From 9fb60f23b2fb650e2958ec8b1e3ec832b2149526 Mon Sep 17 00:00:00 2001 From: hagba <48715560+hagba@users.noreply.github.com> Date: Wed, 9 Oct 2019 12:47:58 +0300 Subject: [PATCH] Add aggregated alert top devices information (#7409) * Add alert top 10 devices information * fix errors * fix errors * fix errors * fix errors * fix array error * fix time field * fix time field
--- ...uritySolutionsSecurityAggregatedAlert.json | 14 +++++++++- ...ySolutionsSecurityAggregatedAlertList.json | 28 +++++++++++++++++-- .../iotSecuritySolutionAnalytics.json | 24 ++++++++++++++++ 3 files changed, 63 insertions(+), 3 deletions(-)
diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlert.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlert.json
index ceddc2e872b5..e5a4a8ad0a32 100644
--- a/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlert.json
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlert.json
@@ -24,7 +24,19 @@
 "effectedResourceType": "IoT Device",
 "systemSource": "Devices",
 "actionTaken": "Detected",
- "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+ "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
+ "topDevicesList": [
+ {
+ "deviceId": "testDevice1",
+ "alertsCount": 100,
+ "lastOccurrence": "10:42"
+ },
+ {
+ "deviceId": "testDevice2",
+ "alertsCount": 80,
+ "lastOccurrence": "15:42"
+ }
+ ]
 }
 }
 }
diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlertList.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlertList.json
index 91c29bdf1d04..a29bcea8950d 100644
--- a/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlertList.json
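Review bot: The `lastOccurrence` values `"10:42"` and `"15:42"` in the added `topDevicesList` entries are bare clock times with no date and no UTC offset, so a consumer correlating this alert with other telemetry cannot tell which instant, or which zone, they denote. Because the spec change in this same commit types the field as an unconstrained `string`, the example validates as-is and nothing flags the ambiguity. Suggest an RFC 3339 UTC timestamp in the example, e.g. `"lastOccurrence": "2019-10-09T10:42:00Z"` (illustrative value), and the same change in the two list-example hunks `@@ -25,7 +25,19 @@` and `@@ -44,7 +56,19 @@` of GetIoTSecuritySolutionsSecurityAggregatedAlertList.json, which carry identical values. The enclosing example document starts before this hunk.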
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/examples/IoTSecuritySolutionsAnalytics/GetIoTSecuritySolutionsSecurityAggregatedAlertList.json
@@ -25,7 +25,19 @@
 "effectedResourceType": "IoT Device",
 "systemSource": "Devices",
 "actionTaken": "Detected",
- "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+ "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
+ "topDevicesList": [
+ {
+ "deviceId": "testDevice1",
+ "alertsCount": 45,
+ "lastOccurrence": "10:42"
+ },
+ {
+ "deviceId": "testDevice2",
+ "alertsCount": 30,
+ "lastOccurrence": "15:42"
+ }
+ ]
 }
 },
 {
@@ -44,7 +56,19 @@
 "effectedResourceType": "IoT Device",
 "systemSource": "Devices",
 "actionTaken": "Detected",
- "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties"
+ "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
+ "topDevicesList": [
+ {
+ "deviceId": "testDevice1",
+ "alertsCount": 12321,
+ "lastOccurrence": "10:42"
+ },
+ {
+ "deviceId": "testDevice2",
+ "alertsCount": 455,
+ "lastOccurrence": "15:42"
+ }
+ ]
 }
 }
 ]
diff --git a/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json b/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json
index 96f234b8a9bf..b583c5a4ec44 100644
--- a/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json
+++ b/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json
@@ -628,6 +628,30 @@
 "readOnly": true,
 "type": "string",
 "description": "Log analytics query for getting the list of affected devices/alerts."
+ },
+ "topDevicesList": {
+ "description": "10 devices with the highest number of occurrences of this alert type, on this day.",
+ "type": "array",
+ "readOnly": true,
+ "items": {
+ "properties": {
+ "deviceId": {
+ "readOnly": true,
+ "type": "string",
+ "description": "Name of the device."
+ },
+ "alertsCount": {
+ "readOnly": true,
+ "type": "integer",
+ "description": "Number of alerts raised for this device."
+ },
+ "lastOccurrence": {
+ "readOnly": true,
+ "type": "string",
+ "description": "Most recent time this alert was raised for this device, on this day."
+ }
+ }
+ }
 }
 }
 },
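Review bot: The `items` schema of the new `topDevicesList` array declares `properties` but no `"type": "object"`, so a schema validator accepts non-object elements such as a bare string or number; add `"type": "object",` directly before `"properties"`. `lastOccurrence` is described as a time but typed as an unconstrained `string`, which is exactly what lets the example files in this commit carry date-less `"10:42"` values — give it `"format": "date-time"` so the value must be an RFC 3339 timestamp with a zone. `alertsCount` as a bare `integer` leaves the width to each SDK generator; Azure specs conventionally pin it with `"format": "int32"` (or `"int64"` if counts can exceed 2^31-1). Since the description fixes the list at ten entries, `"maxItems": 10` on the array would make that contract checkable rather than prose only. The enclosing definition starts before this hunk.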