diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
new file mode 100644
index 000000000000..87b002a47d20
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
@@ -0,0 +1,337 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Center",
+ "description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
+ "version": "2019-01-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "security": [
+ {
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }
+ ],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules": {
+ "get": {
+ "x-ms-examples": {
+ "Get suppression rules for subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json"
+ },
+ "Get suppression alert rule for subscription, filtered by AlertType": {
+ "$ref": "./examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json"
+ }
+ },
+ "tags": [
+ "AlertsSuppressionRules"
+ ],
+ "description": "List of all the dismiss rules for the given subscription",
+ "operationId": "AlertsSuppressionRules_List",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AlertType"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AlertsSuppressionRulesList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}": {
+ "get": {
+ "x-ms-examples": {
+ "Get suppression alert rule for subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json"
+ }
+ },
+ "tags": [
+ "AlertsSuppressionRules"
+ ],
+ "description": "Get dismiss rule, with name: {alertsSuppressionRuleName}, for the given subscription",
+ "operationId": "AlertsSuppressionRules_Get",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AlertsSuppressionRuleName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AlertsSuppressionRule"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Update or create suppression rule for subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json"
+ }
+ },
+ "tags": [
+ "AlertsSuppressionRules"
+ ],
+ "description": "Update existing rule or create new rule if it doesn't exist",
+ "operationId": "AlertsSuppressionRules_Update",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AlertsSuppressionRuleName"
+ },
+ {
+ "$ref": "#/parameters/AlertsSuppressionRule"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AlertsSuppressionRule"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete suppression rule data for a subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json"
+ }
+ },
+ "tags": [
+ "AlertsSuppressionRules"
+ ],
+ "description": "Delete dismiss alert rule for this subscription.",
+ "operationId": "AlertsSuppressionRules_Delete",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AlertsSuppressionRuleName"
+ }
+ ],
+ "responses": {
+ "204": {
+ "description": "OK, No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "definitions": {
+ "AlertsSuppressionRulesList": {
+ "type": "object",
+ "description": "Suppression rules list for subscription.",
+ "properties": {
+ "value": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AlertsSuppressionRule"
+ }
+ },
+ "nextLink": {
+ "readOnly": true,
+ "type": "string",
+ "description": "URI to fetch the next page."
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "AlertsSuppressionRule": {
+ "type": "object",
+ "description": "Describes the suppression rule",
+ "properties": {
+ "properties": {
+ "x-ms-client-flatten": true,
+ "$ref": "#/definitions/AlertsSuppressionRuleProperties"
+ }
+ },
+ "allOf": [
+ {
+ "$ref": "../../../common/v1/types.json#/definitions/Resource"
+ }
+ ]
+ },
+ "AlertsSuppressionRuleProperties": {
+ "type": "object",
+ "description": "describes AlertsSuppressionRule properties",
+ "properties": {
+ "alertType": {
+ "type": "string",
+ "description": "Type of the alert to automatically suppress. For all alert types, use '*'"
+ },
+ "lastModifiedUtc": {
+ "readOnly": true,
+ "type": "string",
+ "format": "date-time",
+ "description": "The last time this rule was modified"
+ },
+ "expirationDateUtc": {
+ "type": "string",
+ "format": "date-time",
+ "description": "Expiration date of the rule, if value is not provided or provided as null this field will default to the maximum allowed expiration date."
+ },
+ "reason": {
+ "type": "string",
+ "description": "The reason for dismissing the alert"
+ },
+ "state": {
+ "type": "string",
+ "description": "Possible states of the rule",
+ "x-ms-enum": {
+ "name": "RuleState"
+ },
+ "enum": [
+ "Enabled",
+ "Disabled",
+ "Expired"
+ ]
+ },
+ "comment": {
+ "type": "string",
+ "description": "Any comment regarding the rule"
+ },
+ "suppressionAlertsScope": {
+ "type": "object",
+ "description": "The suppression conditions",
+ "$ref": "#/definitions/SuppressionAlertsScope"
+ }
+ },
+ "required": [
+ "alertType",
+ "reason",
+ "state"
+ ]
+ },
+ "ScopeElement": {
+ "type": "object",
+ "additionalProperties": true,
+ "description": "A more specific scope used to identify the alerts to suppress.",
+ "properties": {
+ "field": {
+ "type": "string",
+ "description": "The alert entity type to suppress by."
+ }
+ }
+ },
+ "SuppressionAlertsScope": {
+ "type": "object",
+ "properties": {
+ "allOf": {
+ "type": "array",
+ "description": "All the conditions inside need to be true in order to suppress the alert",
+ "items": {
+ "$ref": "#/definitions/ScopeElement"
+ }
+ }
+ },
+ "required": [
+ "allOf"
+ ]
+ }
+ },
+ "parameters": {
+ "AlertType": {
+ "name": "AlertType",
+ "in": "query",
+ "type": "string",
+ "description": "Type of the alert to get rules for",
+ "x-ms-parameter-location": "method"
+ },
+ "AlertsSuppressionRule": {
+ "name": "alertsSuppressionRule",
+ "in": "body",
+ "required": true,
+ "description": "Suppression rule object",
+ "schema": {
+ "$ref": "#/definitions/AlertsSuppressionRule"
+ },
+ "x-ms-parameter-location": "method"
+ },
+ "AlertsSuppressionRuleName": {
+ "name": "alertsSuppressionRuleName",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "description": "The unique name of the suppression alert rule",
+ "x-ms-parameter-location": "method"
+ }
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json
new file mode 100644
index 000000000000..d8663e727d45
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json
@@ -0,0 +1,10 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "alertsSuppressionRuleName": "dismissIpAnomalyAlerts"
+ },
+ "responses": {
+ "204": {}
+ }
+}
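Review bot: In `AlertsSuppressionRuleProperties.suppressionAlertsScope` the `type` and `description` keywords sit beside `$ref`, which Swagger 2.0 ignores, so the "The suppression conditions" text is lost (move it onto `SuppressionAlertsScope` or wrap the reference in `allOf`), and `ScopeElement` models only `field` under `additionalProperties: true`, so the `in` and `contains` operators every example relies on have no schema at all. Because `suppressionAlertsScope` is not in `required` and `alertType` accepts `'*'`, the schema admits a rule that dismisses every alert in the subscription with no condition, which the `alertType` description should state plainly, e.g. `"description": "Type of the alert to automatically suppress. For all alert types, use '*'. A rule with '*' and no suppressionAlertsScope suppresses every alert in the subscription."`. `expirationDateUtc` likewise says it defaults to "the maximum allowed expiration date" without naming it, which a consumer deciding how long alerts stay hidden would want spelled out. `reason` is a free string although every example in this commit uses `FalsePositive`; if it is a closed set an `x-ms-enum` would make that visible to SDK users.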
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json new file mode 100644 index 000000000000..67228151c5fa --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json @@ -0,0 +1,39 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "alertsSuppressionRuleName": "dismissIpAnomalyAlerts" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts", + "name": "dismissIpAnomalyAlerts", + "type": "Microsoft.Security/alertsSuppressionRules", + "properties": { + "alertType": "IpAnomaly", + "lastModifiedUtc": "2019-07-31T19:50:47.083633Z", + "expirationDateUtc": "2019-12-01T19:50:47.083633Z", + "state": "Enabled", + "reason": "FalsePositive", + "comment": "Test VM", + "suppressionAlertsScope": { + "allOf": [ + { + "field": "entities.ip.address", + "in": [ + "104.215.95.187", + "52.164.206.56" + ] + }, + { + "field": "entities.process.commandline", + "contains": "POWERSHELL.EXE" + } + ] + } + } + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json new file mode 100644 index 000000000000..a12282315400 --- /dev/null 
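Review bot: The `in` list for `entities.ip.address` uses routable public addresses (`104.215.95.187`, `52.164.206.56`) while the alerts examples added in the same commit use the reserved documentation range (`192.0.2.1`); example fixtures end up in generated SDK samples and docs, so these should use documentation addresses too, e.g. `"in": ["192.0.2.10", "192.0.2.11"]`. The same two values are repeated in the WithAlertType, list and PUT examples that follow, so they should be changed together.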
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json @@ -0,0 +1,43 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "alertType": "IpAnomaly" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts", + "name": "dismissIpAnomalyAlerts", + "type": "Microsoft.Security/alertsSuppressionRules", + "properties": { + "alertType": "IpAnomaly", + "lastModifiedUtc": "2019-07-31T19:50:47.083633Z", + "expirationDateUtc": "2019-12-01T19:50:47.083633Z", + "state": "Enabled", + "reason": "FalsePositive", + "comment": "Test VM", + "suppressionAlertsScope": { + "allOf": [ + { + "field": "entities.ip.address", + "in": [ + "104.215.95.187", + "52.164.206.56" + ] + }, + { + "field": "entities.process.commandline", + "contains": "POWERSHELL.EXE" + } + ] + } + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json new file mode 100644 index 000000000000..493b914255bf --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json 
@@ -0,0 +1,54 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts", + "name": "dismissIpAnomalyAlerts", + "type": "Microsoft.Security/alertsSuppressionRules", + "properties": { + "alertType": "IpAnomaly", + "lastModifiedUtc": "2019-07-31T19:50:47.083633Z", + "expirationDateUtc": "2019-12-01T19:50:47.083633Z", + "state": "Enabled", + "reason": "FalsePositive", + "comment": "Test VM", + "suppressionAlertsScope": { + "allOf": [ + { + "field": "entities.ip.address", + "in": [ + "104.215.95.187", + "52.164.206.56" + ] + }, + { + "field": "entities.process.commandline", + "contains": "POWERSHELL.EXE" + } + ] + } + } + }, + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissDataExfiltrationAnomalyAlertsOnTestVMs", + "name": "dismissDataExfiltrationAnomalyAlertsOnTestVMs", + "type": "Microsoft.Security/alertsSuppressionRules", + "properties": { + "alertType": "DataExfiltrationAnomaly", + "lastModifiedUtc": "2019-07-31T19:50:47.083633Z", + "expirationDateUtc": "2019-12-01T19:50:47.083633Z", + "state": "Enabled", + "reason": "FalsePositive" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json new file mode 100644 index 000000000000..efd66de8a29d --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json 
@@ -0,0 +1,63 @@ +{ + "parameters": { + "api-version": "2019-01-01-preview", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "alertsSuppressionRuleName": "dismissIpAnomalyAlerts", + "alertsSuppressionRule": { + "properties": { + "alertType": "IpAnomaly", + "expirationDateUtc": "2019-12-01T19:50:47.083633Z", + "state": "Enabled", + "reason": "FalsePositive", + "comment": "Test VM", + "suppressionAlertsScope": { + "allOf": [ + { + "field": "entities.ip.address", + "in": [ + "104.215.95.187", + "52.164.206.56" + ] + }, + { + "field": "entities.process.commandline", + "contains": "POWERSHELL.EXE" + } + ] + } + } + } + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts", + "name": "dismissIpAnomalyAlerts", + "type": "Microsoft.Security/alertsSuppressionRules", + "properties": { + "alertType": "IpAnomaly", + "lastModifiedUtc": "2019-07-31T19:50:47.083633Z", + "expirationDateUtc": "2019-12-01T19:50:47.083633Z", + "state": "Enabled", + "reason": "FalsePositive", + "comment": "Test VM", + "suppressionAlertsScope": { + "allOf": [ + { + "field": "entities.ip.address", + "in": [ + "104.215.95.187", + "52.164.206.56" + ] + }, + { + "field": "entities.process.commandline", + "contains": "POWERSHELL.EXE" + } + ] + } + } + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json index 5f1aeadddebe..cc3894b377cb 100644 --- a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json 
@@ -39,6 +39,9 @@
 "x-ms-examples": {
 "Get security alerts on a subscription": {
 "$ref": "./examples/Alerts/GetAlertsSubscription_example.json"
+ },
+ "Get security alerts, that were affected by auto dismiss rule, on a subscription": {
+ "$ref": "./examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -61,6 +64,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -87,6 +93,9 @@
 "x-ms-examples": {
 "Get security alerts on a resource group": {
 "$ref": "./examples/Alerts/GetAlertsResourceGroup_example.json"
+ },
+ "Get security alerts, that should be dismissed by auto dismiss rule, on a resource group": {
+ "$ref": "./examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -112,6 +121,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -138,6 +150,9 @@
 "x-ms-examples": {
 "Get security alerts on a subscription from a security data location": {
 "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocation_example.json"
+ },
+ "Get security alerts, that should be dismissed by auto dismiss rule, on a subscription from a security data location": {
+ "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -163,6 +178,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -189,6 +207,9 @@
 "x-ms-examples": {
 "Get security alerts on a resource group from a security data location": {
 "$ref": "./examples/Alerts/GetAlertsResourceGroupLocation_example.json"
+ },
+ "Get security alerts, that should be dismissed by auto dismiss rule, on a resource group from a security data location": {
+ "$ref": "./examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -217,6 +238,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -739,6 +763,13 @@
 "type": "string",
 "description": "Name of the alert object",
 "x-ms-parameter-location": "method"
+ },
+ "AutoDismissRuleName": {
+ "name": "autoDismissRuleName",
+ "in": "query",
+ "type": "string",
+ "description": "The name of an existing auto dismiss rule. Use it to simulate the rule on existing alerts and get the alerts that would have been dismissed if the rule was enabled when the alert was created",
+ "x-ms-parameter-location": "method"
 }
 }
 }
diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json
new file mode 100644
index 000000000000..0815c5f5bd32
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json
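Review bot: The new `AutoDismissRuleName` parameter is exposed as `autoDismissRuleName` although the resource it points at is `alertsSuppressionRules/{alertsSuppressionRuleName}` in the preview spec added by this same commit, so clients meet two names for one concept; either name it `alertsSuppressionRuleName` or say in the description that it is the name of an alertsSuppressionRule. The description also leaves open what a caller gets when the named rule does not exist in the subscription, which matters for a simulation endpoint; presumably the `default` CloudError response applies, but the hunk does not say, so add a sentence such as `Fails with an error if no rule with this name exists in the subscription.` only if that is the service behaviour. The example titles in the earlier hunks of this file are inconsistent as well: the first says "that were affected by auto dismiss rule" while the other three say "that should be dismissed by auto dismiss rule". The enclosing `parameters` object and the four operations the earlier hunks touch continue outside the hunks.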
@@ -0,0 +1,86 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "ascLocation": "westeurope", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": 
"gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json new file mode 100644 index 000000000000..55f3b45eb732 --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json 
@@ -0,0 +1,85 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + 
"city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json new file mode 100644 index 000000000000..85011eda2695 --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json 
@@ -0,0 +1,84 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + 
"longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json new file mode 100644 index 000000000000..3b7698a86967 --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json 
@@ -0,0 +1,85 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "ascLocation": "westeurope",
+ "autoDismissRuleName": "dismissThreatIntelligence"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
+ "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
+ "type": "Microsoft.Security/Locations/alerts",
+ "properties": {
+ "vendorName": "Microsoft",
+ "alertDisplayName": "Threat Intelligence Alert",
+ "alertName": "ThreatIntelligence",
+ "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
+ "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
+ "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
+ "actionTaken": "Detected",
+ "reportedSeverity": "High",
+ "compromisedEntity": "vm1",
+ "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
+ "extendedProperties": {
+ "user Name": "administrator",
+ "domain Name": "Contoso",
+ "attacker IP": "192.0.2.1",
+ "resourceType": "Virtual Machine"
+ },
+ "state": "Dismissed",
+ "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
+ "confidenceScore": 0.8,
+ "confidenceReasons": [
+ {
+ "type": "User",
+ "reason": "Some user reason"
+ },
+ {
+ "type": "Process",
+ "reason": "Some proccess reason"
+ },
+ {
+ "type": "Computer",
+ "reason": "Some computer reason"
+ }
+ ],
+ "canBeInvestigated": true,
+ "isIncident": false,
+ "entities": [
+ {
+ "address": "192.0.2.1",
+ "location": {
+ "countryCode": "gb",
+ "state": "wokingham",
+ "city": "sonning",
+ "longitude": -0.909,
+ "latitude": 51.468,
+ "asn": 6584
+ },
+ "threatIntelligence": [
+ {
+ "providerName": "Team Cymru",
+ "threatType": "C2",
+ "threatName": "rarog",
+ "confidence": 0.8,
+ "reportLink": "http://www.microsoft.com",
+ "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
+ }
+ ],
+ "type": "ip"
+ }
+ ],
+ "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk="
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md
index 4c9f60ada878..cfc3dd4c612c 100644
--- a/specification/security/resource-manager/readme.md
+++ b/specification/security/resource-manager/readme.md
@@ -82,6 +82,7 @@ input-file:
 - Microsoft.Security/preview/2015-06-01-preview/topologies.json
 - Microsoft.Security/preview/2015-06-01-preview/allowedConnections.json
 - Microsoft.Security/preview/2015-06-01-preview/adaptiveNetworkHardenings.json
+- Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
 
 # Needed when there is more than one input file
 override-info:
@@ -119,6 +120,7 @@ input-file:
 - Microsoft.Security/preview/2015-06-01-preview/topologies.json
 - Microsoft.Security/preview/2015-06-01-preview/allowedConnections.json
 - Microsoft.Security/preview/2015-06-01-preview/adaptiveNetworkHardenings.json
+- Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
 
 # Needed when there is more than one input file
 override-info:
@@ -151,6 +153,7 @@ input-file:
 - Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json
 - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
 - Microsoft.Security/preview/2019-01-01-preview/automations.json
+- Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
 - Microsoft.Security/stable/2020-01-01/assessmentMetadata.json
 - Microsoft.Security/stable/2020-01-01/assessments.json
 - Microsoft.Security/stable/2020-01-01/applicationWhitelistings.json
@@ -220,6 +223,7 @@ These settings apply only when `--tag=package-2019-01-preview-only` is specified
 input-file:
 - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json
+- Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
 - Microsoft.Security/preview/2019-01-01-preview/assessmentMetadata.json
 - Microsoft.Security/preview/2019-01-01-preview/assessments.json