Added classification reason to incident (#8661)

* Added case tactics * Added incident tactics * Removing redundant comma from incident additional data * Changed tabs to spaces to better match format in file * Rename tactics field (alertTactics=>tactics) * Rename unknown classification to undetermined classification * Undo last commmit * Added classification reason to incident * Examples updated
Azure · Mar 27, 2020 · 3abe2ea · 3abe2ea
1 parent 4cd7471
commit 3abe2ea
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 0 deletions.
diff --git a/...ource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/...ource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -6087,6 +6087,38 @@
             ]
           }
         },
+        "classificationReason": {
+          "description": "The classification reason the incident was closed with",
+          "enum": [
+            "SuspiciousActivity",
+            "SuspiciousButExpected",
+            "IncorrectAlertLogic",
+            "InaccurateData"
+          ],
+          "type": "string",
+          "x-ms-enum": {
+            "modelAsString": true,
+            "name": "IncidentClassificationReason",
+            "values": [
+              {
+                "description": "Classification reason was suspicious activity",
+                "value": "SuspiciousActivity"
+              },
+              {
+                "description": "Classification reason was suspicious but expected",
+                "value": "SuspiciousButExpected"
+              },
+              {
+                "description": "Classification reason was incorrect alert logic",
+                "value": "IncorrectAlertLogic"
+              },
+              {
+                "description": "Classification reason was inaccurate data",
+                "value": "InaccurateData"
+              }
+            ]
+          }
+        },
         "createdTimeUtc": {
           "description": "The time the incident was created",
           "format": "date-time",

diff --git a/...rosoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/CreateIncident.json b/...rosoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/CreateIncident.json
@@ -18,6 +18,7 @@
         },
         "severity": "High",
         "classification": "FalsePositive",
+        "classificationReason": "IncorrectAlertLogic",
         "status": "Closed"
       }
     }
@@ -44,6 +45,7 @@
           },
           "severity": "High",
           "classification": "FalsePositive",
+          "classificationReason": "IncorrectAlertLogic",
           "status": "Closed",
           "incidentNumber": 3177,
           "labels": [],
@@ -78,6 +80,7 @@
           },
           "severity": "High",
           "classification": "FalsePositive",
+          "classificationReason": "IncorrectAlertLogic",
           "status": "Closed",
           "incidentNumber": 3177,
           "labels": [],

diff --git a/...osoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/GetIncidentById.json b/...osoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/GetIncidentById.json
@@ -29,6 +29,7 @@
           },
           "severity": "High",
           "classification": "FalsePositive",
+          "classificationReason": "InaccurateData",
           "status": "Closed",
           "incidentNumber": 3177,
           "labels": [],

diff --git a/...icrosoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/GetIncidents.json b/...icrosoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/GetIncidents.json
@@ -32,6 +32,7 @@
               },
               "severity": "High",
               "classification": "FalsePositive",
+              "classificationReason": "IncorrectAlertLogic",
               "status": "Closed",
               "incidentNumber": 3177,
               "labels": [],