Skip to content

Commit

Permalink
New Incidents stable version (#14000)
Browse files Browse the repository at this point in the history 
* New stable version

* revert ApiVersion change

* add operation

* Add operations to README

* Add missing definition

* Fix ApiVersion

* Change ApiVersion

* Add update & delete incident comments

* extracting to common file

* Revert "extracting to common file"

* Add new API calls

* add parameters

* new parameters

* fix conflict

* fix conflict 2

* Add integer format

* fix readme

* fix Duplicate Schema

* fix ApiVersion

* ApiVersionParameter

* resolve conflict

* fix APIVersion

* Add Incident Relations

* Add missing parameters

* fix typo

* Add API version to common

* modelAsString

* revert last 2 changes

* Text changes in some descriptions
  • Loading branch information
@roherzbe
roherzbe authored Jun 7, 2021
1 parent f4a4bad commit 48bdeb7
Show file tree
Hide file tree
Showing 19 changed files with 4,683 additions and 4 deletions.
3,866 changes: 3,866 additions & 0 deletions ...rityinsights/resource-manager/Microsoft.SecurityInsights/stable/2021-04-01/Incidents.json
View file

Large diffs are not rendered by default.

104 changes: 104 additions & 0 deletions ...nager/Microsoft.SecurityInsights/stable/2021-04-01/examples/incidents/CreateIncident.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incident": {
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "IncorrectAlertLogic",
"status": "Closed"
}
}
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/incidents",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
"properties": {
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"userPrincipalName": "john@contoso.com",
"assignedTo": "john doe"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "IncorrectAlertLogic",
"status": "Closed",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incidentNumber": 3177,
"labels": [],
"relatedAnalyticRuleIds": [],
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 3,
"alertProductNames": [],
"tactics": []
}
}
}
},
"201": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/incidents",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
"properties": {
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"userPrincipalName": "john@contoso.com",
"assignedTo": "john doe"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "IncorrectAlertLogic",
"status": "Closed",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incidentNumber": 3177,
"labels": [],
"relatedAnalyticRuleIds": [],
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 3,
"alertProductNames": [],
"tactics": []
}
}
}
}
}
}
13 changes: 13 additions & 0 deletions ...nager/Microsoft.SecurityInsights/stable/2021-04-01/examples/incidents/DeleteIncident.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
},
"responses": {
"200": {},
"204": {}
}
}
50 changes: 50 additions & 0 deletions ...Microsoft.SecurityInsights/stable/2021-04-01/examples/incidents/GetAllIncidentAlerts.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/baa8a239-6fde-4ab7-a093-d09f7b75c58c",
"name": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "SecurityAlert",
"properties": {
"systemAlertId": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
"tactics": [],
"alertDisplayName": "myAlert",
"confidenceLevel": "Unknown",
"severity": "Low",
"vendorName": "Microsoft",
"productName": "Azure Security Center",
"alertType": "myAlert",
"processingEndTime": "2020-07-20T18:21:53.6158361Z",
"status": "New",
"endTimeUtc": "2020-07-20T18:21:53.6158361Z",
"startTimeUtc": "2020-07-20T18:21:53.6158361Z",
"timeGenerated": "2020-07-20T18:21:53.6158361Z",
"resourceIdentifiers": [
{
"type": "LogAnalytics",
"workspaceId": "c8c99641-985d-4e4e-8e91-fb3466cd0e5b",
"subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
"resourceGroup": "myRG"
}
],
"additionalData": {
"AlertMessageEnqueueTime": "2020-07-20T18:21:57.304Z"
},
"friendlyName": "myAlert"
}
}
]
}
}
}
}
77 changes: 77 additions & 0 deletions ...rosoft.SecurityInsights/stable/2021-04-01/examples/incidents/GetAllIncidentBookmarks.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/afbd324f-6c48-459c-8710-8d1e1cd03812",
"name": "afbd324f-6c48-459c-8710-8d1e1cd03812",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "Bookmark",
"properties": {
"displayName": "SecurityEvent - 868f40f4698d",
"created": "2020-06-17T15:34:01.4265524+00:00",
"updated": "2020-06-17T15:34:01.4265524+00:00",
"createdBy": {
"objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
"email": "user@microsoft.com",
"name": "user"
},
"updatedBy": {
"objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
"email": "user@microsoft.com",
"name": "user"
},
"eventTime": "2020-06-17T15:34:01.4265524+00:00",
"labels": [],
"query": "SecurityEvent\r\n| take 1\n",
"queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
"additionalData": {
"ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
"EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
},
"friendlyName": "SecurityEvent - 868f40f4698d"
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/bbbd324f-6c48-459c-8710-8d1e1cd03812",
"name": "bbbd324f-6c48-459c-8710-8d1e1cd03812",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "Bookmark",
"properties": {
"displayName": "SecurityEvent - 868f40f4698d",
"created": "2020-06-17T15:34:01.4265524+00:00",
"updated": "2020-06-17T15:34:01.4265524+00:00",
"createdBy": {
"objectId": "303ca914-5eb6-45e5-9417-fe0797c372fd",
"email": "user@microsoft.com",
"name": "user"
},
"updatedBy": {
"objectId": "b03ca914-5eb6-45e5-9417-fe0797c372fd",
"email": "user@microsoft.com",
"name": "user"
},
"eventTime": "2020-06-17T15:34:01.4265524+00:00",
"labels": [],
"query": "SecurityEvent\r\n| take 1\n",
"queryResult": "{\"TimeGenerated\":\"2020-05-24T01:24:25.67Z\",\"Account\":\"\\\\ADMINISTRATOR\",\"AccountType\":\"User\",\"Computer\":\"SecurityEvents\",\"EventSourceName\":\"Microsoft-Windows-Security-Auditing\",\"Channel\":\"Security\",\"Task\":12544,\"Level\":\"16\",\"EventID\":4625,\"Activity\":\"4625 - An account failed to log on.\",\"AuthenticationPackageName\":\"NTLM\",\"FailureReason\":\"%%2313\",\"IpAddress\":\"176.113.115.73\",\"IpPort\":\"0\",\"LmPackageName\":\"-\",\"LogonProcessName\":\"NtLmSsp \",\"LogonType\":3,\"LogonTypeName\":\"3 - Network\",\"Process\":\"-\",\"ProcessId\":\"0x0\",\"__entityMapping\":{\"\\\\ADMINISTRATOR\":\"Account\",\"SecurityEvents\":\"Host\"}}",
"additionalData": {
"ETag": "\"3b00acab-0000-0d00-0000-5f15e4ed0000\"",
"EntityId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
},
"friendlyName": "SecurityEvent - 868f40f4698d"
}
}
]
}
}
}
}
34 changes: 34 additions & 0 deletions ...crosoft.SecurityInsights/stable/2021-04-01/examples/incidents/GetAllIncidentEntities.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
},
"responses": {
"200": {
"body": {
"entities": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/e1d3d618-e11f-478b-98e3-bb381539a8e1",
"name": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "Account",
"properties": {
"friendlyName": "administrator",
"accountName": "administrator",
"ntDomain": "domain"
}
}
],
"metaData": [
{
"entityKind": "Account",
"count": 1
}
]
}
}
}
}
54 changes: 54 additions & 0 deletions ...ager/Microsoft.SecurityInsights/stable/2021-04-01/examples/incidents/GetIncidentById.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/incidents",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"userPrincipalName": "john@contoso.com",
"assignedTo": "john doe"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "InaccurateData",
"status": "Closed",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incidentNumber": 3177,
"labels": [],
"relatedAnalyticRuleIds": [
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
],
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 3,
"alertProductNames": [],
"tactics": [
"InitialAccess",
"Persistence"
]
}
}
}
}
}
}
59 changes: 59 additions & 0 deletions ...manager/Microsoft.SecurityInsights/stable/2021-04-01/examples/incidents/GetIncidents.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
{
"parameters": {
"api-version": "2021-04-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"$orderby": "properties/createdTimeUtc desc",
"$top": 1
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/incidents",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
"createdTimeUtc": "2019-01-01T13:15:30Z",
"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
"description": "This is a demo incident",
"title": "My incident",
"owner": {
"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
"email": "john.doe@contoso.com",
"userPrincipalName": "john@contoso.com",
"assignedTo": "john doe"
},
"severity": "High",
"classification": "FalsePositive",
"classificationComment": "Not a malicious activity",
"classificationReason": "IncorrectAlertLogic",
"status": "Closed",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"incidentNumber": 3177,
"labels": [],
"relatedAnalyticRuleIds": [
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7",
"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/8deb8303-e94d-46ff-96e0-5fd94b33df1a"
],
"additionalData": {
"alertsCount": 0,
"bookmarksCount": 0,
"commentsCount": 3,
"alertProductNames": [],
"tactics": [
"Persistence"
]
}
}
}
]
}
}
}
}
Loading

0 comments on commit 48bdeb7

Please sign in to comment.