diff --git a/schemas/2021-10-01/Microsoft.SecurityInsights.json b/schemas/2021-10-01/Microsoft.SecurityInsights.json
new file mode 100644
index 0000000000..5ff4365eea
--- /dev/null
+++ b/schemas/2021-10-01/Microsoft.SecurityInsights.json
@@ -0,0 +1,3514 @@ +{ + "id": "https://schema.management.azure.com/schemas/2021-10-01/Microsoft.SecurityInsights.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.SecurityInsights", + "description": "Microsoft SecurityInsights Resource Types", + "resourceDefinitions": {}, + "extension_resourceDefinitions": { + "alertRules": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRule" + }, + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRule" + }, + { + "$ref": "#/definitions/ScheduledAlertRule" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Alert rule ID" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/alertRules_actions_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules" + }, + "alertRules_actions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." 
+ }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/alertRules/actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "automationRules": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Automation rule ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Automation rule properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/automationRules" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/automationRules" + }, + "bookmarks": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Bookmark ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/BookmarkProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes bookmark properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/bookmarks" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/bookmarks" + }, + "dataConnectors": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/AADDataConnector" + }, + { + "$ref": "#/definitions/AATPDataConnector" + }, + { + "$ref": 
"#/definitions/ASCDataConnector" + }, + { + "$ref": "#/definitions/AwsCloudTrailDataConnector" + }, + { + "$ref": "#/definitions/MCASDataConnector" + }, + { + "$ref": "#/definitions/MDATPDataConnector" + }, + { + "$ref": "#/definitions/TIDataConnector" + }, + { + "$ref": "#/definitions/OfficeDataConnector" + } + ], + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Connector ID" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/dataConnectors" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.SecurityInsights/dataConnectors" + }, + "incidents": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes incident properties" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/incidents_comments_childResource" + }, + { + "$ref": "#/definitions/incidents_relations_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents" + }, + "incidents_comments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + 
"type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/incidents/relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "onboardingStates": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The Sentinel onboarding state name. 
Supports - default" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SentinelOnboardingStateProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Sentinel onboarding state properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/onboardingStates" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/onboardingStates" + }, + "threatIntelligence_indicators": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Threat intelligence indicator name field." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ThreatIntelligenceIndicatorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes threat intelligence entity properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/threatIntelligence/indicators" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/threatIntelligence/indicators" + }, + "watchlists": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist alias" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist properties" + }, + 
"resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/watchlists_watchlistItems_childResource" + } + ] + } + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists" + }, + "watchlists_watchlistItems": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.SecurityInsights/watchlists/watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + }, + "definitions": { + "AADDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureActiveDirectory" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AADDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AAD (Azure Active Directory) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents AAD (Azure Active Directory) data connector." 
+ }, + "AADDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "AAD (Azure Active Directory) data connector properties." + }, + "AATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "AATP (Azure Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents AATP (Azure Advanced Threat Protection) data connector." + }, + "AATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "AATP (Azure Advanced Threat Protection) data connector properties." + }, + "ActionRequestProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}." 
+ }, + "triggerUri": { + "type": "string", + "description": "Logic App Callback URL for this specific workflow." + } + }, + "required": [ + "logicAppResourceId", + "triggerUri" + ], + "description": "Action property bag." + }, + "AlertDetailsOverride": { + "type": "object", + "properties": { + "alertDescriptionFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert description" + }, + "alertDisplayNameFormat": { + "type": "string", + "description": "the format containing columns name(s) to override the alert name" + }, + "alertSeverityColumnName": { + "type": "string", + "description": "the column name to take the alert severity from" + }, + "alertTacticsColumnName": { + "type": "string", + "description": "the column name to take the alert tactics from" + } + }, + "description": "Settings for how to dynamically override alert static details" + }, + "alertRules_actions_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Action ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ActionRequestProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Action property bag." 
+ }, + "type": { + "type": "string", + "enum": [ + "actions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/alertRules/actions" + }, + "AlertsDataTypeOfDataConnector": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "description": "Alerts data type for data connectors." + }, + "ASCDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AzureSecurityCenter" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ASCDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "ASC (Azure Security Center) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents ASC (Azure Security Center) data connector." + }, + "ASCDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "subscriptionId": { + "type": "string", + "description": "The subscription id to connect to, and get the data from." + } + }, + "description": "ASC (Azure Security Center) data connector properties." 
+ }, + "AutomationRuleAction": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/AutomationRuleModifyPropertiesAction" + }, + { + "$ref": "#/definitions/AutomationRuleRunPlaybookAction" + } + ], + "properties": { + "order": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "required": [ + "order" + ], + "description": "Describes an automation rule action" + }, + "AutomationRuleCondition": { + "type": "object", + "oneOf": [ + { + "$ref": "#/definitions/PropertyConditionProperties" + } + ], + "properties": {}, + "description": "Describes an automation rule condition" + }, + "AutomationRuleModifyPropertiesAction": { + "type": "object", + "properties": { + "actionConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentPropertiesAction" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "actionType": { + "type": "string", + "enum": [ + "ModifyProperties" + ] + } + }, + "required": [ + "actionType" + ], + "description": "Describes an automation rule action to modify an object's properties." 
+ }, + "AutomationRuleProperties": { + "type": "object", + "properties": { + "actions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleAction" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The actions to execute when the automation rule is triggered" + }, + "displayName": { + "type": "string", + "maxLength": 500, + "description": "The display name of the automation rule" + }, + "order": { + "oneOf": [ + { + "type": "integer", + "minimum": 1, + "maximum": 1000 + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The order of execution of the automation rule" + }, + "triggeringLogic": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRuleTriggeringLogic" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes automation rule triggering logic" + } + }, + "required": [ + "actions", + "displayName", + "order", + "triggeringLogic" + ], + "description": "Automation rule properties" + }, + "AutomationRulePropertyValuesCondition": { + "type": "object", + "properties": { + "operator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Equals", + "NotEquals", + "Contains", + "NotContains", + "StartsWith", + "NotStartsWith", + "EndsWith", + "NotEndsWith" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "propertyName": { + "oneOf": [ + { + "type": "string", + "enum": [ + "IncidentTitle", + "IncidentDescription", + "IncidentSeverity", + "IncidentStatus", + "IncidentRelatedAnalyticRuleIds", + "IncidentTactics", + "IncidentLabel", + "IncidentProviderName", + "AccountAadTenantId", + "AccountAadUserId", + "AccountName", + "AccountNTDomain", + "AccountPUID", + "AccountSid", + 
"AccountObjectGuid", + "AccountUPNSuffix", + "AlertProductNames", + "AzureResourceResourceId", + "AzureResourceSubscriptionId", + "CloudApplicationAppId", + "CloudApplicationAppName", + "DNSDomainName", + "FileDirectory", + "FileName", + "FileHashValue", + "HostAzureID", + "HostName", + "HostNetBiosName", + "HostNTDomain", + "HostOSVersion", + "IoTDeviceId", + "IoTDeviceName", + "IoTDeviceType", + "IoTDeviceVendor", + "IoTDeviceModel", + "IoTDeviceOperatingSystem", + "IPAddress", + "MailboxDisplayName", + "MailboxPrimaryAddress", + "MailboxUPN", + "MailMessageDeliveryAction", + "MailMessageDeliveryLocation", + "MailMessageRecipient", + "MailMessageSenderIP", + "MailMessageSubject", + "MailMessageP1Sender", + "MailMessageP2Sender", + "MalwareCategory", + "MalwareName", + "ProcessCommandLine", + "ProcessId", + "RegistryKey", + "RegistryValueData", + "Url" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "propertyValues": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + } + }, + "AutomationRuleRunPlaybookAction": { + "type": "object", + "properties": { + "actionConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/PlaybookActionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "actionType": { + "type": "string", + "enum": [ + "RunPlaybook" + ] + } + }, + "required": [ + "actionType" + ], + "description": "Describes an automation rule action to run a playbook" + }, + "AutomationRuleTriggeringLogic": { + "type": "object", + "properties": { + "conditions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AutomationRuleCondition" + } + }, + { + "$ref": 
"https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object" + }, + "expirationTimeUtc": { + "type": "string", + "format": "date-time", + "description": "Determines when the automation rule should automatically expire and be disabled." + }, + "isEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the automation rule is enabled or disabled" + }, + "triggersOn": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Incidents" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "triggersWhen": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Created" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "required": [ + "isEnabled", + "triggersOn", + "triggersWhen" + ], + "description": "Describes automation rule triggering logic" + }, + "AwsCloudTrailDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "AmazonWebServicesCloudTrail" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Amazon Web Services CloudTrail data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents Amazon Web Services CloudTrail data connector." 
+ }, + "AwsCloudTrailDataConnectorDataTypes": { + "type": "object", + "properties": { + "logs": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypesLogs" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Logs data type." + } + }, + "description": "The available data types for Amazon Web Services CloudTrail data connector." + }, + "AwsCloudTrailDataConnectorDataTypesLogs": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Logs data type." + }, + "AwsCloudTrailDataConnectorProperties": { + "type": "object", + "properties": { + "awsRoleArn": { + "type": "string", + "description": "The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account." + }, + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AwsCloudTrailDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for Amazon Web Services CloudTrail data connector." + } + }, + "description": "Amazon Web Services CloudTrail data connector properties." 
+ }, + "BookmarkProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the bookmark was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "displayName": { + "type": "string", + "description": "The display name of the bookmark" + }, + "eventTime": { + "type": "string", + "format": "date-time", + "description": "The bookmark event time" + }, + "incidentInfo": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes related incident information for the bookmark" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this bookmark" + }, + "notes": { + "type": "string", + "description": "The notes of the bookmark" + }, + "query": { + "type": "string", + "description": "The query of the bookmark." + }, + "queryEndTime": { + "type": "string", + "format": "date-time", + "description": "The end time for the query" + }, + "queryResult": { + "type": "string", + "description": "The query result of the bookmark." 
+ }, + "queryStartTime": { + "type": "string", + "format": "date-time", + "description": "The start time for the query" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the bookmark was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + } + }, + "required": [ + "displayName", + "query" + ], + "description": "Describes bookmark properties" + }, + "DataConnectorDataTypeCommon": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Common field for data type in data connectors." 
+ }, + "EntityMapping": { + "type": "object", + "properties": { + "entityType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "fieldMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/FieldMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "array of field mappings for the given entity mapping" + } + }, + "description": "Single entity mapping for the alert rule" + }, + "EventGroupingSettings": { + "type": "object", + "properties": { + "aggregationKind": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SingleAlert", + "AlertPerResult" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "description": "Event grouping settings property bag." + }, + "FieldMapping": { + "type": "object", + "properties": { + "columnName": { + "type": "string", + "description": "the column name to be mapped to the identifier" + }, + "identifier": { + "type": "string", + "description": "the V3 identifier of the entity" + } + }, + "description": "A single field mapping of the mapped entity" + }, + "FusionAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Fusion" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/FusionAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Fusion alert rule base property bag." 
+ } + }, + "required": [ + "kind" + ], + "description": "Represents Fusion alert rule." + }, + "FusionAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + } + }, + "required": [ + "alertRuleTemplateName", + "enabled" + ], + "description": "Fusion alert rule base property bag." + }, + "GroupingConfiguration": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping enabled" + }, + "groupByAlertDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "DisplayName", + "Severity" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of alert details to group by (when matchingMethod is Selected)" + }, + "groupByCustomDetails": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used." 
+ }, + "groupByEntities": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "Account", + "Host", + "IP", + "Malware", + "File", + "Process", + "CloudApplication", + "DNS", + "AzureResource", + "FileHash", + "RegistryKey", + "RegistryValue", + "SecurityGroup", + "URL", + "Mailbox", + "MailCluster", + "MailMessage", + "SubmissionMail" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used." + }, + "lookbackDuration": { + "type": "string", + "format": "duration", + "description": "Limit the group to alerts created within the lookback duration (in ISO 8601 duration format)" + }, + "matchingMethod": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AllEntities", + "AnyAlert", + "Selected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty." + }, + "reopenClosedIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Re-open closed matching incidents" + } + }, + "required": [ + "enabled", + "lookbackDuration", + "matchingMethod", + "reopenClosedIncident" + ], + "description": "Grouping configuration property bag." + }, + "IncidentCommentProperties": { + "type": "object", + "properties": { + "message": { + "type": "string", + "description": "The comment message" + } + }, + "required": [ + "message" + ], + "description": "Incident comment property bag." 
+ }, + "IncidentConfiguration": { + "type": "object", + "properties": { + "createIncident": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Create incidents from alerts triggered by this analytics rule" + }, + "groupingConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/GroupingConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Grouping configuration property bag." + } + }, + "required": [ + "createIncident" + ], + "description": "Incident Configuration property bag." + }, + "IncidentInfo": { + "type": "object", + "properties": { + "incidentId": { + "type": "string", + "description": "Incident Id" + }, + "relationName": { + "type": "string", + "description": "Relation Name" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." 
+ }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "description": "Describes related incident information for the bookmark" + }, + "IncidentLabel": { + "type": "object", + "properties": { + "labelName": { + "type": "string", + "description": "The name of the label" + }, + "labelType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "User", + "AutoAssigned" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + } + }, + "required": [ + "labelName" + ], + "description": "Represents an incident label" + }, + "IncidentOwnerInfo": { + "type": "object", + "properties": { + "assignedTo": { + "type": "string", + "description": "The name of the user the incident is assigned to." + }, + "email": { + "type": "string", + "description": "The email of the user the incident is assigned to." + }, + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user the incident is assigned to." + }, + "userPrincipalName": { + "type": "string", + "description": "The user principal name of the user the incident is assigned to." + } + }, + "description": "Information on the user an incident is assigned to" + }, + "IncidentOwnerInfoModel": { + "type": "object", + "properties": { + "assignedTo": { + "type": "string", + "description": "The name of the user the incident is assigned to." + }, + "email": { + "type": "string", + "description": "The email of the user the incident is assigned to." 
+ }, + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user the incident is assigned to." + }, + "ownerType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Unknown", + "User", + "Group" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The type of the owner the incident is assigned to." + }, + "userPrincipalName": { + "type": "string", + "description": "The user principal name of the user the incident is assigned to." + } + }, + "description": "Information on the user an incident is assigned to" + }, + "IncidentProperties": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The reason the incident was closed." + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed" + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The classification reason the incident was closed with." 
+ }, + "description": { + "type": "string", + "description": "The description of the incident" + }, + "firstActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the first activity in the incident" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this incident" + }, + "lastActivityTimeUtc": { + "type": "string", + "format": "date-time", + "description": "The time of the last activity in the incident" + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity of the incident." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The status of the incident." 
+ }, + "title": { + "type": "string", + "description": "The title of the incident" + } + }, + "required": [ + "severity", + "status", + "title" + ], + "description": "Describes incident properties" + }, + "IncidentPropertiesAction": { + "type": "object", + "properties": { + "classification": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Undetermined", + "TruePositive", + "BenignPositive", + "FalsePositive" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "classificationComment": { + "type": "string", + "description": "Describes the reason the incident was closed" + }, + "classificationReason": { + "oneOf": [ + { + "type": "string", + "enum": [ + "SuspiciousActivity", + "SuspiciousButExpected", + "IncorrectAlertLogic", + "InaccurateData" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IncidentLabel" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels to add to the incident" + }, + "owner": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentOwnerInfoModel" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Information on the user an incident is assigned to" + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "New", + "Active", + "Closed" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] 
+ } + } + }, + "incidents_comments_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Incident comment ID" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentCommentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident comment property bag." + }, + "type": { + "type": "string", + "enum": [ + "comments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/comments" + }, + "incidents_relations_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "Relation Name" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RelationProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Relation property bag." 
+ }, + "type": { + "type": "string", + "enum": [ + "relations" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/incidents/relations" + }, + "MCASDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftCloudAppSecurity" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorDataTypes": { + "type": "object", + "properties": { + "alerts": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + }, + "discoveryLogs": { + "oneOf": [ + { + "$ref": "#/definitions/DataConnectorDataTypeCommon" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Common field for data type in data connectors." + } + }, + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." + }, + "MCASDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/MCASDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for MCAS (Microsoft Cloud App Security) data connector." 
+ }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "MCAS (Microsoft Cloud App Security) data connector properties." + }, + "MDATPDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftDefenderAdvancedThreatProtection" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MDATPDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." + }, + "MDATPDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/AlertsDataTypeOfDataConnector" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Alerts data type for data connectors." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "MDATP (Microsoft Defender Advanced Threat Protection) data connector properties." + }, + "MicrosoftSecurityIncidentCreationAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "MicrosoftSecurityIncidentCreation" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/MicrosoftSecurityIncidentCreationAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents MicrosoftSecurityIncidentCreation rule." 
+ }, + "MicrosoftSecurityIncidentCreationAlertRuleProperties": { + "type": "object", + "properties": { + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "displayNamesExcludeFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will not be generated" + }, + "displayNamesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' displayNames on which the cases will be generated" + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "productFilter": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Microsoft Cloud App Security", + "Azure Security Center", + "Azure Advanced Threat Protection", + "Azure Active Directory Identity Protection", + "Azure Security Center for IoT" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The alerts' productName on which the cases will be generated." 
+ }, + "severitiesFilter": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "the alerts' severities on which the cases will be generated" + } + }, + "required": [ + "displayName", + "enabled", + "productFilter" + ], + "description": "MicrosoftSecurityIncidentCreation rule property bag." + }, + "OfficeDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Office365" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Office data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents office data connector." + }, + "OfficeDataConnectorDataTypes": { + "type": "object", + "properties": { + "exchange": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesExchange" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Exchange data type connection." + }, + "sharePoint": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesSharePoint" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SharePoint data type connection." + }, + "teams": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypesTeams" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Teams data type connection." + } + }, + "description": "The available data types for office data connector." 
+ }, + "OfficeDataConnectorDataTypesExchange": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Exchange data type connection." + }, + "OfficeDataConnectorDataTypesSharePoint": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "SharePoint data type connection." + }, + "OfficeDataConnectorDataTypesTeams": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Teams data type connection." + }, + "OfficeDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/OfficeDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for office data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + } + }, + "description": "Office data connector properties." 
+ }, + "PlaybookActionProperties": { + "type": "object", + "properties": { + "logicAppResourceId": { + "type": "string", + "description": "The resource id of the playbook resource" + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tenant id of the playbook resource" + } + }, + "required": [ + "logicAppResourceId" + ] + }, + "PropertyConditionProperties": { + "type": "object", + "properties": { + "conditionProperties": { + "oneOf": [ + { + "$ref": "#/definitions/AutomationRulePropertyValuesCondition" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "conditionType": { + "type": "string", + "enum": [ + "Property" + ] + } + }, + "required": [ + "conditionType" + ], + "description": "Describes an automation rule condition that evaluates a property's value" + }, + "RelationProperties": { + "type": "object", + "properties": { + "relatedResourceId": { + "type": "string", + "description": "The resource ID of the related resource" + } + }, + "required": [ + "relatedResourceId" + ], + "description": "Relation property bag." + }, + "ScheduledAlertRule": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "Scheduled" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ScheduledAlertRuleProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Scheduled alert rule base property bag." + } + }, + "required": [ + "kind" + ], + "description": "Represents scheduled alert rule." 
+ }, + "ScheduledAlertRuleProperties": { + "type": "object", + "properties": { + "alertDetailsOverride": { + "oneOf": [ + { + "$ref": "#/definitions/AlertDetailsOverride" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings for how to dynamically override alert static details" + }, + "alertRuleTemplateName": { + "type": "string", + "description": "The Name of the alert rule template used to create this rule." + }, + "customDetails": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Dictionary of string key-value pairs of columns to be attached to the alert" + }, + "description": { + "type": "string", + "description": "The description of the alert rule." + }, + "displayName": { + "type": "string", + "description": "The display name for alerts created by this alert rule." + }, + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether this alert rule is enabled or disabled." + }, + "entityMappings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/EntityMapping" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of entity mappings of the alert rule" + }, + "eventGroupingSettings": { + "oneOf": [ + { + "$ref": "#/definitions/EventGroupingSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Event grouping settings property bag." 
+ }, + "incidentConfiguration": { + "oneOf": [ + { + "$ref": "#/definitions/IncidentConfiguration" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Incident Configuration property bag." + }, + "query": { + "type": "string", + "description": "The query that creates alerts for this rule." + }, + "queryFrequency": { + "type": "string", + "format": "duration", + "description": "The frequency (in ISO 8601 duration format) for this alert rule to run." + }, + "queryPeriod": { + "type": "string", + "format": "duration", + "description": "The period (in ISO 8601 duration format) that this alert rule looks at." + }, + "severity": { + "oneOf": [ + { + "type": "string", + "enum": [ + "High", + "Medium", + "Low", + "Informational" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The severity for alerts created by this alert rule." + }, + "suppressionDuration": { + "type": "string", + "format": "duration", + "description": "The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered." + }, + "suppressionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the suppression for this alert rule is enabled or disabled." 
+ }, + "tactics": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "InitialAccess", + "Execution", + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion", + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration", + "CommandAndControl", + "Impact", + "PreAttack" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tactics of the alert rule" + }, + "triggerOperator": { + "oneOf": [ + { + "type": "string", + "enum": [ + "GreaterThan", + "LessThan", + "Equal", + "NotEqual" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The operation against the threshold that triggers alert rule." + }, + "triggerThreshold": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The threshold triggers this alert rule." + } + }, + "required": [ + "displayName", + "enabled", + "suppressionDuration", + "suppressionEnabled" + ], + "description": "Scheduled alert rule base property bag." 
+ }, + "SentinelOnboardingStateProperties": { + "type": "object", + "properties": { + "customerManagedKey": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag that indicates the status of the CMK setting" + } + }, + "description": "The Sentinel onboarding state properties" + }, + "ThreatIntelligenceExternalReference": { + "type": "object", + "properties": { + "description": { + "type": "string", + "description": "External reference description" + }, + "externalId": { + "type": "string", + "description": "External reference ID" + }, + "hashes": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External reference hashes" + }, + "sourceName": { + "type": "string", + "description": "External reference source name" + }, + "url": { + "type": "string", + "description": "External reference URL" + } + }, + "description": "Describes external reference" + }, + "ThreatIntelligenceGranularMarkingModel": { + "type": "object", + "properties": { + "language": { + "type": "string", + "description": "Language granular marking model" + }, + "markingRef": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "marking reference granular marking model" + }, + "selectors": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "granular marking model selectors" + } + }, + "description": "Describes threat granular marking model entity" + }, + "ThreatIntelligenceIndicatorProperties": { 
+ "type": "object", + "properties": { + "confidence": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Confidence of threat intelligence entity" + }, + "created": { + "type": "string", + "description": "Created by" + }, + "createdByRef": { + "type": "string", + "description": "Created by reference of threat intelligence entity" + }, + "defanged": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity defanged" + }, + "description": { + "type": "string", + "description": "Description of a threat intelligence entity" + }, + "displayName": { + "type": "string", + "description": "Display name of a threat intelligence entity" + }, + "extensions": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "object", + "properties": {} + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Extensions map" + }, + "externalId": { + "type": "string", + "description": "External ID of threat intelligence entity" + }, + "externalLastUpdatedTimeUtc": { + "type": "string", + "description": "External last updated time in UTC" + }, + "externalReferences": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceExternalReference" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "External References" + }, + "granularMarkings": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel" + } + }, + { + "$ref": 
"https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Granular Markings" + }, + "indicatorTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicator types of threat intelligence entities" + }, + "killChainPhases": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceKillChainPhase" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Kill chain phases" + }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Labels of threat intelligence entity" + }, + "language": { + "type": "string", + "description": "Language of threat intelligence entity" + }, + "lastUpdatedTimeUtc": { + "type": "string", + "description": "Last updated time in UTC" + }, + "modified": { + "type": "string", + "description": "Modified by" + }, + "objectMarkingRefs": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat intelligence entity object marking references" + }, + "parsedPattern": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPattern" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Parsed patterns" + }, + "pattern": { + "type": "string", + "description": "Pattern of a threat intelligence entity" + }, + "patternType": { + "type": "string", + 
"description": "Pattern type of a threat intelligence entity" + }, + "patternVersion": { + "type": "string", + "description": "Pattern version of a threat intelligence entity" + }, + "revoked": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Is threat intelligence entity revoked" + }, + "source": { + "type": "string", + "description": "Source of a threat intelligence entity" + }, + "threatIntelligenceTags": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of tags" + }, + "threatTypes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Threat types" + }, + "validFrom": { + "type": "string", + "description": "Valid from" + }, + "validUntil": { + "type": "string", + "description": "Valid until" + } + }, + "description": "Describes threat intelligence entity properties" + }, + "ThreatIntelligenceKillChainPhase": { + "type": "object", + "properties": { + "killChainName": { + "type": "string", + "description": "Kill chainName name" + }, + "phaseName": { + "type": "string", + "description": "Phase name" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "ThreatIntelligenceParsedPattern": { + "type": "object", + "properties": { + "patternTypeKey": { + "type": "string", + "description": "Pattern type key" + }, + "patternTypeValues": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": 
"Pattern type keys" + } + }, + "description": "Describes parsed pattern entity" + }, + "ThreatIntelligenceParsedPatternTypeValue": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Value of parsed pattern" + }, + "valueType": { + "type": "string", + "description": "Type of the value" + } + }, + "description": "Describes threat kill chain phase entity" + }, + "TIDataConnector": { + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": [ + "ThreatIntelligence" + ] + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "TI (Threat Intelligence) data connector properties." + } + }, + "required": [ + "kind" + ], + "description": "Represents threat intelligence data connector." + }, + "TIDataConnectorDataTypes": { + "type": "object", + "properties": { + "indicators": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorDataTypesIndicators" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Data type for indicators connection." + } + }, + "description": "The available data types for TI (Threat Intelligence) data connector." + }, + "TIDataConnectorDataTypesIndicators": { + "type": "object", + "properties": { + "state": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Enabled", + "Disabled" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describe whether this data type connection is enabled or not." + } + }, + "description": "Data type for indicators connection." 
+ }, + "TIDataConnectorProperties": { + "type": "object", + "properties": { + "dataTypes": { + "oneOf": [ + { + "$ref": "#/definitions/TIDataConnectorDataTypes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The available data types for TI (Threat Intelligence) data connector." + }, + "tenantId": { + "type": "string", + "description": "The tenant id to connect to, and get the data from." + }, + "tipLookbackPeriod": { + "type": "string", + "format": "date-time", + "description": "The lookback period for the feed to be imported." + } + }, + "description": "TI (Threat Intelligence) data connector properties." + }, + "UserInfo": { + "type": "object", + "properties": { + "objectId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The object id of the user." 
+ } + }, + "description": "User information that made some action" + }, + "WatchlistItemProperties": { + "type": "object", + "properties": { + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist item was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "entityMapping": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item entity mapping" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist item is deleted or not" + }, + "itemsKeyValue": { + "type": "object", + "properties": {}, + "description": "key-value pairs for a watchlist item" + }, + "tenantId": { + "type": "string", + "description": "The tenantId to which the watchlist item belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist item was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "watchlistItemId": { + "type": "string", + "description": "The id (a Guid) of the watchlist item" + }, + "watchlistItemType": { + "type": "string", + "description": "The type of the watchlist item" + } + }, + "required": [ + "itemsKeyValue" + ], + "description": "Describes watchlist item properties" + }, + "WatchlistProperties": { + "type": "object", + "properties": { + "contentType": { + "type": "string", + "description": "The content type of the raw 
content. For now, only text/csv is valid" + }, + "created": { + "type": "string", + "format": "date-time", + "description": "The time the watchlist was created" + }, + "createdBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "defaultDuration": { + "type": "string", + "format": "duration", + "description": "The default duration of a watchlist (in ISO 8601 duration format)" + }, + "description": { + "type": "string", + "description": "A description of the watchlist" + }, + "displayName": { + "type": "string", + "description": "The display name of the watchlist" + }, + "isDeleted": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A flag that indicates if the watchlist is deleted or not" + }, + "itemsSearchKey": { + "type": "string", + "description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address." 
+ }, + "labels": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "List of labels relevant to this watchlist" + }, + "numberOfLinesToSkip": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of lines in a csv content to skip before the header" + }, + "provider": { + "type": "string", + "description": "The provider of the watchlist" + }, + "rawContent": { + "type": "string", + "description": "The raw content that represents to watchlist items to create. Example : This line will be skipped\nheader1,header2\nvalue1,value2" + }, + "source": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Local file", + "Remote storage" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The source of the watchlist." + }, + "tenantId": { + "type": "string", + "description": "The tenantId where the watchlist belongs to" + }, + "updated": { + "type": "string", + "format": "date-time", + "description": "The last time the watchlist was updated" + }, + "updatedBy": { + "oneOf": [ + { + "$ref": "#/definitions/UserInfo" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "User information that made some action" + }, + "uploadStatus": { + "type": "string", + "description": "The status of the Watchlist upload : New, InProgress or Complete. 
**Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted" + }, + "watchlistAlias": { + "type": "string", + "description": "The alias of the watchlist" + }, + "watchlistId": { + "type": "string", + "description": "The id (a Guid) of the watchlist" + }, + "watchlistType": { + "type": "string", + "description": "The type of the watchlist" + } + }, + "required": [ + "displayName", + "itemsSearchKey", + "provider", + "source" + ], + "description": "Describes watchlist properties" + }, + "watchlists_watchlistItems_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2021-10-01" + ] + }, + "etag": { + "type": "string", + "description": "Etag of the azure resource" + }, + "name": { + "type": "string", + "description": "The watchlist item id (GUID)" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/WatchlistItemProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Describes watchlist item properties" + }, + "type": { + "type": "string", + "enum": [ + "watchlistItems" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.SecurityInsights/watchlists/watchlistItems" + } + } +} \ No newline at end of file