+ "lastModifiedTimeUtc": "2019-01-01T13:00:30Z",
+ "createdTimeUtc": "2019-01-01T13:00:00Z",
+ "lastModifiedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ },
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john.doe@contoso.com",
+ "name": "john doe",
+ "userPrincipalName": "john@contoso.com"
+ }
 }
 }
 ]
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/manualTrigger/AutomationRules_ManualTriggerPlaybook.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/manualTrigger/AutomationRules_ManualTriggerPlaybook.json
new file mode 100644
index 000000000000..c6a417834c45
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-10-01-preview/examples/manualTrigger/AutomationRules_ManualTriggerPlaybook.json
@@ -0,0 +1,18 @@
+{
+ "parameters": {
+ "api-version": "2021-10-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "incidentIdentifier": "73e01a99-5cd7-4139-a149-9f2736ff2ar4",
+ "manualTriggerRequestBody": {
+ "logicAppsResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/my-playbook-name",
+ "tenantId": "qwere6b2-9ac0-4464-9919-dccaee2e4ddd"
+ }
+ },
+ "responses": {
+ "204": {
+ "body": {}
+ }
+ }
+}
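Review bot: `tenantId` is `qwere6b2-9ac0-4464-9919-dccaee2e4ddd` and `incidentIdentifier` ends in `...9f2736ff2ar4`; both contain non-hexadecimal characters, so neither is a well-formed GUID, while `ManualTriggerRequestBody.tenantId` is declared with `"format": "uuid"` in AutomationRules.json. Example validation that enforces `format` would reject this file, and a request copied from it is unlikely to be accepted. A well-formed sample such as `"tenantId": "00000000-0000-0000-0000-000000000000"` (constructed placeholder) avoids that. The body key `logicAppsResourceId` also differs from `logicAppResourceId` in `PlaybookActionProperties`, and `ManualTriggerRequestBody` lists no `required` members, so a body that omits the playbook id or the tenant would still validate; a `required` list and property descriptions there would make the contract for choosing which playbook runs explicit.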