diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/alerts.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/alerts.json new file mode 100644 index 000000000000..1761bd6f335a --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/alerts.json @@ -0,0 +1,966 @@ +{ + "swagger": "2.0", + "info": { + "title": "Security Center", + "description": "API spec for Microsoft.Security (Azure Security Center) alerts resource provider", + "version": "2020-01-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a subscription": { + "$ref": "./examples/Alerts/GetAlertsSubscription_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the subscription", + "operationId": "Alerts_List", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a resource group": { + "$ref": "./examples/Alerts/GetAlertsResourceGroup_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the resource group", + "operationId": "Alerts_ListByResourceGroup", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a subscription from a security data location": { + "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the subscription that are stored in a specific location", + "operationId": "Alerts_ListSubscriptionLevelByRegion", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { + "get": { + "x-ms-examples": { + "Get security alerts on a resource group from a security data location": { + "$ref": "./examples/Alerts/GetAlertsResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "List all the alerts that are associated with the resource group that are stored in a specific location", + "operationId": "Alerts_ListResourceGroupLevelByRegion", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/AlertList" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + }, + "x-ms-pageable": { + "nextLinkName": "nextLink" + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { + "get": { + "x-ms-examples": { + "Get security alert on a subscription from a security data location": { + "$ref": "./examples/Alerts/GetAlertSubscriptionLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Get an alert that is associated with a subscription", + "operationId": "Alerts_GetSubscriptionLevel", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Alert" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { + "get": { + "x-ms-examples": { + "Get security alert on a resource group from a security data location": { + "$ref": "./examples/Alerts/GetAlertResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Get an alert that is associated a resource group or a resource in a resource group", + "operationId": "Alerts_GetResourceGroupLevel", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" + } + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/Alert" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": { + "post": { + "x-ms-examples": { + "Update security alert state on a subscription from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateSubscriptionLevelStateToDismiss", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/resolve": { + "post": { + "x-ms-examples": { + "Update security alert state on a subscription from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_resolve_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateSubscriptionLevelStateToResolve", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/activate": { + "post": { + "x-ms-examples": { + "Update security alert state on a subscription from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateSubscriptionLevelStateToActivate", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/resolve": { + "post": { + "x-ms-examples": { + "Update security alert state on a resource group from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_resolve_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateResourceGroupLevelStateToResolve", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": { + "post": { + "x-ms-examples": { + "Update security alert state on a resource group from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateResourceGroupLevelStateToDismiss", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/activate": { + "post": { + "x-ms-examples": { + "Update security alert state on a resource group from a security data location": { + "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" + } + }, + "tags": [ + "Alerts" + ], + "description": "Update the alert's state", + "operationId": "Alerts_UpdateResourceGroupLevelStateToActivate", + "parameters": [ + { + "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/AscLocation" + }, + { + "$ref": "#/parameters/AlertName" + }, + { + "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" + } + ], + "responses": { + "204": { + "description": "No Content" + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../../common/v1/types.json#/definitions/CloudError" + } + } + } + } + } + }, + "definitions": { + "Alert": { + "type": "object", + "description": "Security alert", + "properties": { + "properties": { + "x-ms-client-flatten": true, + "description": "describes security alert properties.", + "$ref": "#/definitions/AlertProperties" + } + }, + "allOf": [ + { + "$ref": "../../../common/v1/types.json#/definitions/Resource" + } + ] + }, + "AlertEntity": { + "type": "object", + "additionalProperties": { + "type": "object" + }, + "description": "Changing set of properties depending on the entity type.", + "properties": { + "type": { + "readOnly": true, + "type": "string", + "description": "Type of entity" + } + } + }, + "AlertExtendedLinks": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "Links related to the alert" + }, + "AlertExtendedProperties": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "Custom properties for the alert." + }, + "AlertList": { + "type": "object", + "description": "List of security alerts", + "properties": { + "value": { + "type": "array", + "description": "describes security alert properties.", + "items": { + "$ref": "#/definitions/Alert" + } + }, + "nextLink": { + "readOnly": true, + "type": "string", + "description": "The URI to fetch the next page." + } + } + }, + "AlertProperties": { + "type": "object", + "description": "describes security alert properties.", + "properties": { + "alertType": { + "readOnly": true, + "type": "string", + "description": "Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType)." + }, + "systemAlertId": { + "readOnly": true, + "type": "string", + "description": "Unique identifier for the alert." + }, + "productComponentName": { + "readOnly": true, + "type": "string", + "description": "The name of Azure Security Center pricing tier which powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing" + }, + "alertDisplayName": { + "readOnly": true, + "type": "string", + "description": "The display name of the alert." + }, + "description": { + "readOnly": true, + "type": "string", + "description": "Description of the suspicious activity that was detected." + }, + "severity": { + "readOnly": true, + "type": "string", + "enum": [ + "Informational", + "Low", + "Medium", + "High" + ], + "x-ms-enum": { + "name": "alertSeverity", + "modelAsString": true, + "values": [ + { + "value": "Informational", + "description": "Informational" + }, + { + "value": "Low", + "description": "Low" + }, + { + "value": "Medium", + "description": "Medium" + }, + { + "value": "High", + "description": "High" + } + ] + }, + "description": "The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified." + }, + "intent": { + "readOnly": true, + "type": "string", + "enum": [ + "Unknown", + "PreAttack", + "InitialAccess", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Execution", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "Probing", + "Exploitation" + ], + "x-ms-enum": { + "name": "intent", + "modelAsString": true, + "values": [ + { + "value": "Unknown", + "description": "Unknown" + }, + { + "value": "PreAttack", + "description": "PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and find a way in. Further details on the PreAttack stage can be read in [MITRE Pre-Att&ck matrix](https://attack.mitre.org/matrices/pre/)." + }, + { + "value": "InitialAccess", + "description": "InitialAccess is the stage where an attacker manages to get foothold on the attacked resource." + }, + { + "value": "Persistence", + "description": "Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system." + }, + { + "value": "PrivilegeEscalation", + "description": "Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network." + }, + { + "value": "DefenseEvasion", + "description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses." + }, + { + "value": "CredentialAccess", + "description": "Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment." + }, + { + "value": "Discovery", + "description": "Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network." + }, + { + "value": "LateralMovement", + "description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems." + }, + { + "value": "Execution", + "description": "The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system." + }, + { + "value": "Collection", + "description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration." + }, + { + "value": "Exfiltration", + "description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network." + }, + { + "value": "CommandAndControl", + "description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network." + }, + { + "value": "Impact", + "description": "Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process." + }, + { + "value": "Probing", + "description": "Probing could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation." + }, + { + "value": "Exploitation", + "description": "Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc." + } + ] + }, + "description": "The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents." + }, + "startTimeUtc": { + "readOnly": true, + "type": "string", + "format": "date-time", + "description": "The UTC time of the first event or activity included in the alert in ISO8601 format." + }, + "endTimeUtc": { + "readOnly": true, + "type": "string", + "format": "date-time", + "description": "The UTC time of the last event or activity included in the alert in ISO8601 format." + }, + "resourceIdentifiers": { + "readOnly": true, + "type": "array", + "description": "The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.", + "items": { + "$ref": "#/definitions/ResourceIdentifier" + } + }, + "remediationSteps": { + "readOnly": true, + "type": "array", + "description": "Manual action items to take to remediate the alert.", + "items": { + "readOnly": true, + "type": "string" + } + }, + "vendorName": { + "readOnly": true, + "type": "string", + "description": "The name of the vendor that raises the alert." + }, + "status": { + "readOnly": true, + "type": "string", + "enum": [ + "Active", + "Resolved", + "Dismissed" + ], + "x-ms-enum": { + "name": "alertStatus", + "modelAsString": true, + "values": [ + { + "value": "Active", + "description": "An alert which doesn't specify a value is assigned the status 'Active'" + }, + { + "value": "Resolved", + "description": "Alert closed after handling" + }, + { + "value": "Dismissed", + "description": "Alert dismissed as false positive" + } + ] + }, + "description": "The life cycle status of the alert." + }, + "extendedLinks": { + "readOnly": true, + "type": "array", + "description": "Links related to the alert", + "items": { + "$ref": "#/definitions/AlertExtendedLinks" + } + }, + "alertUri": { + "readOnly": true, + "type": "string", + "description": "A direct link to the alert page in Azure Portal." + }, + "timeGeneratedUtc": { + "readOnly": true, + "type": "string", + "format": "date-time", + "description": "The UTC time the alert was generated in ISO8601 format." + }, + "productName": { + "readOnly": true, + "type": "string", + "description": "The name of the product which published this alert (Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, and so on)." + }, + "processingEndTimeUtc": { + "readOnly": true, + "type": "string", + "format": "date-time", + "description": "The UTC processing end time of the alert in ISO8601 format." + }, + "entities": { + "readOnly": true, + "type": "array", + "description": "A list of entities related to the alert.", + "items": { + "$ref": "#/definitions/AlertEntity" + } + }, + "isIncident": { + "readOnly": true, + "type": "boolean", + "description": "This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert." + }, + "correlationKey": { + "readOnly": true, + "type": "string", + "description": "Key for corelating related alerts. Alerts with the same correlation key considered to be related." + }, + "extendedProperties": { + "$ref": "#/definitions/AlertExtendedProperties", + "description": "Custom properties for the alert." + }, + "compromisedEntity": { + "readOnly": true, + "type": "string", + "description": "The display name of the resource most related to this alert." + } + } + }, + "AzureResourceIdentifier": { + "type": "object", + "description": "Azure resource identifier.", + "x-ms-discriminator-value": "AzureResource", + "allOf": [ + { + "$ref": "#/definitions/ResourceIdentifier" + } + ], + "properties": { + "azureResourceId": { + "readOnly": true, + "type": "string", + "description": "ARM resource identifier for the cloud resource being alerted on" + } + } + }, + "LogAnalyticsIdentifier": { + "type": "object", + "description": "Represents a Log Analytics workspace scope identifier.", + "x-ms-discriminator-value": "LogAnalytics", + "allOf": [ + { + "$ref": "#/definitions/ResourceIdentifier" + } + ], + "properties": { + "workspaceId": { + "readOnly": true, + "type": "string", + "description": "The LogAnalytics workspace id that stores this alert." + }, + "workspaceSubscriptionId": { + "readOnly": true, + "type": "string", + "description": "The azure subscription id for the LogAnalytics workspace storing this alert.", + "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$" + }, + "workspaceResourceGroup": { + "readOnly": true, + "type": "string", + "description": "The azure resource group for the LogAnalytics workspace storing this alert" + }, + "agentId": { + "readOnly": true, + "type": "string", + "description": "(optional) The LogAnalytics agent id reporting the event that this alert is based on." + } + } + }, + "ResourceIdentifier": { + "type": "object", + "description": "A resource identifier for an alert which can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.).", + "discriminator": "type", + "required": [ + "type" + ], + "properties": { + "type": { + "type": "string", + "description": "There can be multiple identifiers of different type per alert, this field specify the identifier type.", + "enum": [ + "AzureResource", + "LogAnalytics" + ], + "x-ms-enum": { + "name": "ResourceIdentifierType", + "modelAsString": true, + "values": [ + { + "value": "AzureResource" + }, + { + "value": "LogAnalytics" + } + ] + } + } + } + } + }, + "parameters": { + "AlertName": { + "name": "alertName", + "in": "path", + "required": true, + "type": "string", + "description": "Name of the alert object", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json new file mode 100644 index 000000000000..49446f9f4617 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json @@ -0,0 +1,79 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "ascLocation": "westeurope", + "alertName": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_EICAR", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Azure Security Center test alert (not a threat)", + "description": "This is a test alert generated by Azure Security Center. No further action is needed.", + "severity": "High", + "intent": "Execution", + "startTimeUtc": "2020-02-22T00:00:00.0000000Z", + "endTimeUtc": "2020-02-22T00:00:00.0000000Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "No further action is needed." + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z", + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "type": "ip" + } + ], + "isIncident": true, + "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=", + "extendedProperties": { + "Property1": "Property1 information" + }, + "compromisedEntity": "vm1" + } + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertSubscriptionLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertSubscriptionLocation_example.json new file mode 100644 index 000000000000..50fb76fb502e --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertSubscriptionLocation_example.json @@ -0,0 +1,78 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope", + "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA" + }, + "responses": { + "200": { + "body": { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_EICAR", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Azure Security Center test alert (not a threat)", + "description": "This is a test alert generated by Azure Security Center. No further action is needed.", + "severity": "High", + "intent": "Execution", + "startTimeUtc": "2020-02-22T00:00:00.0000000Z", + "endTimeUtc": "2020-02-22T00:00:00.0000000Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "No further action is needed." + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z", + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "type": "ip" + } + ], + "isIncident": true, + "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=", + "extendedProperties": { + "Property1": "Property1 information" + }, + "compromisedEntity": "vm1" + } + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsResourceGroupLocation_example.json new file mode 100644 index 000000000000..cf33060d8dbd --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsResourceGroupLocation_example.json @@ -0,0 +1,82 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1", + "ascLocation": "westeurope" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_EICAR", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Azure Security Center test alert (not a threat)", + "description": "This is a test alert generated by Azure Security Center. No further action is needed.", + "severity": "High", + "intent": "Execution", + "startTimeUtc": "2020-02-22T00:00:00.0000000Z", + "endTimeUtc": "2020-02-22T00:00:00.0000000Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "No further action is needed." + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z", + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "type": "ip" + } + ], + "isIncident": true, + "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=", + "extendedProperties": { + "Property1": "Property1 information" + }, + "compromisedEntity": "vm1" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsResourceGroup_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsResourceGroup_example.json new file mode 100644 index 000000000000..8cada3557ed0 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsResourceGroup_example.json @@ -0,0 +1,81 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg1" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_EICAR", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Azure Security Center test alert (not a threat)", + "description": "This is a test alert generated by Azure Security Center. No further action is needed.", + "severity": "High", + "intent": "Execution", + "startTimeUtc": "2020-02-22T00:00:00.0000000Z", + "endTimeUtc": "2020-02-22T00:00:00.0000000Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "No further action is needed." + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z", + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "type": "ip" + } + ], + "isIncident": true, + "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=", + "extendedProperties": { + "Property1": "Property1 information" + }, + "compromisedEntity": "vm1" + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsSubscription_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsSubscription_example.json new file mode 100644 index 000000000000..3d2769779efc --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsSubscription_example.json @@ -0,0 +1,186 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_EICAR", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Azure Security Center test alert (not a threat)", + "description": "This is a test alert generated by Azure Security Center. No further action is needed.", + "severity": "High", + "intent": "Execution", + "startTimeUtc": "2020-02-22T00:00:00.0000000Z", + "endTimeUtc": "2020-02-22T00:00:00.0000000Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "No further action is needed." + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z", + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "type": "ip" + } + ], + "isIncident": true, + "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=", + "extendedProperties": { + "Property1": "Property1 information" + }, + "compromisedEntity": "vm1" + } + }, + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_SuspiciousScreenSaver", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Suspicious Screensaver process executed", + "description": "The process ‘c:\\users\\contosoUser\\scrsave.scr’ was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.", + "severity": "Medium", + "intent": "Execution", + "startTimeUtc": "2019-05-07T13:51:45.0045913Z", + "endTimeUtc": "2019-05-07T13:51:45.0045913Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)", + "2. Make sure the machine is completely updated and has an updated anti-malware application installed", + "3. Run a full anti-malware scan and verify that the threat was removed", + "4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)", + "5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)", + "6. Escalate the alert to the information security team" + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2019-05-07T13:51:48.3810457Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2019-05-07T13:51:48.9810457Z", + "entities": [ + { + "dnsDomain": "", + "ntDomain": "", + "hostName": "vm2", + "netBiosName": "vm2", + "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2", + "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a", + "operatingSystem": "Unknown", + "type": "host", + "OsVersion": null + }, + { + "name": "contosoUser", + "ntDomain": "vm2", + "logonId": "0x61450d87", + "sid": "S-1-5-21-2144575486-8928446540-5163864319-500", + "type": "account" + }, + { + "directory": "c:\\windows\\system32", + "name": "cmd.exe", + "type": "file" + }, + { + "processId": "0x3c44", + "type": "process" + }, + { + "directory": "c:\\users\\contosoUser", + "name": "scrsave.scr", + "type": "file" + }, + { + "processId": "0x4aec", + "commandLine": "c:\\users\\contosoUser\\scrsave.scr", + "creationTimeUtc": "2018-05-07T13:51:45.0045913Z", + "type": "process" + } + ], + "isIncident": true, + "correlationKey": "4hno6LF0xzCl5tqrk4nrBW+MY1BX816W6q6+0srk4", + "compromisedEntity": "vm2", + "extendedProperties": { + "domain name": "vm2", + "user name": "vm2\\contosoUser", + "process name": "c:\\users\\contosoUser\\scrsave.scr", + "command line": "c:\\users\\contosoUser\\scrsave.scr", + "parent process": "cmd.exe", + "process id": "0x4aec", + "account logon id": "0x61450d87", + "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500", + "parent process id": "0x3c44", + "resourceType": "Virtual Machine" + } + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsSubscriptionsLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsSubscriptionsLocation_example.json new file mode 100644 index 000000000000..de7348db0c15 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/GetAlertsSubscriptionsLocation_example.json @@ -0,0 +1,187 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope" + }, + "responses": { + "200": { + "body": { + "value": [ + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA", + "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_EICAR", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Azure Security Center test alert (not a threat)", + "description": "This is a test alert generated by Azure Security Center. No further action is needed.", + "severity": "High", + "intent": "Execution", + "startTimeUtc": "2020-02-22T00:00:00.0000000Z", + "endTimeUtc": "2020-02-22T00:00:00.0000000Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "No further action is needed." + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z", + "entities": [ + { + "address": "192.0.2.1", + "location": { + "countryCode": "gb", + "state": "wokingham", + "city": "sonning", + "longitude": -0.909, + "latitude": 51.468, + "asn": 6584 + }, + "type": "ip" + } + ], + "isIncident": true, + "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=", + "extendedProperties": { + "Property1": "Property1 information" + }, + "compromisedEntity": "vm1" + } + }, + { + "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "type": "Microsoft.Security/Locations/alerts", + "properties": { + "alertType": "VM_SuspiciousScreenSaver", + "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "productComponentName": "", + "alertDisplayName": "Suspicious Screensaver process executed", + "description": "The process ‘c:\\users\\contosoUser\\scrsave.scr’ was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.", + "severity": "Medium", + "intent": "Execution", + "startTimeUtc": "2019-05-07T13:51:45.0045913Z", + "endTimeUtc": "2019-05-07T13:51:45.0045913Z", + "resourceIdentifiers": [ + { + "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1", + "type": "AzureResource" + }, + { + "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019", + "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "workspaceResourceGroup": "myRg1", + "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e", + "type": "LogAnalytics" + } + ], + "remediationSteps": [ + "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)", + "2. Make sure the machine is completely updated and has an updated anti-malware application installed", + "3. Run a full anti-malware scan and verify that the threat was removed", + "4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)", + "5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)", + "6. Escalate the alert to the information security team" + ], + "vendorName": "Microsoft", + "status": "New", + "extendedLinks": [ + { + "Category": "threat_reports", + "Label": "Report: RDP Brute Forcing", + "Href": "https://contoso.com/reports/DisplayReport", + "Type": "webLink" + } + ], + "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope", + "timeGeneratedUtc": "2019-05-07T13:51:48.3810457Z", + "productName": "Azure Security Center", + "processingEndTimeUtc": "2019-05-07T13:51:48.9810457Z", + "entities": [ + { + "dnsDomain": "", + "ntDomain": "", + "hostName": "vm2", + "netBiosName": "vm2", + "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2", + "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a", + "operatingSystem": "Unknown", + "type": "host", + "OsVersion": null + }, + { + "name": "contosoUser", + "ntDomain": "vm2", + "logonId": "0x61450d87", + "sid": "S-1-5-21-2144575486-8928446540-5163864319-500", + "type": "account" + }, + { + "directory": "c:\\windows\\system32", + "name": "cmd.exe", + "type": "file" + }, + { + "processId": "0x3c44", + "type": "process" + }, + { + "directory": "c:\\users\\contosoUser", + "name": "scrsave.scr", + "type": "file" + }, + { + "processId": "0x4aec", + "commandLine": "c:\\users\\contosoUser\\scrsave.scr", + "creationTimeUtc": "2018-05-07T13:51:45.0045913Z", + "type": "process" + } + ], + "isIncident": true, + "correlationKey": "4hno6LF0xzCl5tqrk4nrBW+MY1BX816W6q6+0srk4", + "compromisedEntity": "vm2", + "extendedProperties": { + "domainName": "vm2", + "userName": "vm2\\contosoUser", + "processName": "c:\\users\\contosoUser\\scrsave.scr", + "command line": "c:\\users\\contosoUser\\scrsave.scr", + "parent process": "cmd.exe", + "process id": "0x4aec", + "account logon id": "0x61450d87", + "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500", + "parent process id": "0x3c44", + "resourceType": "Virtual Machine" + } + } + } + ] + } + } + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_example.json new file mode 100644 index 000000000000..b7be3ef5f435 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_example.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg2", + "ascLocation": "westeurope", + "alertName": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "alertUpdateActionType": "Dismiss" + }, + "responses": { + "204": {} + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_resolve_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_resolve_example.json new file mode 100644 index 000000000000..bdcbe43029d3 --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertResourceGroupLocation_resolve_example.json @@ -0,0 +1,13 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "resourceGroupName": "myRg2", + "ascLocation": "westeurope", + "alertName": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22", + "alertUpdateActionType": "Resolve" + }, + "responses": { + "204": {} + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_example.json new file mode 100644 index 000000000000..52b671bde85c --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_example.json @@ -0,0 +1,12 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope", + "alertName": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "alertUpdateActionType": "Dismiss" + }, + "responses": { + "204": {} + } +} diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_resolve_example.json b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_resolve_example.json new file mode 100644 index 000000000000..4fe76e01925d --- /dev/null +++ b/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/Alerts/UpdateAlertSubscriptionLocation_resolve_example.json @@ -0,0 +1,12 @@ +{ + "parameters": { + "api-version": "2020-01-01", + "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23", + "ascLocation": "westeurope", + "alertName": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", + "alertUpdateActionType": "Resolve" + }, + "responses": { + "204": {} + } +} diff --git a/specification/security/resource-manager/readme.md b/specification/security/resource-manager/readme.md index 982c3d005409..72698037552b 100644 --- a/specification/security/resource-manager/readme.md +++ b/specification/security/resource-manager/readme.md @@ -137,7 +137,6 @@ These settings apply only when `--tag=package-composite-v3` is specified on the input-file: - Microsoft.Security/stable/2017-08-01/complianceResults.json - Microsoft.Security/stable/2018-06-01/pricings.json -- Microsoft.Security/stable/2019-01-01/alerts.json - Microsoft.Security/stable/2019-01-01/settings.json - Microsoft.Security/stable/2019-01-01/advancedThreatProtectionSettings.json - Microsoft.Security/stable/2019-08-01/deviceSecurityGroups.json @@ -163,6 +162,7 @@ input-file: - Microsoft.Security/stable/2020-01-01/adaptiveNetworkHardenings.json - Microsoft.Security/stable/2020-01-01/allowedConnections.json - Microsoft.Security/stable/2020-01-01/topologies.json +- Microsoft.Security/stable/2020-01-01/alerts.json - Microsoft.Security/stable/2020-01-01/jitNetworkAccessPolicies.json - Microsoft.Security/stable/2020-01-01/discoveredSecuritySolutions.json - Microsoft.Security/stable/2020-01-01/externalSecuritySolutions.json @@ -384,7 +384,6 @@ input-file: - $(this-folder)/Microsoft.Security/stable/2018-06-01/pricings.json - $(this-folder)/Microsoft.Security/preview/2017-08-01-preview/iotSecuritySolutions.json - $(this-folder)/Microsoft.Security/preview/2017-08-01-preview/iotSecuritySolutionAnalytics.json - - $(this-folder)/Microsoft.Security/stable/2019-01-01/alerts.json - $(this-folder)/Microsoft.Security/stable/2017-08-01/complianceResults.json - $(this-folder)/Microsoft.Security/stable/2019-01-01/settings.json - $(this-folder)/Microsoft.Security/stable/2019-01-01/advancedThreatProtectionSettings.json @@ -398,6 +397,7 @@ input-file: - $(this-folder)/Microsoft.Security/stable/2020-01-01/adaptiveNetworkHardenings.json - $(this-folder)/Microsoft.Security/stable/2020-01-01/allowedConnections.json - $(this-folder)/Microsoft.Security/stable/2020-01-01/topologies.json + - $(this-folder)/Microsoft.Security/stable/2020-01-01/alerts.json - $(this-folder)/Microsoft.Security/stable/2020-01-01/jitNetworkAccessPolicies.json - $(this-folder)/Microsoft.Security/stable/2020-01-01/discoveredSecuritySolutions.json - $(this-folder)/Microsoft.Security/stable/2020-01-01/externalSecuritySolutions.json