From 0ec8710e142f20fa0eef72acb4bed354c860b5ff Mon Sep 17 00:00:00 2001 From: Yifat Birnbaum Date: Mon, 23 Sep 2019 15:26:28 +0300 Subject: [PATCH 01/10] Create swagger for a new API: AutoDismissAlertsRules --- .../autoDismissAlertsRules.json | 355 ++++++++++++++++++ .../DeleteAutoDismissAlertsRule_example.json | 10 + .../GetAutoDismissAlertsRule_example.json | 40 ++ .../GetAutoDismissAlertsRules_example.json | 55 +++ .../PutAutoDismissAlertsRuleTest_example.json | 75 ++++ .../PutAutoDismissAlertsRule_example.json | 69 ++++ .../security/resource-manager/readme.md | 1 + 7 files changed, 605 insertions(+) create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json new file mode 100644 index 000000000000..1717a8ee4332 --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json 
@@ -0,0 +1,355 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Security Center",
+ "description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
+ "version": "2019-01-01-preview"
+ },
+ "host": "management.azure.com",
+ "schemes": [
+ "https"
+ ],
+ "consumes": [
+ "application/json"
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "security": [
+ {
+ "azure_auth": [
+ "user_impersonation"
+ ]
+ }
+ ],
+ "securityDefinitions": {
+ "azure_auth": {
+ "type": "oauth2",
+ "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
+ "flow": "implicit",
+ "description": "Azure Active Directory OAuth2 Flow",
+ "scopes": {
+ "user_impersonation": "impersonate your user account"
+ }
+ }
+ },
+ "paths": {
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/autoDismissAlertsRules": {
+ "get": {
+ "x-ms-examples": {
+ "Get auto dismiss rules for subscription": {
+ "$ref": "./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json"
+ }
+ },
+ "tags": [
+ "AutoDismissAlertsRules"
+ ],
+ "description": "List of all the dismiss rules for the given subscription",
+ "operationId": "AutoDismissAlertsRules_List",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AlertType"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AutoDismissAlertsRulesList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/autoDismissAlertsRules/{autoDismissAlertsRuleName}": {
+ "get": {
+ "x-ms-examples": {
+ "Get auto dismiss alert rule for subscription": {
+ "$ref": 
"./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json"
+ }
+ },
+ "tags": [
+ "AutoDismissAlertsRules"
+ ],
+ "description": "Get dismiss rule, with name: {autoDismissAlertsRuleName}, for the given subscription",
+ "operationId": "AutoDismissAlertsRules_Get",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissAlertsRuleName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AutoDismissAlertsRule"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Update or create auto dismiss rule for subscription": {
+ "$ref": "./examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json"
+ },
+ "Test a rule for subscription": {
+ "$ref": "./examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json"
+ }
+ },
+ "tags": [
+ "AutoDismissAlertsRules"
+ ],
+ "description": "Update existing rule or create new rule if not exist",
+ "operationId": "AutoDismissAlertsRules_Update",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissAlertsRuleName"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissAlertsRule"
+ },
+ {
+ "$ref": "#/parameters/TestRule"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/AutoDismissAlertsRule"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete auto dismiss 
rule data for a subscription": {
+ "$ref": "./examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json"
+ }
+ },
+ "tags": [
+ "AutoDismissAlertsRules"
+ ],
+ "description": "Delete dismiss alert rule for this subscription.",
+ "operationId": "AutoDismissAlertsRules_Delete",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissAlertsRuleName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ }
+ },
+ "definitions": {
+ "AutoDismissAlertsRulesList": {
+ "type": "object",
+ "description": "Auto dismiss rules list for subscription.",
+ "properties": {
+ "value": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AutoDismissAlertsRule"
+ }
+ },
+ "nextLink": {
+ "readOnly": true,
+ "type": "string",
+ "description": "The URI to fetch the next page."
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "AutoDismissAlertsRule": {
+ "type": "object",
+ "description": "Describes the auto dismiss rule",
+ "properties": {
+ "properties": {
+ "x-ms-client-flatten": true,
+ "$ref": "#/definitions/AutoDismissAlertsRuleProperties"
+ }
+ },
+ "allOf": [
+ {
+ "$ref": "../../../common/v1/types.json#/definitions/Resource"
+ }
+ ]
+ },
+ "AutoDismissAlertsRuleProperties": {
+ "type": "object",
+ "description": "describes AutoDismissAlertsRule properties",
+ "properties": {
+ "alertType": {
+ "type": "string",
+ "description": "Type of the auto dismissed alert. 
For all alert types, use '*'"
+ },
+ "lastModifiedUTC": {
+ "readOnly": true,
+ "type": "string",
+ "format": "date-time",
+ "description": "The last time this rule was modified"
+ },
+ "expirationDateUTC": {
+ "type": "string",
+ "format": "date-time",
+ "description": "Expiration date of the rule"
+ },
+ "reason": {
+ "type": "string",
+ "description": "The reason for dismissing the alert"
+ },
+ "state": {
+ "type": "string",
+ "description": "Possible states of the rule",
+ "x-ms-enum": {
+ "name": "State"
+ },
+ "enum": [
+ "Enabled",
+ "Disabled",
+ "Expired"
+ ]
+ },
+ "comment": {
+ "type": "string",
+ "description": "Any comment regarding the rule"
+ },
+ "autoDismissAlertsScope": {
+ "type": "object",
+ "description": "The auto dismiss conditions",
+ "$ref": "#/definitions/AutoDismissAlertsScope"
+ },
+ "ruleImpact": {
+ "type": "object",
+ "description": "The impact of the rule. Use for testing the rule and will be returned only when the test flag is set",
+ "readOnly": true,
+ "$ref": "#/definitions/RuleImpact"
+ }
+ },
+ "required": [
+ "alertType",
+ "reason",
+ "state"
+ ]
+ },
+ "AutoDismissAlertsScope": {
+ "type": "object",
+ "properties": {
+ "allOf": {
+ "type": "array",
+ "description": "All the conditions inside need to be true in order to auto dismiss the alert",
+ "items": {}
+ }
+ },
+ "required": [
+ "allOf"
+ ]
+ },
+ "RuleImpact": {
+ "type": "object",
+ "required": [
+ "scannedAlertsNumber",
+ "dismissedAlertsNumber"
+ ],
+ "properties": {
+ "scannedAlertsNumber" : {
+ "type": "integer"
+ },
+ "dismissedAlertsNumber" : {
+ "type": "integer"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "AlertType": {
+ "name": "AlertType",
+ "in": "query",
+ "type": "string",
+ "description": "The type of the alert to get rules for",
+ "x-ms-parameter-location": "method"
+ },
+ "TestRule": {
+ "name": "TestRule",
+ "in": "query",
+ "type": "boolean",
+ "description": "The type of the alert to get rules for",
+ "x-ms-parameter-location": "method"
+ },
+ 
"AutoDismissAlertsRuleName": {
+ "name": "autoDismissAlertsRuleName",
+ "in": "path",
+ "required": true,
+ "type": "string",
+ "description": "The unique name of the auto dismiss alert rule",
+ "x-ms-parameter-location": "method"
+ },
+ "AutoDismissAlertsRule": {
+ "name": "autoDismissAlertsRule",
+ "in": "body",
+ "required": true,
+ "description": "Auto dismiss rule object",
+ "schema": {
+ "$ref": "#/definitions/AutoDismissAlertsRule"
+ },
+ "x-ms-parameter-location": "method"
+ }
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json
new file mode 100644
index 000000000000..99f9c5ea3067
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json
@@ -0,0 +1,10 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts"
+ },
+ "responses": {
+ "200": {}
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
new file mode 100644
index 000000000000..1b1abc386258
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
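Review bot: `AutoDismissAlertsScope.allOf` is declared with `"items": {}`, so the condition objects that actually decide which alerts get dismissed — the examples in this patch use `field` with either an `in` string array or a `contains` string — are not modelled at all, and an empty `allOf` array is accepted even though it would match every alert of the rule's `alertType` (every alert when `alertType` is `'*'`). Giving the conditions a definition, and `"minItems": 1` if an empty condition list is not intended, lets clients and the example validator check a rule before it reaches the service; the operators below are only the ones visible in this patch's examples, so the set has to be confirmed against the service. Separately, `autoDismissAlertsScope` and `ruleImpact` carry `type` and `description` beside `$ref`, which JSON Schema draft-04 (the dialect Swagger 2.0 uses) ignores, and `AutoDismissAlertsScope` itself has no `description`, so moving the text onto the definition keeps it regardless of which tool reads the spec.
```json
"AutoDismissAlertsScope": {
  "type": "object",
  "description": "The auto dismiss conditions",
  "properties": {
    "allOf": {
      "type": "array",
      "description": "All the conditions inside need to be true in order to auto dismiss the alert",
      "minItems": 1,
      "items": {
        "$ref": "#/definitions/AutoDismissAlertsCondition"
      }
    }
  },
  "required": [
    "allOf"
  ]
},
"AutoDismissAlertsCondition": {
  "type": "object",
  "description": "A single condition on an alert field; operators listed are the ones used by the examples and must be confirmed against the service",
  "properties": {
    "field": {
      "type": "string",
      "description": "Alert field the condition is evaluated against"
    },
    "in": {
      "type": "array",
      "description": "Values the field is matched against",
      "items": {
        "type": "string"
      }
    },
    "contains": {
      "type": "string",
      "description": "Substring the field is matched against"
    }
  },
  "required": [
    "field"
  ]
}
```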
@@ -0,0 +1,40 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Detects a normal activity (False Positive)",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntities",
+ "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [ "104.215.95.187", "52.164.206.56" ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
new file mode 100644
index 000000000000..1c1932f133b5
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
@@ -0,0 +1,55 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Detects a normal activity (False Positive)",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntities",
+ "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [ "104.215.95.187", "52.164.206.56" ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissDataExfiltrationAnomalyAlertsOnTestVMs",
+ "name": "dismissDataExfiltrationAnomalyAlertsOnTestVMs",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "DataExfiltrationAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Not needed in tests VMs"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json
new file mode 100644
index 000000000000..cde7059a8a9a
--- /dev/null
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json 
@@ -0,0 +1,75 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts",
+ "testRule": "true",
+ "autoDismissAlertsRule": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Detects a normal activity (False Positive)",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntities",
+ "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [ "104.215.95.187", "52.164.206.56" ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Detects a normal activity (False Positive)",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntities",
+ "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [ "104.215.95.187", "52.164.206.56" ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ },
+ "ruleImpact": {
+ "scannedAlertsNumber": 250,
+ "dismissedAlertsNumber": 143
+ }
+ }
+ }
+ 
} + } + } + \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json new file mode 100644 index 000000000000..e86b2f79ea04 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json 
@@ -0,0 +1,69 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts",
+ "autoDismissAlertsRule": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Detects a normal activity (False Positive)",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntities",
+ "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [ "104.215.95.187", "52.164.206.56" ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "Detects a normal activity (False Positive)",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntities",
+ "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [ "104.215.95.187", "52.164.206.56" ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
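Review bot: The request body under `parameters.autoDismissAlertsRule` sends `lastModifiedUTC`, which the spec marks `readOnly`, together with `id`, `name` and `type`, which are presumably readOnly through the common `Resource` definition (not visible in this chunk); example validation rejects readOnly properties in a request body, and a PUT example that carries the server-managed timestamp reads as if the client sets it. Keep those four properties only in the `200` response and drop them from the request side of the example. The later commit in this series touches this file again, but that hunk is outside this chunk, so I cannot tell whether it already addresses this.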
diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md index d7a2879d54a9..374f108f05a0 100644 --- a/specification/security/resource-manager/readme.md +++ b/specification/security/resource-manager/readme.md @@ -140,6 +140,7 @@ input-file: - Microsoft.Security/preview/2017-08-01-preview/iotSecuritySolutionAnalytics.json - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json - Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json +- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json # Needed when there is more than one input file override-info: From 4ff67e22a5c2311d2c518cb29b7a034a150f7d74 Mon Sep 17 00:00:00 2001 
From: Yifat Birnbaum Date: Thu, 5 Dec 2019 15:38:19 +0200 Subject: [PATCH 02/10] Add AutoDismiss rule name parameter to alerts API. Fix some descriptions. --- .../autoDismissAlertsRules.json | 65 +++------ .../DeleteAutoDismissAlertsRule_example.json | 4 +- .../GetAutoDismissAlertsRule_example.json | 14 +- ...smissAlertsRulesWithAlertType_example.json | 50 +++++++ .../GetAutoDismissAlertsRules_example.json | 16 ++- .../PutAutoDismissAlertsRuleTest_example.json | 75 ----------- .../PutAutoDismissAlertsRule_example.json | 28 ++-- .../stable/2019-01-01/alerts.json | 124 +++++++++++++++--- ...upLocationWithAutoDismissRule_example.json | 86 ++++++++++++ ...ourceGroupWithAutoDismissRule_example.json | 85 ++++++++++++ ...bscriptionWithAutoDismissRule_example.json | 84 ++++++++++++ ...nsLocationWithAutoDismissRule_example.json | 85 ++++++++++++ .../security/resource-manager/readme.md | 15 ++- 13 files changed, 573 insertions(+), 158 deletions(-) create mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json delete mode 100644 specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json create mode 100644 specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json create mode 100644 
specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json index 1717a8ee4332..e825e2ae2207 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json @@ -39,6 +39,9 @@ "x-ms-examples": { "Get auto dismiss rules for subscription": { "$ref": "./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json" + }, + "Get auto dismiss alert rule for subscription, filtered by AlertType": { + "$ref": "./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json" } }, "tags": [ @@ -118,15 +121,12 @@ "x-ms-examples": { "Update or create auto dismiss rule for subscription": { "$ref": "./examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json" - }, - "Test a rule for subscription": { - "$ref": "./examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json" } }, "tags": [ "AutoDismissAlertsRules" ], - "description": "Update existing rule or create new rule if not exist", + "description": "Update existing rule or create new rule if it doesn't exist", "operationId": "AutoDismissAlertsRules_Update", "parameters": [ { @@ -140,9 +140,6 @@ }, { "$ref": "#/parameters/AutoDismissAlertsRule" - }, - { - "$ref": "#/parameters/TestRule" } ], "responses": { @@ -183,8 +180,8 @@ } ], "responses": { - "200": { - "description": "OK" + "204": { + "description": "OK, No Content" }, "default": { "description": "Error response describing why the operation failed.", 
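Review bot: The `delete` operation now documents `204` in place of `200` (last hunk of this file), so a delete that actually removed the rule has no documented response unless the service really answers `204` on success; the ARM convention is `200` for a completed delete and `204` when the resource did not exist, so `204` belongs beside `200` rather than replacing it. The Delete example in this commit makes the same substitution (`"200": {}` → `"204": {}`) and now only illustrates the not-found case. Suggested responses: `"200": { "description": "OK" },` followed by `"204": { "description": "No Content" },` with the `default` entry unchanged.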
@@ -210,7 +207,7 @@ "nextLink": { "readOnly": true, "type": "string", - "description": "The URI to fetch the next page." + "description": "URI to fetch the next page." } }, "required": [ @@ -259,7 +256,7 @@ "type": "string", "description": "Possible states of the rule", "x-ms-enum": { - "name": "State" + "name": "RuleState" }, "enum": [ "Enabled", @@ -275,12 +272,6 @@ "type": "object", "description": "The auto dismiss conditions", "$ref": "#/definitions/AutoDismissAlertsScope" - }, - "ruleImpact": { - "type": "object", - "description": "The impact of the rule. Use for testing the rule and will be returned only when the test flag is set", - "readOnly": true, - "$ref": "#/definitions/RuleImpact" } }, "required": [ @@ -301,21 +292,6 @@ "required": [ "allOf" ] - }, - "RuleImpact": { - "type": "object", - "required": [ - "scannedAlertsNumber", - "dismissedAlertsNumber" - ], - "properties": { - "scannedAlertsNumber" : { - "type": "integer" - }, - "dismissedAlertsNumber" : { - "type": "integer" - } - } } }, "parameters": { @@ -323,24 +299,9 @@ "name": "AlertType", "in": "query", "type": "string", - "description": "The type of the alert to get rules for", + "description": "Type of the alert to get rules for", "x-ms-parameter-location": "method" }, - "TestRule": { - "name": "TestRule", - "in": "query", - "type": "boolean", - "description": "The type of the alert to get rules for", - "x-ms-parameter-location": "method" - }, - "AutoDismissAlertsRuleName": { - "name": "autoDismissAlertsRuleName", - "in": "path", - "required": true, - "type": "string", - "description": "The unique name of the auto dismiss alert rule", - "x-ms-parameter-location": "method" - }, "AutoDismissAlertsRule": { "name": "autoDismissAlertsRule", "in": "body", 
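Review bot: The `AlertType` query parameter keeps `"name": "AlertType"` in the `@@ -323` hunk while the new example file `GetAutoDismissAlertsRulesWithAlertType_example.json` added by this commit passes it as `"alertType"`; example validation binds example keys to parameter names, so that example's filter is never matched to the parameter, and every other parameter in this file (`autoDismissAlertsRuleName`, `autoDismissAlertsRule`) is camelCase. Change the line to `"name": "alertType",` (the definition key `AlertType` and the `#/parameters/AlertType` reference can stay as they are).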
@@ -350,6 +311,14 @@ "$ref": "#/definitions/AutoDismissAlertsRule" }, "x-ms-parameter-location": "method" + }, + "AutoDismissAlertsRuleName": { + "name": "autoDismissAlertsRuleName", + "in": "path", + "required": true, + "type": "string", + "description": "The unique name of the auto dismiss alert rule", + "x-ms-parameter-location": "method" } } } diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json index 99f9c5ea3067..9710f5e9d7cc 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json @@ -2,9 +2,9 @@ "parameters": { "api-version": "2019-01-01-preview", "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", - "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts" + "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts" }, "responses": { - "200": {} + "204": {} } } diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json index 1b1abc386258..b71d4e2049ce 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json 
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json @@ -15,17 +15,23 @@ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z", "expirationDateUTC": "2019-12-01T19:50:47.083633Z", "state": "Enabled", - "reason": "Detects a normal activity (False Positive)", + "reason": "FalsePositive", "comment": "Test VM", "autoDismissAlertsScope": { "allOf": [ { - "field": "CompromisedEntities", - "in": [ "ContosoVM1", "demoAccount@microsoft.com" ] + "field": "CompromisedEntity", + "in": [ + "contoso", + "demoAccount@microsoft.com" + ] }, { "field": "entities.ip.address", - "in": [ "104.215.95.187", "52.164.206.56" ] + "in": [ + "104.215.95.187", + "52.164.206.56" + ] }, { "field": "entities.process.commandline", diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json new file mode 100644 index 000000000000..7f6c3ce13407 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json 
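Review bot: `reason` changes from free text to `"FalsePositive"` here and in both list examples of this commit, which reads like a fixed vocabulary, yet the spec still declares `reason` as an unconstrained `string` described only as `The reason for dismissing the alert`. If the service validates the value, declare the accepted set in autoDismissAlertsRules.json with `"enum": [ "FalsePositive", <other accepted values> ]` and an `x-ms-enum` name so clients get a typed value instead of guessing from examples; if it is genuinely free text, say so in the description. The spec hunk that would carry this change is not part of this example file.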
@@ -0,0 +1,50 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
+ "alertType": "IpAnomaly"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "name": "dismissIpAnomalyAlerts",
+ "type": "Microsoft.Security/autoDismissAlertsRules",
+ "properties": {
+ "alertType": "IpAnomaly",
+ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "state": "Enabled",
+ "reason": "FalsePositive",
+ "comment": "Test VM",
+ "autoDismissAlertsScope": {
+ "allOf": [
+ {
+ "field": "CompromisedEntity",
+ "in": [
+ "contoso",
+ "demoAccount@microsoft.com"
+ ]
+ },
+ {
+ "field": "entities.ip.address",
+ "in": [
+ "104.215.95.187",
+ "52.164.206.56"
+ ]
+ },
+ {
+ "field": "entities.process.commandline",
+ "contains": "POWERSHELL.EXE"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
index 1c1932f133b5..960581ebf625 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
@@ -16,17 +16,23 @@ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z", "expirationDateUTC": "2019-12-01T19:50:47.083633Z", "state": "Enabled", - "reason": "Detects a normal activity (False Positive)", + "reason": "FalsePositive", "comment": "Test VM", "autoDismissAlertsScope": { "allOf": [ { - "field": "CompromisedEntities", - "in": [ "ContosoVM1", "demoAccount@microsoft.com" ] + "field": "CompromisedEntity", + "in": [ + "contoso", + "demoAccount@microsoft.com" + ] }, { "field": "entities.ip.address", - "in": [ "104.215.95.187", "52.164.206.56" ] + "in": [ + "104.215.95.187", + "52.164.206.56" + ] }, { "field": "entities.process.commandline", @@ -45,7 +51,7 @@ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z", "expirationDateUTC": "2019-12-01T19:50:47.083633Z", "state": "Enabled", - "reason": "Not needed in tests VMs" + "reason": "FalsePositive" } } ] diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json deleted file mode 100644 index cde7059a8a9a..000000000000 --- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRuleTest_example.json +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - "parameters": { - "api-version": "2019-01-01-preview", - "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", - "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts", - "testRule": "true", - "autoDismissAlertsRule": { - "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts", - "name": "dismissIpAnomalyAlerts", - "type": "Microsoft.Security/autoDismissAlertsRules", - "properties": { - "alertType": "IpAnomaly", - "lastModifiedUTC": "2019-07-31T19:50:47.083633Z", - "expirationDateUTC": "2019-12-01T19:50:47.083633Z", - "state": "Enabled", - "reason": "Detects a normal activity (False Positive)", - "comment": "Test VM", - "autoDismissAlertsScope": { - "allOf": [ - { - "field": "CompromisedEntities", - "in": [ "ContosoVM1", "demoAccount@microsoft.com" ] - }, - { - "field": "entities.ip.address", - "in": [ "104.215.95.187", "52.164.206.56" ] - }, - { - "field": "entities.process.commandline", - "contains": "POWERSHELL.EXE" - } - ] - } - } - } - }, - "responses": { - "200": { - "body": { - "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts", - "name": "dismissIpAnomalyAlerts", - "type": "Microsoft.Security/autoDismissAlertsRules", - "properties": { - "alertType": "IpAnomaly", - "lastModifiedUTC": "2019-07-31T19:50:47.083633Z", - "expirationDateUTC": "2019-12-01T19:50:47.083633Z", - "state": "Enabled", - "reason": "Detects a normal activity (False Positive)", - "comment": "Test VM", - "autoDismissAlertsScope": { - "allOf": [ - { - "field": "CompromisedEntities", - "in": [ "ContosoVM1", "demoAccount@microsoft.com" ] - }, - { - "field": "entities.ip.address", - "in": [ "104.215.95.187", "52.164.206.56" ] - }, - { - "field": "entities.process.commandline", - "contains": "POWERSHELL.EXE" - } - ] - }, - "ruleImpact": { - "scannedAlertsNumber": 250, - "dismissedAlertsNumber": 143 - } - } - } - 
} - } - } - \ No newline at end of file diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json index e86b2f79ea04..7932b4cf7daf 100644 --- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json +++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json @@ -12,17 +12,23 @@ "lastModifiedUTC": "2019-07-31T19:50:47.083633Z", "expirationDateUTC": "2019-12-01T19:50:47.083633Z", "state": "Enabled", - "reason": "Detects a normal activity (False Positive)", + "reason": "FalsePositive", "comment": "Test VM", "autoDismissAlertsScope": { "allOf": [ { - "field": "CompromisedEntities", - "in": [ "ContosoVM1", "demoAccount@microsoft.com" ] + "field": "CompromisedEntity", + "in": [ + "contoso", + "demoAccount@microsoft.com" + ] }, { "field": "entities.ip.address", - "in": [ "104.215.95.187", "52.164.206.56" ] + "in": [ + "104.215.95.187", + "52.164.206.56" + ] }, { "field": "entities.process.commandline", 
@@ -44,17 +50,23 @@
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
 "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
- "reason": "Detects a normal activity (False Positive)",
+ "reason": "FalsePositive",
 "comment": "Test VM",
 "autoDismissAlertsScope": {
 "allOf": [
 {
- "field": "CompromisedEntities",
- "in": [ "ContosoVM1", "demoAccount@microsoft.com" ]
+ "field": "CompromisedEntity",
+ "in": [
+ "contoso",
+ "demoAccount@microsoft.com"
+ ]
 },
 {
 "field": "entities.ip.address",
- "in": [ "104.215.95.187", "52.164.206.56" ]
+ "in": [
+ "104.215.95.187",
+ "52.164.206.56"
+ ]
 },
 {
 "field": "entities.process.commandline",
diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json
index c7b90d3b5bf2..cc3894b377cb 100644
--- a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json
@@ -39,6 +39,9 @@
 "x-ms-examples": {
 "Get security alerts on a subscription": {
 "$ref": "./examples/Alerts/GetAlertsSubscription_example.json"
+ },
+ "Get security alerts, that were affected by auto dismiss rule, on a subscription": {
+ "$ref": "./examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -61,6 +64,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -87,6 +93,9 @@
 "x-ms-examples": {
 "Get security alerts on a resource group": {
 "$ref": "./examples/Alerts/GetAlertsResourceGroup_example.json"
+ },
+ "Get security alerts, that should be dismissed by auto dismiss rule, on a resource group": {
+ "$ref": "./examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json"
 }
 },
 "tags": [
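Review bot: The new `x-ms-examples` key at `@@ -39,6 +39,9 @@` reads "Get security alerts, that were affected by auto dismiss rule, on a subscription", while the sibling keys added at `@@ -87,6 +93,9 @@` here and at `@@ -138` and `@@ -189` in the next hunks read "that should be dismissed by auto dismiss rule"; these keys become the sample titles in generated documentation, so the four should share one phrasing, e.g. `"Get security alerts that would be dismissed by an auto dismiss rule, on a subscription": {`. The stray comma after "alerts" in all four titles can go at the same time.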
@@ -112,6 +121,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -138,6 +150,9 @@
 "x-ms-examples": {
 "Get security alerts on a subscription from a security data location": {
 "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocation_example.json"
+ },
+ "Get security alerts, that should be dismissed by auto dismiss rule, on a subscription from a security data location": {
+ "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -163,6 +178,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -189,6 +207,9 @@
 "x-ms-examples": {
 "Get security alerts on a resource group from a security data location": {
 "$ref": "./examples/Alerts/GetAlertsResourceGroupLocation_example.json"
+ },
+ "Get security alerts, that should be dismissed by auto dismiss rule, on a resource group from a security data location": {
+ "$ref": "./examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json"
 }
 },
 "tags": [
@@ -217,6 +238,9 @@
 },
 {
 "$ref": "#/parameters/ODataExpand"
+ },
+ {
+ "$ref": "#/parameters/AutoDismissRuleName"
 }
 ],
 "responses": {
@@ -325,7 +349,7 @@
 }
 }
 },
- "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/{alertUpdateActionType}": {
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": {
 "post": {
 "x-ms-examples": {
 "Update security alert state on a subscription from a security data location": {
@@ -336,7 +360,7 @@
 "Alerts"
 ],
 "description": "Update the alert's state",
- "operationId": "Alerts_UpdateSubscriptionLevelAlertState",
+ "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToDismiss",
 "parameters": [
 {
 "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
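Review bot: At `@@ -325,7 +349,7 @@` the path template `/alerts/{alertName}/{alertUpdateActionType}` becomes the literal `/alerts/{alertName}/dismiss`, and at `@@ -336,7 +360,7 @@` `Alerts_UpdateSubscriptionLevelAlertState` is renamed to `Alerts_UpdateSubscriptionLevelAlertStateToDismiss`, all inside `stable/2019-01-01/alerts.json`; if this api-version has already been published, both edits break every client generated from it, since the old operation name disappears and the `alertUpdateActionType` argument no longer exists. The same applies to the resource-group path at `@@ -367` / `@@ -378` in the next hunk and to the removal of the `AlertUpdateActionType` parameter definition at `@@ -665` after it. Either these belong in a new api-version, or the PR needs an explicit breaking-change approval; if 2019-01-01 has not shipped yet, a sentence saying so in the PR description would settle the question for reviewers.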
@@ -349,9 +373,45 @@
 },
 {
 "$ref": "#/parameters/AlertName"
+ }
+ ],
+ "responses": {
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": {
+ "post": {
+ "x-ms-examples": {
+ "Update security alert state on a subscription from a security data location": {
+ "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json"
+ }
+ },
+ "tags": [
+ "Alerts"
+ ],
+ "description": "Update the alert's state",
+ "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToReactivate",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/AscLocation"
 },
 {
- "$ref": "#/parameters/AlertUpdateActionType"
+ "$ref": "#/parameters/AlertName"
 }
 ],
 "responses": {
@@ -367,7 +427,7 @@
 }
 }
 },
- "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/{alertUpdateActionType}": {
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": {
 "post": {
 "x-ms-examples": {
 "Update security alert state on a resource group from a security data location": {
@@ -378,7 +438,7 @@
 "Alerts"
 ],
 "description": "Update the alert's state",
- "operationId": "Alerts_UpdateResourceGroupLevelAlertState",
+ "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToDismiss",
 "parameters": [
 {
 "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
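Review bot: The new `/reactivate` operation at `@@ -349,9 +373,45 @@` copies `"description": "Update the alert's state"` and the `UpdateAlertSubscriptionLocation_example.json` example verbatim from the `/dismiss` operation above it, so generated reference docs will show two operations with identical descriptions and identical samples that differ only in `operationId`. Give each its own wording, e.g. `"description": "Dismiss the alert"` on the dismiss operation and `"description": "Reactivate a dismissed alert"` here, and point the reactivate operation at its own example file. The resource-group pair added at `@@ -393` in the next hunk has the same duplication.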
@@ -393,7 +453,46 @@
 "$ref": "#/parameters/AlertName"
 },
 {
- "$ref": "#/parameters/AlertUpdateActionType"
+ "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName"
+ }
+ ],
+ "responses": {
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "../../../common/v1/types.json#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": {
+ "post": {
+ "x-ms-examples": {
+ "Update security alert state on a resource group from a security data location": {
+ "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json"
+ }
+ },
+ "tags": [
+ "Alerts"
+ ],
+ "description": "Update the alert's state",
+ "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToReactivate",
+ "parameters": [
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "../../../common/v1/types.json#/parameters/AscLocation"
+ },
+ {
+ "$ref": "#/parameters/AlertName"
 },
 {
 "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName"
@@ -665,16 +764,11 @@
 "description": "Name of the alert object",
 "x-ms-parameter-location": "method"
 },
- "AlertUpdateActionType": {
- "name": "alertUpdateActionType",
- "in": "path",
- "required": true,
+ "AutoDismissRuleName": {
+ "name": "autoDismissRuleName",
+ "in": "query",
 "type": "string",
- "enum": [
- "Dismiss",
- "Reactivate"
- ],
- "description": "Type of the action to do on the alert",
+ "description": "The name of an existing auto dismiss rule. Use it to simulate the rule on existing alerts and get the alerts that would have been dismissed if the rule was enabled when the alert was created",
 "x-ms-parameter-location": "method"
 }
 }
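Review bot: The `AutoDismissRuleName` description at `@@ -665,16 +764,11 @@` says the parameter simulates the rule and returns the alerts that "would have been dismissed", yet every alert in the four new `...WithAutoDismissRule_example.json` responses below carries `"state": "Dismissed"`; a simulation that does not modify the stored alert would presumably return the alert's actual state, so either the examples or the description is misleading. Say which in the description, e.g. append `The alerts are returned with their current state; the rule is not applied.`, or, if the service really reports the simulated outcome in `state`, say that explicitly. The parameter is also an unconstrained `"type": "string"`; if the rule name path parameter in autoDismissAlertsRules.json (outside this chunk) carries a `pattern` or `maxLength`, repeating it here lets request validation reject malformed names before they reach the backend.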
diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json new file mode 100644 index 000000000000..0815c5f5bd32 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json 
@@ -0,0 +1,86 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "ascLocation": "westeurope", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": 
"gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json new file mode 100644 index 000000000000..55f3b45eb732 --- /dev/null 
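Review bot: `"reason": "Some proccess reason"` in the `confidenceReasons` array misspells "process"; this response body is duplicated byte-for-byte in the three other `...WithAutoDismissRule_example.json` files added below, so the fix is needed in all four. Since the four examples differ only in their `parameters`, the shared response could be trimmed to the fields the auto-dismiss scenario illustrates (`id`, `name`, `alertName`, `state`) instead of carrying the full threat-intelligence narrative in each file, which would also make future edits a one-place change.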
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json 
@@ -0,0 +1,85 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + 
"city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json new file mode 100644 index 000000000000..85011eda2695 --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json 
@@ -0,0 +1,84 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + 
"longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json new file mode 100644 index 000000000000..3b7698a86967 --- /dev/null 
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json 
@@ -0,0 +1,85 @@ +{ + "parameters": { + "api-version": "2019-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope", + "autoDismissRuleName": "dismissThreatIntelligence" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "vendorName": "Microsoft", + "alertDisplayName": "Threat Intelligence Alert", + "alertName": "ThreatIntelligence", + "detectedTimeUtc": "2018-05-01T19:50:47.083633Z", + "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it", + "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM", + "actionTaken": "Detected", + "reportedSeverity": "High", + "compromisedEntity": "vm1", + "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa", + "extendedProperties": { + "user Name": "administrator", + "domain Name": "Contoso", + "attacker IP": "192.0.2.1", + "resourceType": "Virtual Machine" + }, + "state": "Dismissed", + "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z", + "confidenceScore": 0.8, + "confidenceReasons": [ + { + "type": "User", + "reason": "Some user reason" + }, + { + "type": "Process", + "reason": "Some proccess reason" + }, + { + "type": "Computer", + "reason": "Some computer reason" + } + ], + "canBeInvestigated": true, + "isIncident": false, + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + 
"city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "threatIntelligence": [ + { + "providerName": "Team Cymru", + "threatType": "C2", + "threatName": "rarog", + "confidence": 0.8, + "reportLink": "http://www.microsoft.com", + "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed." + } + ], + "type": "ip" + } + ], + "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md index a38f9f4aaea3..6bfb3c90622c 100644 --- a/specification/security/resource-manager/readme.md +++ b/specification/security/resource-manager/readme.md 
@@ -28,6 +28,10 @@ directive: from: securityContacts.json where: $.definitions.SecurityContactProperties.properties.email.format reason: email format is allowed + - suppress: ValidFormats + from: automations.json + where: $.definitions.AutomationActionLogicAppInput.properties.uri.format + reason: uri format is allowed - suppress: PageableOperation from: iotSecuritySolutionAnalytics.json where: '$.paths["/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels"].get' @@ -55,7 +59,9 @@ These settings apply only when `--tag=package-composite-v1` is specified on the ``` yaml $(tag) == 'package-composite-v1' input-file: +- Microsoft.Security/preview/2019-01-01-preview/automations.json - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json +- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json - Microsoft.Security/preview/2017-08-01-preview/pricings.json - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json @@ -89,7 +95,9 @@ These settings apply only when `--tag=package-composite-v2` is specified on the ``` yaml $(tag) == 'package-composite-v2' input-file: +- Microsoft.Security/preview/2019-01-01-preview/automations.json - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json +- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json - Microsoft.Security/stable/2018-06-01/pricings.json - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json 
@@ -150,6 +158,8 @@ input-file:
 - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json
 - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
+- Microsoft.Security/preview/2019-01-01-preview/automations.json
+- Microsoft.Security/preview/2019-01-01-preview/assessmentMetadata.json
 - Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 # Needed when there is more than one input file
@@ -325,7 +335,9 @@ require: $(this-folder)/../../../profiles/readme.md
 # all the input files across all versions
 input-file:
+ - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/automations.json
 - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
+ - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - $(this-folder)/Microsoft.Security/preview/2017-08-01-preview/pricings.json
 - $(this-folder)/Microsoft.Security/preview/2017-08-01-preview/securityContacts.json
@@ -357,6 +369,7 @@ input-file:
 - $(this-folder)/Microsoft.Security/stable/2019-08-01/iotSecuritySolutions.json
 - $(this-folder)/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json
 - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json
+ - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/assessmentMetadata.json
 ```
@@ -366,4 +379,4 @@ uncomment the `exclude-file` section below and add the file paths.
 ``` yaml $(tag) == 'all-api-versions'
 #exclude-file:
 # - $(this-folder)/Microsoft.Example/stable/2010-01-01/somefile.json
-```
+```
\ No newline at end of file
From 0ad95dace22ea96ab2e972f97aa71115803af562 Mon Sep 17 00:00:00 2001
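Review bot: The two added entries `+- Microsoft.Security/preview/2019-01-01-preview/automations.json` and `+- Microsoft.Security/preview/2019-01-01-preview/assessmentMetadata.json` point autorest at files that no visible hunk of this patch creates or modifies, and the patch subject covers only AutoDismissAlertsRules. If those files are not present at this commit, every tag that lists them fails to build, which masks whether the new autoDismissAlertsRules.json itself validates; if they came in from a rebase, they belong in their own commit so the review of this API is not mixed with unrelated build configuration. The same applies to the `automations.json` suppression directive and input-file entries added in the preceding readme hunks.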
From: Yifat Birnbaum
Date: Sun, 15 Dec 2019 09:59:36 +0200
Subject: [PATCH 03/10] Remove CompromisedEntity from the examples
---
 .../GetAutoDismissAlertsRule_example.json | 7 -------
 ...utoDismissAlertsRulesWithAlertType_example.json | 7 -------
 .../GetAutoDismissAlertsRules_example.json | 7 -------
 .../PutAutoDismissAlertsRule_example.json | 14 --------------
 specification/security/resource-manager/readme.md | 2 +-
 5 files changed, 1 insertion(+), 36 deletions(-)
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
index b71d4e2049ce..269969120b64 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
@@ -19,13 +19,6 @@
 "comment": "Test VM",
 "autoDismissAlertsScope": {
 "allOf": [
- {
- "field": "CompromisedEntity",
- "in": [
- "contoso",
- "demoAccount@microsoft.com"
- ]
- },
 {
 "field": "entities.ip.address",
 "in": [
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json
index 7f6c3ce13407..d28b88370cf7 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json
@@ -21,13 +21,6 @@
 "comment": "Test VM",
 "autoDismissAlertsScope": {
 "allOf": [
- {
- "field": "CompromisedEntity",
- "in": [
- "contoso",
- "demoAccount@microsoft.com"
- ]
- },
 {
 "field": "entities.ip.address",
 "in": [
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
index 960581ebf625..6e4c377ec7fa 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
@@ -20,13 +20,6 @@
 "comment": "Test VM",
 "autoDismissAlertsScope": {
 "allOf": [
- {
- "field": "CompromisedEntity",
- "in": [
- "contoso",
- "demoAccount@microsoft.com"
- ]
- },
 {
 "field": "entities.ip.address",
 "in": [
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json
index 7932b4cf7daf..1597ee2a00e1 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json
@@ -16,13 +16,6 @@
 "comment": "Test VM",
 "autoDismissAlertsScope": {
 "allOf": [
- {
- "field": "CompromisedEntity",
- "in": [
- "contoso",
- "demoAccount@microsoft.com"
- ]
- },
 {
 "field": "entities.ip.address",
 "in": [
@@ -54,13 +47,6 @@
 "comment": "Test VM",
 "autoDismissAlertsScope": {
 "allOf": [
- {
- "field": "CompromisedEntity",
- "in": [
- "contoso",
- "demoAccount@microsoft.com"
- ]
- },
 {
 "field": "entities.ip.address",
 "in": [
diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md
index 6bfb3c90622c..5b6d92f85244 100644
--- a/specification/security/resource-manager/readme.md
+++ b/specification/security/resource-manager/readme.md
@@ -221,6 +221,7 @@ These settings apply only when `--tag=package-2019-01-preview-only` is specified
 input-file:
 - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - Microsoft.Security/preview/2019-01-01-preview/serverVulnerabilityAssessments.json
+- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 # Needed when there is more than one input file
 override-info:
@@ -337,7 +338,6 @@ require: $(this-folder)/../../../profiles/readme.md
 input-file:
 - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/automations.json
 - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
- - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 - $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - $(this-folder)/Microsoft.Security/preview/2017-08-01-preview/pricings.json
 - $(this-folder)/Microsoft.Security/preview/2017-08-01-preview/securityContacts.json
From 3938d8b18e153341fb1c2ee6017de7118b18ad6e Mon Sep 17 00:00:00 2001
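Review bot: The second readme hunk drops `- $(this-folder)/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json` from the `$(this-folder)` input-file list that the first patch in this series labels as all input files across all versions, while the first readme hunk adds the same file to package-2019-01-preview-only, and the commit subject ("Remove CompromisedEntity from the examples") mentions neither readme change. If the multi-api build rejects the file for a reason (duplicate definitions, an unresolved `$ref`), that reason belongs in the commit message and, where it is a lint finding, in a `suppress` directive with a `reason:`; otherwise the line should stay, because removing it silently leaves the new API out of that build. No later patch visible here restores the entry.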
From: Yifat Birnbaum
Date: Sun, 22 Dec 2019 12:06:41 +0200
Subject: [PATCH 04/10] update readmeFile
---
 specification/security/resource-manager/readme.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md
index 5b6d92f85244..7c211d46af0a 100644
--- a/specification/security/resource-manager/readme.md
+++ b/specification/security/resource-manager/readme.md
@@ -30,7 +30,7 @@ directive:
 reason: email format is allowed
 - suppress: ValidFormats
 from: automations.json
- where: $.definitions.AutomationActionLogicAppInput.properties.uri.format
+ where: $.definitions.AutomationActionLogicApp.properties.uri.format
 reason: uri format is allowed
 - suppress: PageableOperation
 from: iotSecuritySolutionAnalytics.json
@@ -61,7 +61,6 @@ These settings apply only when `--tag=package-composite-v1` is specified on the
 input-file:
 - Microsoft.Security/preview/2019-01-01-preview/automations.json
 - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
-- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - Microsoft.Security/preview/2017-08-01-preview/pricings.json
 - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json
@@ -83,6 +82,7 @@ input-file:
 - Microsoft.Security/preview/2015-06-01-preview/topologies.json
 - Microsoft.Security/preview/2015-06-01-preview/allowedConnections.json
 - Microsoft.Security/preview/2015-06-01-preview/adaptiveNetworkHardenings.json
+- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 # Needed when there is more than one input file
 override-info:
@@ -97,7 +97,6 @@ These settings apply only when `--tag=package-composite-v2` is specified on the
 input-file:
 - Microsoft.Security/preview/2019-01-01-preview/automations.json
 - Microsoft.Security/preview/2019-01-01-preview/subAssessments.json
-- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 - Microsoft.Security/preview/2019-01-01-preview/regulatoryCompliance.json
 - Microsoft.Security/stable/2018-06-01/pricings.json
 - Microsoft.Security/preview/2017-08-01-preview/securityContacts.json
@@ -121,6 +120,7 @@ input-file:
 - Microsoft.Security/preview/2015-06-01-preview/topologies.json
 - Microsoft.Security/preview/2015-06-01-preview/allowedConnections.json
 - Microsoft.Security/preview/2015-06-01-preview/adaptiveNetworkHardenings.json
+- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
 # Needed when there is more than one input file
 override-info:
From cdf4e56e776117bee43c81692367d59146ddab3e Mon Sep 17 00:00:00 2001
From: Nitsan Bracha
Date: Mon, 20 Apr 2020 16:54:28 +0300
Subject: [PATCH 05/10] Renaming auto dismiss to suppression
---
 ...Rules.json => alertsSuppressionRules.json} | 98 +++++++++----------
 .../DeleteAlertsSuppressionRule_example.json} | 2 +-
 .../GetAlertsSuppressionRule_example.json} | 8 +-
 ...uppressionRulesWithAlertType_example.json} | 6 +-
 .../GetAlertsSuppressionRules_example.json} | 10 +-
 .../PutAlertsSuppressionRule_example.json} | 16 +-
 6 files changed, 70 insertions(+), 70 deletions(-)
 rename specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/{autoDismissAlertsRules.json => alertsSuppressionRules.json} (70%)
 rename specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/{AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json => AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json} (73%)
 rename specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/{AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json => AlertsSuppressionRules/GetAlertsSuppressionRule_example.json} (81%)
 rename specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/{AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json => AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json} (87%)
 rename specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/{AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json => AlertsSuppressionRules/GetAlertsSuppressionRules_example.json} (84%)
 rename specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/{AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json => AlertsSuppressionRules/PutAlertsSuppressionRule_example.json} (80%)
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
similarity index 70%
rename from specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
index e825e2ae2207..d4f6d15debd1 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
@@ -34,21 +34,21 @@
 }
 },
 "paths": {
- "/subscriptions/{subscriptionId}/providers/Microsoft.Security/autoDismissAlertsRules": {
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules": {
 "get": {
 "x-ms-examples": {
- "Get auto dismiss rules for subscription": {
- "$ref": "./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json"
+ "Get suppression rules for subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json"
 },
- "Get auto dismiss alert rule for subscription, filtered by AlertType": {
- "$ref": "./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json"
+ "Get suppression alert rule for subscription, filtered by AlertType": {
+ "$ref": "./examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json"
 }
 },
 "tags": [
- "AutoDismissAlertsRules"
+ "AlertsSuppressionRules"
 ],
 "description": "List of all the dismiss rules for the given subscription",
- "operationId": "AutoDismissAlertsRules_List",
+ "operationId": "AlertsSuppressionRules_List",
 "parameters": [
 {
 "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
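Review bot: The rename of autoDismissAlertsRules.json to alertsSuppressionRules.json in this file header is not mirrored in the build configuration: the readme.md hunks of patches 03 and 04 in this series leave `- Microsoft.Security/preview/2019-01-01-preview/autoDismissAlertsRules.json` under the package-composite-v1, package-composite-v2 and package-2019-01-preview-only tags, and this patch's diffstat lists no readme.md change, so autorest is pointed at a path that no longer exists unless a later patch in the series fixes it. The rename is also incomplete inside the file: `"description": "List of all the dismiss rules for the given subscription"` in this hunk, and the Get and Delete descriptions in the following hunks, still say "dismiss" while the operationIds, tags and paths now say suppression; `"description": "List of all the suppression rules for the given subscription"` would keep the generated SDK docs consistent with the resource name. The `paths` object opened in this hunk continues past its end.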
@@ -64,7 +64,7 @@
 "200": {
 "description": "OK",
 "schema": {
- "$ref": "#/definitions/AutoDismissAlertsRulesList"
+ "$ref": "#/definitions/AlertsSuppressionRulesList"
 }
 },
 "default": {
@@ -79,18 +79,18 @@
 }
 }
 },
- "/subscriptions/{subscriptionId}/providers/Microsoft.Security/autoDismissAlertsRules/{autoDismissAlertsRuleName}": {
+ "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alertsSuppressionRules/{alertsSuppressionRuleName}": {
 "get": {
 "x-ms-examples": {
- "Get auto dismiss alert rule for subscription": {
- "$ref": "./examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json"
+ "Get suppression alert rule for subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json"
 }
 },
 "tags": [
- "AutoDismissAlertsRules"
+ "AlertsSuppressionRules"
 ],
- "description": "Get dismiss rule, with name: {autoDismissAlertsRuleName}, for the given subscription",
- "operationId": "AutoDismissAlertsRules_Get",
+ "description": "Get dismiss rule, with name: {alertsSuppressionRuleName}, for the given subscription",
+ "operationId": "AlertsSuppressionRules_Get",
 "parameters": [
 {
 "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
@@ -99,14 +99,14 @@
 "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "#/parameters/AutoDismissAlertsRuleName"
+ "$ref": "#/parameters/AlertsSuppressionRuleName"
 }
 ],
 "responses": {
 "200": {
 "description": "OK",
 "schema": {
- "$ref": "#/definitions/AutoDismissAlertsRule"
+ "$ref": "#/definitions/AlertsSuppressionRule"
 }
 },
 "default": {
@@ -119,15 +119,15 @@
 },
 "put": {
 "x-ms-examples": {
- "Update or create auto dismiss rule for subscription": {
- "$ref": "./examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json"
+ "Update or create suppression rule for subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json"
 }
 },
 "tags": [
- "AutoDismissAlertsRules"
+ "AlertsSuppressionRules"
 ],
 "description": "Update existing rule or create new rule if it doesn't exist",
- "operationId": "AutoDismissAlertsRules_Update",
+ "operationId": "AlertsSuppressionRules_Update",
 "parameters": [
 {
 "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
@@ -136,17 +136,17 @@
 "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "#/parameters/AutoDismissAlertsRuleName"
+ "$ref": "#/parameters/AlertsSuppressionRuleName"
 },
 {
- "$ref": "#/parameters/AutoDismissAlertsRule"
+ "$ref": "#/parameters/AlertsSuppressionRule"
 }
 ],
 "responses": {
 "200": {
 "description": "OK",
 "schema": {
- "$ref": "#/definitions/AutoDismissAlertsRule"
+ "$ref": "#/definitions/AlertsSuppressionRule"
 }
 },
 "default": {
@@ -159,15 +159,15 @@
 },
 "delete": {
 "x-ms-examples": {
- "Delete auto dismiss rule data for a subscription": {
- "$ref": "./examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json"
+ "Delete suppression rule data for a subscription": {
+ "$ref": "./examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json"
 }
 },
 "tags": [
- "AutoDismissAlertsRules"
+ "AlertsSuppressionRules"
 ],
 "description": "Delete dismiss alert rule for this subscription.",
- "operationId": "AutoDismissAlertsRules_Delete",
+ "operationId": "AlertsSuppressionRules_Delete",
 "parameters": [
 {
 "$ref": "../../../common/v1/types.json#/parameters/ApiVersion"
@@ -176,7 +176,7 @@
 "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId"
 },
 {
- "$ref": "#/parameters/AutoDismissAlertsRuleName"
+ "$ref": "#/parameters/AlertsSuppressionRuleName"
 }
 ],
 "responses": {
@@ -194,14 +194,14 @@
 }
 },
 "definitions": {
- "AutoDismissAlertsRulesList": {
+ "AlertsSuppressionRulesList": {
 "type": "object",
- "description": "Auto dismiss rules list for subscription.",
+ "description": "Suppression rules list for subscription.",
 "properties": {
 "value": {
 "type": "array",
 "items": {
- "$ref": "#/definitions/AutoDismissAlertsRule"
+ "$ref": "#/definitions/AlertsSuppressionRule"
 }
 },
 "nextLink": {
@@ -214,13 +214,13 @@
 "value"
 ]
 },
- "AutoDismissAlertsRule": {
+ "AlertsSuppressionRule": {
 "type": "object",
- "description": "Describes the auto dismiss rule",
+ "description": "Describes the suppression rule",
 "properties": {
 "properties": {
 "x-ms-client-flatten": true,
- "$ref": "#/definitions/AutoDismissAlertsRuleProperties"
+ "$ref": "#/definitions/AlertsSuppressionRuleProperties"
 }
 },
 "allOf": [
@@ -229,13 +229,13 @@
 }
 ]
 },
- "AutoDismissAlertsRuleProperties": {
+ "AlertsSuppressionRuleProperties": {
 "type": "object",
- "description": "describes AutoDismissAlertsRule properties",
+ "description": "describes AlertsSuppressionRule properties",
 "properties": {
 "alertType": {
 "type": "string",
- "description": "Type of the auto dismissed alert. For all alert types, use '*'"
+ "description": "Type of the alert to automatically suppress. For all alert types, use '*'"
 },
 "lastModifiedUTC": {
 "readOnly": true,
@@ -268,10 +268,10 @@
 "type": "string",
 "description": "Any comment regarding the rule"
 },
- "autoDismissAlertsScope": {
+ "suppressionAlertsScope": {
 "type": "object",
- "description": "The auto dismiss conditions",
- "$ref": "#/definitions/AutoDismissAlertsScope"
+ "description": "The suppression conditions",
+ "$ref": "#/definitions/SuppressionAlertsScope"
 }
 },
 "required": [
@@ -280,12 +280,12 @@
 "state"
 ]
 },
- "AutoDismissAlertsScope": {
+ "SuppressionAlertsScope": {
 "type": "object",
 "properties": {
 "allOf": {
 "type": "array",
- "description": "All the conditions inside need to be true in order to auto dismiss the alert",
+ "description": "All the conditions inside need to be true in order to suppress the alert",
 "items": {}
 }
 },
@@ -302,22 +302,22 @@
 "description": "Type of the alert to get rules for",
 "x-ms-parameter-location": "method"
 },
- "AutoDismissAlertsRule": {
- "name": "autoDismissAlertsRule",
+ "AlertsSuppressionRule": {
+ "name": "alertsSuppressionRule",
 "in": "body",
 "required": true,
- "description": "Auto dismiss rule object",
+ "description": "Suppression rule object",
 "schema": {
- "$ref": "#/definitions/AutoDismissAlertsRule"
+ "$ref": "#/definitions/AlertsSuppressionRule"
 },
 "x-ms-parameter-location": "method"
 },
- "AutoDismissAlertsRuleName": {
- "name": "autoDismissAlertsRuleName",
+ "AlertsSuppressionRuleName": {
+ "name": "alertsSuppressionRuleName",
 "in": "path",
 "required": true,
 "type": "string",
- "description": "The unique name of the auto dismiss alert rule",
+ "description": "The unique name of the suppression alert rule",
 "x-ms-parameter-location": "method"
 }
 }
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json
similarity index 73%
rename from specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json
index 9710f5e9d7cc..d8663e727d45 100644
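Review bot: `"items": {}` on `allOf` leaves every condition of a suppression rule untyped and the array has no `minItems`, so a spec-driven client or the ARM linter accepts `"suppressionAlertsScope": { "allOf": [] }`, which together with `alertType: "*"` from the preceding hunk describes a rule that either matches nothing or silences every alert in the subscription, depending on how the service evaluates an empty conjunction — the spec should pin that down rather than leave it to the backend. The examples in the later hunks all use `{ "field": ..., "in": [...] }` objects, so a named condition schema with `required: ["field", "in"]` plus `minItems: 1` lets SDKs reject a scope-less wildcard rule before it reaches the service; whether the service itself rejects it cannot be told from this spec. The `in` item type below follows the visible examples (strings) and should be widened if other value types are accepted. The tail of the `SuppressionAlertsScope` definition (any `required` list and the closing brace) lies outside this hunk.
```json
"SuppressionAlertsScope": {
  "type": "object",
  "properties": {
    "allOf": {
      "type": "array",
      "minItems": 1,
      "description": "All the conditions inside need to be true in order to suppress the alert",
      "items": {
        "$ref": "#/definitions/ScopeElement"
      }
    }
  },
"ScopeElement": {
  "type": "object",
  "description": "A single condition on an alert field; the alert is suppressed only when every element of allOf matches",
  "properties": {
    "field": {
      "type": "string",
      "description": "Alert property the condition applies to, e.g. entities.ip.address"
    },
    "in": {
      "type": "array",
      "description": "Values of the field for which the alert is suppressed",
      "items": {
        "type": "string"
      }
    }
  },
  "required": [
    "field",
    "in"
  ]
}
```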
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/DeleteAutoDismissAlertsRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/DeleteAlertsSuppressionRule_example.json
@@ -2,7 +2,7 @@
 "parameters": {
 "api-version": "2019-01-01-preview",
 "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
- "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts"
+ "alertsSuppressionRuleName": "dismissIpAnomalyAlerts"
 },
 "responses": {
 "204": {}
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json
similarity index 81%
rename from specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json
index 269969120b64..cb4a01dd448f 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json
@@ -2,14 +2,14 @@
 "parameters": {
 "api-version": "2019-01-01-preview",
 "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
- "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts"
+ "alertsSuppressionRuleName": "dismissIpAnomalyAlerts"
 },
 "responses": {
 "200": {
 "body": {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
 "name": "dismissIpAnomalyAlerts",
- "type": "Micro" "Microsoft.Security/autoDismissAlertsRules",
+ "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
@@ -17,7 +17,7 @@
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
- "autoDismissAlertsScope": {
+ "suppressionAlertsScope": {
 "allOf": [
 {
 "field": "entities.ip.address",
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json
similarity index 87%
rename from specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json
index d28b88370cf7..9b35ab034d8f 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRulesWithAlertType_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json
@@ -9,9 +9,9 @@
 "body": {
 "value": [
 {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
 "name": "dismissIpAnomalyAlerts",
- "type": "Microsoft.Security/autoDismissAlertsRules",
+ "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
@@ -19,7 +19,7 @@
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
- "autoDismissAlertsScope": {
+ "suppressionAlertsScope": {
 "allOf": [
 {
 "field": "entities.ip.address",
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json
similarity index 84%
rename from specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json
index 6e4c377ec7fa..819edcf170e6 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/GetAutoDismissAlertsRules_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json
@@ -8,9 +8,9 @@
 "body": {
 "value": [
 {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
 "name": "dismissIpAnomalyAlerts",
- "type": "Microsoft.Security/autoDismissAlertsRules",
+ "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
@@ -18,7 +18,7 @@
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
- "autoDismissAlertsScope": {
+ "suppressionAlertsScope": {
 "allOf": [
 {
 "field": "entities.ip.address",
@@ -36,9 +36,9 @@
 }
 },
 {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissDataExfiltrationAnomalyAlertsOnTestVMs",
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissDataExfiltrationAnomalyAlertsOnTestVMs",
 "name": "dismissDataExfiltrationAnomalyAlertsOnTestVMs",
- "type": "Microsoft.Security/autoDismissAlertsRules",
+ "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "DataExfiltrationAnomaly",
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
similarity index 80%
rename from specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json
rename to specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
index 1597ee2a00e1..420bdb9aba40 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AutoDismissAlertsRules/PutAutoDismissAlertsRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
@@ -2,11 +2,11 @@
 "parameters": {
 "api-version": "2019-01-01-preview",
 "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
- "autoDismissAlertsRuleName": "dismissIpAnomalyAlerts",
- "autoDismissAlertsRule": {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "alertsSuppressionRuleName": "dismissIpAnomalyAlerts",
+ "alertsSuppressionRule": {
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
 "name": "dismissIpAnomalyAlerts",
- "type": "Microsoft.Security/autoDismissAlertsRules",
+ "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
@@ -14,7 +14,7 @@
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
- "autoDismissAlertsScope": {
+ "suppressionAlertsScope": {
 "allOf": [
 {
 "field": "entities.ip.address",
@@ -35,9 +35,9 @@
 "responses": {
 "200": {
 "body": {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/autoDismissAlertsRules/dismissIpAnomalyAlerts",
+ "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
 "name": "dismissIpAnomalyAlerts",
- "type": "Microsoft.Security/autoDismissAlertsRules",
+ "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
 "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
@@ -45,7 +45,7 @@
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
- "autoDismissAlertsScope": {
+ "suppressionAlertsScope": {
 "allOf": [
 {
 "field": "entities.ip.address",
From f6ff29b1f2dd1fbf8f822a7f283b14330567f90f Mon Sep 17 00:00:00 2001
From: yibirnba <52132191+yibirnba@users.noreply.github.com>
Date: Tue, 21 Apr 2020 12:25:46 +0300
Subject: [PATCH 06/10] Update PutAlertsSuppressionRule_example.json
From d81ea95ce8db0e05f8a51455f0a0def7668e7d64 Mon Sep 17 00:00:00 2001
From: Nitsan Bracha
Date: Tue, 21 Apr 2020 14:37:56 +0300
Subject: [PATCH 07/10] Fixing example - sending read-only property error
---
 .../AlertsSuppressionRules/PutAlertsSuppressionRule_example.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
index 420bdb9aba40..8614517c084a 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
@@ -9,7 +9,6 @@
 "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
- "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
 "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive",
From dc353eff676149d9d6637ec87a46b65c576d1579 Mon Sep 17 00:00:00 2001
From: Nitsan Bracha
Date: Tue, 21 Apr 2020 18:00:35 +0300
Subject: [PATCH 08/10] Removing read-only fields from examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
---
 .../PutAlertsSuppressionRule_example.json | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
index 8614517c084a..aa24bfc5fdf8 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
@@ -4,9 +4,6 @@
 "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
 "alertsSuppressionRuleName": "dismissIpAnomalyAlerts",
 "alertsSuppressionRule": {
- "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alertsSuppressionRules/dismissIpAnomalyAlerts",
- "name": "dismissIpAnomalyAlerts",
- "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
 "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
From a171c45accb2126068e32766533be06d38c59342 Mon Sep 17 00:00:00 2001
From: Nitsan Bracha
Date: Tue, 21 Apr 2020 19:06:53 +0300
Subject: [PATCH 09/10] ARM CR: changing `UTC` to `Utc` + updating expirationDateUtc description
---
 .../preview/2019-01-01-preview/alertsSuppressionRules.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
index d4f6d15debd1..fb678812de26 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
@@ -237,16 +237,16 @@
 "type": "string",
 "description": "Type of the alert to automatically suppress. For all alert types, use '*'"
 },
- "lastModifiedUTC": {
+ "lastModifiedUtc": {
 "readOnly": true,
 "type": "string",
 "format": "date-time",
 "description": "The last time this rule was modified"
 },
- "expirationDateUTC": {
+ "expirationDateUtc": {
 "type": "string",
 "format": "date-time",
- "description": "Expiration date of the rule"
+ "description": "Expiration date of the rule, if value is not provided or provided as null this field will default to the maximum allowed expiration date."
 },
 "reason": {
 "type": "string",
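Review bot: The new `expirationDateUtc` description says an omitted or null value falls back to "the maximum allowed expiration date" without saying what that bound is, so a caller who leaves the field out cannot tell from the spec how long alerts of the given `alertType` will stay suppressed; since this is the control that hides alerts, the description should state the bound explicitly and the sentence should be split, e.g. `"description": "Expiration date of the rule. If omitted or null, the rule expires at the maximum allowed expiration date (state the actual limit here)."`. Renaming `lastModifiedUTC`/`expirationDateUTC` to the `Utc` spelling inside the existing `2019-01-01-preview` version also changes the wire format for any client already using the old names; preview versions may tolerate that, but it deserves a sentence in the commit message rather than the ARM-review tag alone. The enclosing `properties` object starts before and ends after the hunk.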
From 3415e93210c5808de64379e19dab60f4610ea900 Mon Sep 17 00:00:00 2001
From: Nitsan Bracha
Date: Tue, 21 Apr 2020 23:03:14 +0300
Subject: [PATCH 10/10] Adding "ScopeElement" for "allOf" element + fixing examples
---
 .../alertsSuppressionRules.json | 15 ++++++++++++++-
 .../GetAlertsSuppressionRule_example.json | 4 ++--
 ...ertsSuppressionRulesWithAlertType_example.json | 4 ++--
 .../GetAlertsSuppressionRules_example.json | 8 ++++----
 .../PutAlertsSuppressionRule_example.json | 6 +++---
 5 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
index fb678812de26..87b002a47d20 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/alertsSuppressionRules.json
@@ -280,13 +280,26 @@
 "state"
 ]
 },
+ "ScopeElement": {
+ "type": "object",
+ "additionalProperties": true,
+ "description": "A more specific scope used to identify the alerts to suppress.",
+ "properties": {
+ "field": {
+ "type": "string",
+ "description": "The alert entity type to suppress by."
+ }
+ }
+ },
 "SuppressionAlertsScope": {
 "type": "object",
 "properties": {
 "allOf": {
 "type": "array",
 "description": "All the conditions inside need to be true in order to suppress the alert",
- "items": {}
+ "items": {
+ "$ref": "#/definitions/ScopeElement"
+ }
 }
 },
 "required": [
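Review bot: `ScopeElement` declares `field` but does not list it under `required`, so an empty object `{}` still validates as an `allOf` item; adding `"required": ["field"]` to the new definition would close that gap. With `"additionalProperties": true` the key that the examples place after `"field"` (presumably the comparison operator, judging by the trailing comma after `"field": "entities.ip.address"`) stays undescribed, so either model the operator keys explicitly or name them in the `ScopeElement` description. `allOf` also has no `minItems`; if an empty array is treated as vacuously true, a rule with `"allOf": []` suppresses every alert of its `alertType`, which is worth either `"minItems": 1` or an explicit sentence in the `allOf` description. The `definitions` object this hunk edits starts before and ends after it.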
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json
index cb4a01dd448f..67228151c5fa 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRule_example.json
@@ -12,8 +12,8 @@
 "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
- "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
- "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json
index 9b35ab034d8f..a12282315400 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRulesWithAlertType_example.json
@@ -14,8 +14,8 @@
 "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
- "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
- "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json
index 819edcf170e6..493b914255bf 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/GetAlertsSuppressionRules_example.json
@@ -13,8 +13,8 @@
 "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
- "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
- "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
@@ -41,8 +41,8 @@
 "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "DataExfiltrationAnomaly",
- "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
- "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive"
 }
diff --git a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
index aa24bfc5fdf8..efd66de8a29d 100644
--- a/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
+++ b/specification/security/resource-manager/Microsoft.Security/preview/2019-01-01-preview/examples/AlertsSuppressionRules/PutAlertsSuppressionRule_example.json
@@ -6,7 +6,7 @@
 "alertsSuppressionRule": {
 "properties": {
 "alertType": "IpAnomaly",
- "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",
@@ -36,8 +36,8 @@
 "type": "Microsoft.Security/alertsSuppressionRules",
 "properties": {
 "alertType": "IpAnomaly",
- "lastModifiedUTC": "2019-07-31T19:50:47.083633Z",
- "expirationDateUTC": "2019-12-01T19:50:47.083633Z",
+ "lastModifiedUtc": "2019-07-31T19:50:47.083633Z",
+ "expirationDateUtc": "2019-12-01T19:50:47.083633Z",
 "state": "Enabled",
 "reason": "FalsePositive",
 "comment": "Test VM",