diff --git a/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json b/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json index fad32dcacd..ed1ee04c50 100644 --- a/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json +++ b/schemas/2021-03-01-preview/Microsoft.SecurityInsights.json 
@@ -5,6 +5,107 @@ "description": "Microsoft SecurityInsights Resource Types", "resourceDefinitions": {}, "extension_resourceDefinitions": { + "alertRules": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRule" + }, + { + "$ref": "#/definitions/FusionAlertRule" + }, + { + "$ref": "#/definitions/ThreatIntelligenceAlertRule" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRule" + }, + { + "$ref": "#/definitions/ScheduledAlertRule" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Alert rule ID" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/alertRules_actions_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules" + }, + "alertRules_actions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules/actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, "dataConnectors": { "type": "object", "oneOf": [ 
@@ -116,6 +217,148 @@ ], "description": "Microsoft.SecurityInsights/entityQueries" }, + "incidents": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes incident properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/incidents_comments_childResource" + }, + { + "$ref": "#/definitions/incidents_relations_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents" + }, + "incidents_comments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." 
+ }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, "metadata": { "type": "object", "properties": { @@ -485,6 +728,24 @@ ], "description": "AATP (Azure Advanced Threat Protection) data connector properties." }, + "ActionRequestProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}." + }, + "triggerUri": { + "type": "string", + "description": "Logic App Callback URL for this specific workflow." + } + }, + "required": [ + "logicAppResourceId", + "triggerUri" + ], + "description": "Action property bag." + }, "ActivityCustomEntityQuery": { "type": "object", "properties": { 
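Review bot: `triggerUri` in the new `ActionRequestProperties` definition is a bare `string` whose description ("Logic App Callback URL for this specific workflow") never says that a Logic App HTTP-trigger callback URL typically carries the workflow's SAS signature in its query string, so a template author who pastes it as a literal commits a bearer-style secret to source control. This schema is generated from the REST API spec, so the wording belongs upstream, but the description should read something like `"Logic App Callback URL for this specific workflow. The URL embeds a SAS signature; resolve it at deploy time with listCallbackUrl() instead of hard-coding it."`. For the same reason `logicAppResourceId` would benefit from a `"pattern"` anchored to `/subscriptions/.../providers/Microsoft.Logic/workflows/...`, the way `objectId` elsewhere in this diff is pinned to a GUID pattern, so a malformed or wrong-provider id fails at validation rather than at deployment.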
@@ -634,48 +895,113 @@ }, "description": "The Activity query definitions" }, - "AlertsDataTypeOfDataConnector": { + "AlertDetailsOverride": { "type": "object", "properties": { - "alerts": { - "oneOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Common field for data type in data connectors." + "alertDescriptionFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert description" + }, + "alertDisplayNameFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert name" + }, + "alertSeverityColumnName": { + "type": "string", + "description": "the column name to take the alert severity from" + }, + "alertTacticsColumnName": { + "type": "string", + "description": "the column name to take the alert tactics from" } }, - "required": [ - "alerts" - ], - "description": "Alerts data type for data connectors." + "description": "Settings for how to dynamically override alert static details" }, - "ASCDataConnector": { + "alertRules_actions_childResource": { "type": "object", "properties": { - "kind": { + "apiVersion": { "type": "string", "enum": [ - "AzureSecurityCenter" + "2021-03-01-preview" ] }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, "properties": { "oneOf": [ { - "$ref": "#/definitions/ASCDataConnectorProperties" + "$ref": "#/definitions/ActionRequestProperties" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "ASC (Azure Security Center) data connector properties." - } - }, - "required": [ + "description": "Action property bag." 
+ }, + "type": { + "type": "string", + "enum": [ + "actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "AlertsDataTypeOfDataConnector": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "required": [ + "alerts" + ], + "description": "Alerts data type for data connectors." + }, + "ASCDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureSecurityCenter" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ASCDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "ASC (Azure Security Center) data connector properties." + } + }, + "required": [ "kind" ], "description": "Represents ASC (Azure Security Center) data connector." 
@@ -1275,266 +1601,828 @@ "properties": {}, "description": "EntityAnalytics property bag." }, - "EyesOn": { + "EntityMapping": { "type": "object", "properties": { - "kind": { - "type": "string", - "enum": [ - "EyesOn" + "entityType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } ] }, - "properties": { + "fieldMappings": { "oneOf": [ { - "$ref": "#/definitions/EyesOnSettingsProperties" + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "EyesOn property bag." + "description": "array of field mappings for the given entity mapping" } }, - "required": [ - "kind" - ], - "description": "Settings with single toggle." - }, - "EyesOnSettingsProperties": { - "type": "object", - "properties": {}, - "description": "EyesOn property bag." + "description": "Single entity mapping for the alert rule" }, - "InstructionStepsInstructionsItem": { + "EventGroupingSettings": { "type": "object", "properties": { - "parameters": { - "type": "object", - "properties": {}, - "description": "The parameters for the setting" - }, - "type": { + "aggregationKind": { "oneOf": [ { "type": "string", "enum": [ - "CopyableLabel", - "InstructionStepsGroup", - "InfoMessage" + "SingleAlert", + "AlertPerResult" ] }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ], - "description": "The kind of the setting." + ] } }, - "required": [ - "type" - ] + "description": "Event grouping settings property bag." 
}, - "MCASDataConnector": { + "EyesOn": { "type": "object", "properties": { "kind": { "type": "string", "enum": [ - "MicrosoftCloudAppSecurity" + "EyesOn" ] }, "properties": { "oneOf": [ { - "$ref": "#/definitions/MCASDataConnectorProperties" + "$ref": "#/definitions/EyesOnSettingsProperties" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "MCAS (Microsoft Cloud App Security) data connector properties." + "description": "EyesOn property bag." } }, "required": [ "kind" ], - "description": "Represents MCAS (Microsoft Cloud App Security) data connector." + "description": "Settings with single toggle." }, - "MCASDataConnectorDataTypes": { + "EyesOnSettingsProperties": { "type": "object", - "properties": { - "alerts": { - "oneOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Common field for data type in data connectors." - }, - "discoveryLogs": { - "oneOf": [ - { - "$ref": "#/definitions/DataConnectorDataTypeCommon" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "Common field for data type in data connectors." - } - }, - "required": [ - "alerts" - ], - "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + "properties": {}, + "description": "EyesOn property bag." }, - "MCASDataConnectorProperties": { + "FieldMapping": { "type": "object", "properties": { - "dataTypes": { - "oneOf": [ - { - "$ref": "#/definitions/MCASDataConnectorDataTypes" - }, - { - "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" - } - ], - "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." 
+ "columnName": { + "type": "string", + "description": "the column name to be mapped to the identifier" }, - "tenantId": { + "identifier": { "type": "string", - "description": "The tenant id to connect to, and get the data from." + "description": "the V3 identifier of the entity" } }, - "required": [ - "dataTypes", - "tenantId" - ], - "description": "MCAS (Microsoft Cloud App Security) data connector properties." + "description": "A single field mapping of the mapped entity" }, - "MDATPDataConnector": { + "FusionAlertRule": { "type": "object", "properties": { "kind": { "type": "string", "enum": [ - "MicrosoftDefenderAdvancedThreatProtection" + "Fusion" ] }, "properties": { "oneOf": [ { - "$ref": "#/definitions/MDATPDataConnectorProperties" + "$ref": "#/definitions/FusionAlertRuleProperties" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + "description": "Fusion alert rule base property bag." } }, "required": [ "kind" ], - "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." + "description": "Represents Fusion alert rule." }, - "MDATPDataConnectorProperties": { + "FusionAlertRuleProperties": { "type": "object", "properties": { - "dataTypes": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { "oneOf": [ { - "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + "type": "boolean" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Alerts data type for data connectors." - }, - "tenantId": { - "type": "string", - "description": "The tenant id to connect to, and get the data from." + "description": "Determines whether this alert rule is enabled or disabled." 
} }, "required": [ - "tenantId" + "alertRuleTemplateName", + "enabled" ], - "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." - }, - "MetadataAuthor": { - "type": "object", - "properties": { - "email": { - "type": "string", - "description": "Email of author contact" - }, - "link": { - "type": "string", - "description": "Link for author/vendor page" - }, - "name": { - "type": "string", - "description": "Name of the author. Company or person." - } - }, - "description": "Publisher or creator of the content item." + "description": "Fusion alert rule base property bag." }, - "MetadataDependencies": { + "GroupingConfiguration": { "type": "object", "properties": { - "contentId": { - "type": "string", - "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name" - }, - "criteria": { + "enabled": { "oneOf": [ { - "type": "array", - "items": { - "type": "object" - } + "type": "boolean" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "This is the list of dependencies we must fulfill, according to the AND/OR operator" + "description": "Grouping enabled" }, - "kind": { + "groupByAlertDetails": { "oneOf": [ { - "type": "string", - "enum": [ - "dataConnector", - "dataType", - "workbook", - "workbookTemplate", - "playbook", - "playbookTemplate", - "analyticRuleTemplate", - "analyticRule", - "huntingQuery", - "investigationQuery", - "parser", - "watchlist", - "watchlistTemplate", - "solution" - ] + "type": "array", + "items": { + "type": "string", + "enum": [ + "DisplayName", + "Severity" + ] + } }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Type of the content item we depend on." 
+ "description": "A list of alert details to group by (when matchingMethod is Selected)" }, - "name": { - "type": "string", + "groupByCustomDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used." + }, + "groupByEntities": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used." + }, + "lookbackDuration": { + "type": "string", + "format": "duration", + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)" + }, + "matchingMethod": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty." 
+ }, + "reopenClosedIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Re-open closed matching incidents" + } + }, + "required": [ + "enabled", + "lookbackDuration", + "matchingMethod", + "reopenClosedIncident" + ], + "description": "Grouping configuration property bag." + }, + "IncidentCommentProperties": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "The comment message" + } + }, + "required": [ + "message" + ], + "description": "Incident comment property bag." + }, + "IncidentConfiguration": { + "type": "object", + "properties": { + "createIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Create incidents from alerts triggered by this analytics rule" + }, + "groupingConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/GroupingConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping configuration property bag." + } + }, + "required": [ + "createIncident" + ], + "description": "Incident Configuration property bag." + }, + "IncidentLabel": { + "type": "object", + "properties": { + "labelName": { + "type": "string", + "description": "The name of the label" + } + }, + "required": [ + "labelName" + ], + "description": "Represents an incident label" + }, + "IncidentOwnerInfo": { + "type": "object", + "properties": { + "assignedTo": { + "type": "string", + "description": "The name of the user the incident is assigned to." + }, + "email": { + "type": "string", + "description": "The email of the user the incident is assigned to." 
+ }, + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user the incident is assigned to." + }, + "userPrincipalName": { + "type": "string", + "description": "The user principal name of the user the incident is assigned to." + } + }, + "description": "Information on the user an incident is assigned to" + }, + "IncidentProperties": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The reason the incident was closed." + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed" + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The classification reason the incident was closed with." 
+ }, + "description": { + "type": "string", + "description": "The description of the incident" + }, + "firstActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the first activity in the incident" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this incident" + }, + "lastActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the last activity in the incident" + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "providerIncidentId": { + "type": "string", + "description": "The incident ID assigned by the incident provider" + }, + "providerName": { + "type": "string", + "description": "The name of the source provider that generated the incident" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The status of the incident." 
+ }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "required": [ + "severity", + "status", + "title" + ], + "description": "Describes incident properties" + }, + "incidents_comments_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-03-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." 
+ }, + "type": { + "type": "string", + "enum": [ + "relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "InstructionStepsInstructionsItem": { + "type": "object", + "properties": { + "parameters": { + "type": "object", + "properties": {}, + "description": "The parameters for the setting" + }, + "type": { + "oneOf": [ + { + "type": "string", + "enum": [ + "CopyableLabel", + "InstructionStepsGroup", + "InfoMessage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The kind of the setting." + } + }, + "required": [ + "type" + ] + }, + "MCASDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftCloudAppSecurity" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorDataTypes": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + }, + "discoveryLogs": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." 
+ } + }, + "required": [ + "alerts" + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "required": [ + "dataTypes", + "tenantId" + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + }, + "MDATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftDefenderAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MDATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." + }, + "MDATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." 
+ } + }, + "required": [ + "tenantId" + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + }, + "MetadataAuthor": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email of author contact" + }, + "link": { + "type": "string", + "description": "Link for author/vendor page" + }, + "name": { + "type": "string", + "description": "Name of the author. Company or person." + } + }, + "description": "Publisher or creator of the content item." + }, + "MetadataDependencies": { + "type": "object", + "properties": { + "contentId": { + "type": "string", + "description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name" + }, + "criteria": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/MetadataDependencies" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "This is the list of dependencies we must fulfill, according to the AND/OR operator" + }, + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "dataConnector", + "dataType", + "workbook", + "workbookTemplate", + "playbook", + "playbookTemplate", + "analyticRuleTemplate", + "analyticRule", + "huntingQuery", + "investigationQuery", + "parser", + "watchlist", + "watchlistTemplate", + "solution" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Type of the content item we depend on." + }, + "name": { + "type": "string", "description": "Name of the content item" }, "operator": { 
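Review bot: The `matchingMethod` description in the new `GroupingConfiguration` promises that with `Selected` at least one of `groupByEntities`, `groupByAlertDetails` or `groupByCustomDetails` is "provided and not empty", but nothing in the schema enforces it: all three arrays accept `[]` and `matchingMethod` is only an enum, so a misconfigured grouping block passes template validation and fails (or silently does nothing useful) at deployment. The part expressible without conditionals is `"minItems": 1` on each of the three array branches; the cross-property rule itself would need a `oneOf` keyed on `matchingMethod`, which the generator may not emit, in which case the limitation is worth stating in the description. In the same hunk, `IncidentOwnerInfo.email` and `userPrincipalName` could carry `"format": "email"`, with the caveat that `format` is advisory in most validators.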
@@ -1651,78 +2539,257 @@ "kind", "parentId" ], - "description": "Metadata property bag." + "description": "Metadata property bag." + }, + "MetadataSource": { + "type": "object", + "properties": { + "kind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "localWorkspace", + "community", + "solution", + "sourceRepository" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Source type of the content." + }, + "name": { + "type": "string", + "description": "Name of the content source. The repo name, solution name, LA workspace name etc." + }, + "sourceId": { + "type": "string", + "description": "ID of the content source. The solution ID, workspace ID, etc" + } + }, + "required": [ + "kind" + ], + "description": "The original source of the content item, where it comes from." + }, + "MetadataSupport": { + "type": "object", + "properties": { + "email": { + "type": "string", + "description": "Email of support contact" + }, + "link": { + "type": "string", + "description": "Link for support help, like to support page to open a ticket etc." + }, + "name": { + "type": "string", + "description": "Name of the support contact. Company or person." + }, + "tier": { + "oneOf": [ + { + "type": "string", + "enum": [ + "microsoft", + "developer", + "community" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Type of support for content item." + } + }, + "required": [ + "tier" + ], + "description": "Support information for the content item." 
+ }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftSecurityIncidentCreation" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule." + }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "displayNamesExcludeFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will not be generated" + }, + "displayNamesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will be generated" + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." 
+ }, + "productFilter": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT", + "Office 365 Advanced Threat Protection", + "Microsoft Defender Advanced Threat Protection" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The alerts' productName on which the cases will be generated." + }, + "severitiesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' severities on which the cases will be generated" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." }, - "MetadataSource": { + "MLBehaviorAnalyticsAlertRule": { "type": "object", "properties": { "kind": { + "type": "string", + "enum": [ + "MLBehaviorAnalytics" + ] + }, + "properties": { "oneOf": [ { - "type": "string", - "enum": [ - "localWorkspace", - "community", - "solution", - "sourceRepository" - ] + "$ref": "#/definitions/MLBehaviorAnalyticsAlertRuleProperties" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Source type of the content." - }, - "name": { - "type": "string", - "description": "Name of the content source. The repo name, solution name, LA workspace name etc." - }, - "sourceId": { - "type": "string", - "description": "ID of the content source. The solution ID, workspace ID, etc" + "description": "MLBehaviorAnalytics alert rule base property bag." 
} }, "required": [ "kind" ], - "description": "The original source of the content item, where it comes from." + "description": "Represents MLBehaviorAnalytics alert rule." }, - "MetadataSupport": { + "MLBehaviorAnalyticsAlertRuleProperties": { "type": "object", "properties": { - "email": { - "type": "string", - "description": "Email of support contact" - }, - "link": { - "type": "string", - "description": "Link for support help, like to support page to open a ticket etc." - }, - "name": { + "alertRuleTemplateName": { "type": "string", - "description": "Name of the support contact. Company or person." + "description": "The Name of the alert rule template used to create this rule." }, - "tier": { + "enabled": { "oneOf": [ { - "type": "string", - "enum": [ - "microsoft", - "developer", - "community" - ] + "type": "boolean" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Type of support for content item." + "description": "Determines whether this alert rule is enabled or disabled." } }, "required": [ - "tier" + "alertRuleTemplateName", + "enabled" ], - "description": "Support information for the content item." + "description": "MLBehaviorAnalytics alert rule base property bag." }, "MSTIDataConnector": { "type": "object", @@ -2283,6 +3350,19 @@ } } }, + "RelationProperties": { + "type": "object", + "properties": { + "relatedResourceId": { + "type": "string", + "description": "The resource ID of the related resource" + } + }, + "required": [ + "relatedResourceId" + ], + "description": "Relation property bag." + }, "Repository": { "type": "object", "properties": { 
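Review bot: `MetadataSupport.email` and `MetadataSupport.link` are declared as bare `"type": "string"` although their descriptions say they hold an e-mail address and a URL, so a validator cannot distinguish a contact address from any other text. The file's own idiom for typed strings is a `format` annotation (`"format": "duration"` and `"format": "date-time"` appear on other string properties in this diff), so I would add `"format": "email"` under `email` and `"format": "uri"` under `link`. Note that `format` is an annotation unless the consuming validator opts into assertion, so this mostly serves as documentation; `MetadataAuthor` in the preceding hunk, whose start is outside this view, appears to carry the same two fields and would want the same treatment. If this schema is generated from the REST API spec, the annotation belongs in the spec rather than here.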
@@ -2361,6 +3441,233 @@ }, "description": "Required permissions for the connector" }, + "ScheduledAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Scheduled" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Scheduled alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents scheduled alert rule." + }, + "ScheduledAlertRuleProperties": { + "type": "object", + "properties": { + "alertDetailsOverride": { + "oneOf": [ + { + "$ref": "#/definitions/AlertDetailsOverride" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings for how to dynamically override alert static details" + }, + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "customDetails": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of string key-value pairs of columns to be attached to the alert" + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." 
+ }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of entity mappings of the alert rule" + }, + "eventGroupingSettings": { + "oneOf": [ + { + "$ref": "#/definitions/EventGroupingSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Event grouping settings property bag." + }, + "incidentConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident Configuration property bag." + }, + "query": { + "type": "string", + "description": "The query that creates alerts for this rule." + }, + "queryFrequency": { + "type": "string", + "format": "duration", + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run." + }, + "queryPeriod": { + "type": "string", + "format": "duration", + "description": "The period (in ISO 8601 duration format) that this alert rule looks at." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity for alerts created by this alert rule." + }, + "suppressionDuration": { + "type": "string", + "format": "duration", + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered." 
+ }, + "suppressionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the suppression for this alert rule is enabled or disabled." + }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the alert rule" + }, + "triggerOperator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The threshold triggers this alert rule." + } + }, + "required": [ + "displayName", + "enabled", + "suppressionDuration", + "suppressionEnabled" + ], + "description": "Scheduled alert rule base property bag." + }, "SentinelOnboardingStateProperties": { "type": "object", "properties": { 
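Review bot: `queryFrequency`, `queryPeriod` and `suppressionDuration` in `ScheduledAlertRuleProperties` rely solely on `"format": "duration"`, and `format` is annotation-only by default, so most validators will accept any string there and a malformed interval is only caught at deployment time; adding a `pattern` next to the format makes the ISO 8601 constraint effective, for example `"pattern": "^P(?!$)(\\d+Y)?(\\d+M)?(\\d+W)?(\\d+D)?(T(?=\\d)(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$"` (constructed example, adjust to the service's accepted subset). Separately, the `required` list names `displayName`, `enabled`, `suppressionDuration` and `suppressionEnabled` but not `query`, `queryFrequency`, `queryPeriod`, `severity`, `triggerOperator` or `triggerThreshold`, so a Scheduled rule with no query validates; if that mirrors the REST spec it is fine, but a short `description` on the definition saying which fields the service actually rejects when absent would save template authors a failed deployment.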
@@ -2446,6 +3753,57 @@ ], "description": "Describes source control properties" }, + "ThreatIntelligenceAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "ThreatIntelligence" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat Intelligence alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents Threat Intelligence alert rule." + }, + "ThreatIntelligenceAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "Threat Intelligence alert rule base property bag." + }, "TIDataConnector": { "type": "object", "properties": { diff --git a/schemas/2021-04-01/Microsoft.SecurityInsights.json b/schemas/2021-04-01/Microsoft.SecurityInsights.json index ce56290105..203a32122f 100644 --- a/schemas/2021-04-01/Microsoft.SecurityInsights.json +++ b/schemas/2021-04-01/Microsoft.SecurityInsights.json 
@@ -146,6 +146,102 @@ "type" ], "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "watchlists": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-04-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist alias" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/watchlists_watchlistItems_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists" + }, + "watchlists_watchlistItems": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-04-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists/watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" } }, "definitions": { 
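Review bot: `watchlists_watchlistItems.name` is described as "The watchlist item id (GUID)" but is an unconstrained `"type": "string"`, and the same applies to `watchlistItemId`, `watchlistId` and `tenantId` in the next hunk (`@@ -428,6 +524,285 @@`), where `UserInfo.objectId` already shows the file's way to express this: a `oneOf` of `{ "type": "string", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" }` and the expression `$ref`. The expression branch is what keeps `[parameters('...')]` values valid, so any tightening of these fields must keep that second branch. The other resource `name` fields in this hunk are bare strings too, so leaving `name` alone may be a deliberate convention; the `...Id` properties are presumably server-assigned, in which case the pattern is mainly documentation of the expected shape.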
@@ -428,6 +524,285 @@ "relatedResourceId" ], "description": "Relation property bag." + }, + "UserInfo": { + "type": "object", + "properties": { + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user." + } + }, + "description": "User information that made some action" + }, + "WatchlistItemProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist item was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "entityMapping": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item entity mapping" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist item is deleted or not" + }, + "itemsKeyValue": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item" + }, + "tenantId": { + "type": "string", + "description": "The tenantId to which the watchlist item belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist item was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "watchlistItemId": { + 
"type": "string", + "description": "The id (a Guid) of the watchlist item" + }, + "watchlistItemType": { + "type": "string", + "description": "The type of the watchlist item" + } + }, + "required": [ + "itemsKeyValue" + ], + "description": "Describes watchlist item properties" + }, + "WatchlistProperties": { + "type": "object", + "properties": { + "contentType": { + "type": "string", + "description": "The content type of the raw content. For now, only text/csv is valid" + }, + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "defaultDuration": { + "type": "string", + "format": "duration", + "description": "The default duration of a watchlist (in ISO 8601 duration format)" + }, + "description": { + "type": "string", + "description": "A description of the watchlist" + }, + "displayName": { + "type": "string", + "description": "The display name of the watchlist" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist is deleted or not" + }, + "itemsSearchKey": { + "type": "string", + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address." 
+ }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this watchlist" + }, + "numberOfLinesToSkip": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of lines in a csv content to skip before the header" + }, + "provider": { + "type": "string", + "description": "The provider of the watchlist" + }, + "rawContent": { + "type": "string", + "description": "The raw content that represents to watchlist items to create. Example : This line will be skipped\nheader1,header2\nvalue1,value2" + }, + "source": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Local file", + "Remote storage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The source of the watchlist." + }, + "tenantId": { + "type": "string", + "description": "The tenantId where the watchlist belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "uploadStatus": { + "type": "string", + "description": "The status of the Watchlist upload : New, InProgress or Complete. 
**Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted" + }, + "watchlistAlias": { + "type": "string", + "description": "The alias of the watchlist" + }, + "watchlistId": { + "type": "string", + "description": "The id (a Guid) of the watchlist" + }, + "watchlistType": { + "type": "string", + "description": "The type of the watchlist" + } + }, + "required": [ + "displayName", + "itemsSearchKey", + "provider", + "source" + ], + "description": "Describes watchlist properties" + }, + "watchlists_watchlistItems_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-04-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" } } } \ No newline at end of file
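Review bot: `uploadStatus`'s description enumerates `New`, `InProgress` and `Complete`, and `contentType`'s says "only text/csv is valid", yet both are plain `"type": "string"` while the neighbouring `source` property shows the file's convention for a closed value set — a `oneOf` of a string `enum` and the expression `$ref`. For `contentType` that would be a first branch of `{ "type": "string", "enum": [ "text/csv" ] }` with the expression `$ref` as the second. `uploadStatus` looks server-reported and "For now" suggests the accepted content types may grow, so an enum trades forward compatibility for validation; if this file is generated from the REST spec, the constraint should be made upstream rather than patched here.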