Azure
/
azure-resource-manager-schemas
зеркало из https://github.com/Azure/azure-resource-manager-schemas.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
azure-resource-manager-schemas/schemas/2022-10-01-preview/Microsoft.SecurityInsights....

3732 строки
107 KiB
JSON
Исходник Постоянная ссылка Ответственный История

{
"id": "https://schema.management.azure.com/schemas/2022-10-01-preview/Microsoft.SecurityInsights.json#",
"title": "Microsoft.SecurityInsights",
"description": "Microsoft SecurityInsights Resource Types",
"$schema": "http://json-schema.org/draft-04/schema#",
"extension_resourceDefinitions": {
"alertRules": {
"description": "Microsoft.SecurityInsights/alertRules",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Alert rule ID",
"type": "string"
},
"resources": {
"items": {
"oneOf": [
{
"$ref": "#/definitions/alertRules_actions_childResource"
}
]
},
"type": "array"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/alertRules"
],
"type": "string"
}
},
"required": [
"name",
"apiVersion",
"type"
],
"type": "object"
},
"alertRules_actions": {
"description": "Microsoft.SecurityInsights/alertRules/actions",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Action ID",
"type": "string"
},
"properties": {
"description": "Action properties for put request",
"oneOf": [
{
"$ref": "#/definitions/ActionRequestProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/alertRules/actions"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"automationRules": {
"description": "Microsoft.SecurityInsights/automationRules",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Automation rule ID",
"type": "string"
},
"properties": {
"description": "Automation rule properties",
"oneOf": [
{
"$ref": "#/definitions/AutomationRuleProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/automationRules"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"bookmarks": {
"description": "Microsoft.SecurityInsights/bookmarks",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Bookmark ID",
"type": "string"
},
"properties": {
"description": "Bookmark properties",
"oneOf": [
{
"$ref": "#/definitions/BookmarkProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"resources": {
"items": {
"oneOf": [
{
"$ref": "#/definitions/bookmarks_relations_childResource"
}
]
},
"type": "array"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/bookmarks"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"bookmarks_relations": {
"description": "Microsoft.SecurityInsights/bookmarks/relations",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Relation Name",
"type": "string"
},
"properties": {
"description": "Relation properties",
"oneOf": [
{
"$ref": "#/definitions/RelationProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/bookmarks/relations"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"dataConnectors": {
"description": "Microsoft.SecurityInsights/dataConnectors",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Connector ID",
"type": "string"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/dataConnectors"
],
"type": "string"
}
},
"required": [
"name",
"apiVersion",
"type"
],
"type": "object"
},
"entityQueries": {
"description": "Microsoft.SecurityInsights/entityQueries",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "entity query ID",
"type": "string"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/entityQueries"
],
"type": "string"
}
},
"required": [
"name",
"apiVersion",
"type"
],
"type": "object"
},
"fileImports": {
"description": "Microsoft.SecurityInsights/fileImports",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"name": {
"description": "File import ID",
"type": "string"
},
"properties": {
"description": "File import properties",
"oneOf": [
{
"$ref": "#/definitions/FileImportProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/fileImports"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"incidents": {
"description": "Microsoft.SecurityInsights/incidents",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Incident ID",
"type": "string"
},
"properties": {
"description": "Incident properties",
"oneOf": [
{
"$ref": "#/definitions/IncidentProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"resources": {
"items": {
"oneOf": [
{
"$ref": "#/definitions/incidents_comments_childResource"
},
{
"$ref": "#/definitions/incidents_relations_childResource"
}
]
},
"type": "array"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/incidents"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"incidents_comments": {
"description": "Microsoft.SecurityInsights/incidents/comments",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Incident comment ID",
"type": "string"
},
"properties": {
"description": "Incident comment properties",
"oneOf": [
{
"$ref": "#/definitions/IncidentCommentProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/incidents/comments"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"incidents_relations": {
"description": "Microsoft.SecurityInsights/incidents/relations",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Relation Name",
"type": "string"
},
"properties": {
"description": "Relation properties",
"oneOf": [
{
"$ref": "#/definitions/RelationProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/incidents/relations"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"metadata": {
"description": "Microsoft.SecurityInsights/metadata",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "The Metadata name.",
"type": "string"
},
"properties": {
"description": "Metadata properties",
"oneOf": [
{
"$ref": "#/definitions/MetadataProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/metadata"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"onboardingStates": {
"description": "Microsoft.SecurityInsights/onboardingStates",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "The Sentinel onboarding state name. Supports - default",
"type": "string"
},
"properties": {
"description": "The Sentinel onboarding state object",
"oneOf": [
{
"$ref": "#/definitions/SentinelOnboardingStateProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/onboardingStates"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"securityMLAnalyticsSettings": {
"description": "Microsoft.SecurityInsights/securityMLAnalyticsSettings",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Security ML Analytics Settings resource name",
"type": "string"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/securityMLAnalyticsSettings"
],
"type": "string"
}
},
"required": [
"name",
"apiVersion",
"type"
],
"type": "object"
},
"settings": {
"description": "Microsoft.SecurityInsights/settings",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba",
"type": "string"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/settings"
],
"type": "string"
}
},
"required": [
"name",
"apiVersion",
"type"
],
"type": "object"
},
"sourcecontrols": {
"description": "Microsoft.SecurityInsights/sourcecontrols",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Source control Id",
"type": "string"
},
"properties": {
"description": "source control properties",
"oneOf": [
{
"$ref": "#/definitions/SourceControlProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/sourcecontrols"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"threatIntelligence_indicators": {
"description": "Microsoft.SecurityInsights/threatIntelligence/indicators",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"kind": {
"description": "The kind of the entity.",
"oneOf": [
{
"enum": [
"indicator"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"name": {
"description": "Threat intelligence indicator name field.",
"type": "string"
},
"properties": {
"description": "Threat Intelligence Entity properties",
"oneOf": [
{
"$ref": "#/definitions/ThreatIntelligenceIndicatorProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/threatIntelligence/indicators"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"watchlists": {
"description": "Microsoft.SecurityInsights/watchlists",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Watchlist Alias",
"type": "string"
},
"properties": {
"description": "Watchlist properties",
"oneOf": [
{
"$ref": "#/definitions/WatchlistProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"resources": {
"items": {
"oneOf": [
{
"$ref": "#/definitions/watchlists_watchlistItems_childResource"
}
]
},
"type": "array"
},
"type": {
"enum": [
"Microsoft.SecurityInsights/watchlists"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"watchlists_watchlistItems": {
"description": "Microsoft.SecurityInsights/watchlists/watchlistItems",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Watchlist Item Id (GUID)",
"type": "string"
},
"properties": {
"description": "Watchlist Item properties",
"oneOf": [
{
"$ref": "#/definitions/WatchlistItemProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"Microsoft.SecurityInsights/watchlists/watchlistItems"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
}
},
"definitions": {
"ActionRequestProperties": {
"description": "Action property bag.",
"properties": {
"logicAppResourceId": {
"description": "Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.",
"type": "string"
},
"triggerUri": {
"description": "Logic App Callback URL for this specific workflow.",
"type": "string"
}
},
"required": [
"triggerUri",
"logicAppResourceId"
],
"type": "object"
},
"AutomationRuleAction": {
"description": "Describes an automation rule action.",
"oneOf": [
{
"description": "Describes an automation rule action to modify an object's properties",
"properties": {
"actionConfiguration": {
"oneOf": [
{
"$ref": "#/definitions/IncidentPropertiesAction"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"actionType": {
"enum": [
"ModifyProperties"
],
"type": "string"
}
},
"required": [
"actionType"
],
"type": "object"
},
{
"description": "Describes an automation rule action to run a playbook",
"properties": {
"actionConfiguration": {
"oneOf": [
{
"$ref": "#/definitions/PlaybookActionProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"actionType": {
"enum": [
"RunPlaybook"
],
"type": "string"
}
},
"required": [
"actionType"
],
"type": "object"
}
],
"properties": {
"order": {
"oneOf": [
{
"type": "integer"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"required": [
"order"
],
"type": "object"
},
"AutomationRuleBooleanCondition": {
"properties": {
"innerConditions": {
"description": "Array of AutomationRuleCondition",
"oneOf": [
{
"items": {
"type": "object"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"operator": {
"oneOf": [
{
"enum": [
"And",
"Or"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"AutomationRuleCondition": {
"description": "Describes an automation rule condition.",
"oneOf": [
{
"description": "Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions",
"properties": {
"conditionProperties": {
"oneOf": [
{
"$ref": "#/definitions/AutomationRuleBooleanCondition"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"conditionType": {
"enum": [
"Boolean"
],
"type": "string"
}
},
"required": [
"conditionType"
],
"type": "object"
},
{
"description": "Describes an automation rule condition that evaluates a property's value",
"properties": {
"conditionProperties": {
"oneOf": [
{
"$ref": "#/definitions/AutomationRulePropertyValuesCondition"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"conditionType": {
"enum": [
"Property"
],
"type": "string"
}
},
"required": [
"conditionType"
],
"type": "object"
},
{
"description": "Describes an automation rule condition that evaluates an array property's value",
"properties": {
"conditionProperties": {
"oneOf": [
{
"$ref": "#/definitions/AutomationRulePropertyArrayValuesCondition"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"conditionType": {
"enum": [
"PropertyArray"
],
"type": "string"
}
},
"required": [
"conditionType"
],
"type": "object"
},
{
"description": "Describes an automation rule condition that evaluates an array property's value change",
"properties": {
"conditionProperties": {
"oneOf": [
{
"$ref": "#/definitions/AutomationRulePropertyArrayChangedValuesCondition"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"conditionType": {
"enum": [
"PropertyArrayChanged"
],
"type": "string"
}
},
"required": [
"conditionType"
],
"type": "object"
},
{
"description": "Describes an automation rule condition that evaluates a property's value change",
"properties": {
"conditionProperties": {
"oneOf": [
{
"$ref": "#/definitions/AutomationRulePropertyValuesChangedCondition"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"conditionType": {
"enum": [
"PropertyChanged"
],
"type": "string"
}
},
"required": [
"conditionType"
],
"type": "object"
}
],
"properties": {},
"type": "object"
},
"AutomationRuleProperties": {
"description": "Automation rule properties",
"properties": {
"actions": {
"description": "The actions to execute when the automation rule is triggered.",
"oneOf": [
{
"items": {
"$ref": "#/definitions/AutomationRuleAction"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"displayName": {
"description": "The display name of the automation rule.",
"maxLength": 500,
"type": "string"
},
"order": {
"description": "The order of execution of the automation rule.",
"oneOf": [
{
"maximum": 1000,
"minimum": 1,
"type": "integer"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"triggeringLogic": {
"description": "Describes automation rule triggering logic.",
"oneOf": [
{
"$ref": "#/definitions/AutomationRuleTriggeringLogic"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"required": [
"displayName",
"order",
"triggeringLogic",
"actions"
],
"type": "object"
},
"AutomationRulePropertyArrayChangedValuesCondition": {
"properties": {
"arrayType": {
"oneOf": [
{
"enum": [
"Alerts",
"Labels",
"Tactics",
"Comments"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"changeType": {
"oneOf": [
{
"enum": [
"Added"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"AutomationRulePropertyArrayValuesCondition": {
"properties": {
"arrayConditionType": {
"oneOf": [
{
"enum": [
"AnyItem"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"arrayType": {
"oneOf": [
{
"enum": [
"CustomDetails",
"CustomDetailValues"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"itemConditions": {
"description": "Array of AutomationRuleCondition",
"oneOf": [
{
"items": {
"type": "object"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"AutomationRulePropertyValuesChangedCondition": {
"properties": {
"changeType": {
"oneOf": [
{
"enum": [
"ChangedFrom",
"ChangedTo"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"operator": {
"oneOf": [
{
"enum": [
"Equals",
"NotEquals",
"Contains",
"NotContains",
"StartsWith",
"NotStartsWith",
"EndsWith",
"NotEndsWith"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"propertyName": {
"oneOf": [
{
"enum": [
"IncidentSeverity",
"IncidentStatus",
"IncidentOwner"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"propertyValues": {
"description": "Array of AutomationRulePropertyValuesChangedConditionPropertyValuesItem",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"AutomationRulePropertyValuesCondition": {
"properties": {
"operator": {
"oneOf": [
{
"enum": [
"Equals",
"NotEquals",
"Contains",
"NotContains",
"StartsWith",
"NotStartsWith",
"EndsWith",
"NotEndsWith"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"propertyName": {
"description": "The property to evaluate in an automation rule property condition.",
"oneOf": [
{
"enum": [
"IncidentTitle",
"IncidentDescription",
"IncidentSeverity",
"IncidentStatus",
"IncidentRelatedAnalyticRuleIds",
"IncidentTactics",
"IncidentLabel",
"IncidentProviderName",
"IncidentUpdatedBySource",
"IncidentCustomDetailsKey",
"IncidentCustomDetailsValue",
"AccountAadTenantId",
"AccountAadUserId",
"AccountName",
"AccountNTDomain",
"AccountPUID",
"AccountSid",
"AccountObjectGuid",
"AccountUPNSuffix",
"AlertProductNames",
"AlertAnalyticRuleIds",
"AzureResourceResourceId",
"AzureResourceSubscriptionId",
"CloudApplicationAppId",
"CloudApplicationAppName",
"DNSDomainName",
"FileDirectory",
"FileName",
"FileHashValue",
"HostAzureID",
"HostName",
"HostNetBiosName",
"HostNTDomain",
"HostOSVersion",
"IoTDeviceId",
"IoTDeviceName",
"IoTDeviceType",
"IoTDeviceVendor",
"IoTDeviceModel",
"IoTDeviceOperatingSystem",
"IPAddress",
"MailboxDisplayName",
"MailboxPrimaryAddress",
"MailboxUPN",
"MailMessageDeliveryAction",
"MailMessageDeliveryLocation",
"MailMessageRecipient",
"MailMessageSenderIP",
"MailMessageSubject",
"MailMessageP1Sender",
"MailMessageP2Sender",
"MalwareCategory",
"MalwareName",
"ProcessCommandLine",
"ProcessId",
"RegistryKey",
"RegistryValueData",
"Url"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"propertyValues": {
"description": "Array of AutomationRulePropertyValuesConditionPropertyValuesItem",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"AutomationRuleTriggeringLogic": {
"description": "Describes automation rule triggering logic.",
"properties": {
"conditions": {
"description": "The conditions to evaluate to determine if the automation rule should be triggered on a given object.",
"oneOf": [
{
"items": {
"$ref": "#/definitions/AutomationRuleCondition"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"expirationTimeUtc": {
"description": "Determines when the automation rule should automatically expire and be disabled.",
"format": "date-time",
"type": "string"
},
"isEnabled": {
"description": "Determines whether the automation rule is enabled or disabled.",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"triggersOn": {
"oneOf": [
{
"enum": [
"Incidents",
"Alerts"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"triggersWhen": {
"oneOf": [
{
"enum": [
"Created",
"Updated"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"required": [
"isEnabled",
"triggersOn",
"triggersWhen"
],
"type": "object"
},
"AzureDevOpsResourceInfo": {
"description": "Resources created in Azure DevOps repository.",
"properties": {
"pipelineId": {
"description": "Id of the pipeline created for the source-control.",
"type": "string"
},
"serviceConnectionId": {
"description": "Id of the service-connection created for the source-control.",
"type": "string"
}
},
"type": "object"
},
"BookmarkEntityMappings": {
"description": "Describes the entity mappings of a single entity",
"properties": {
"entityType": {
"description": "The entity type",
"type": "string"
},
"fieldMappings": {
"description": "Array of fields mapping for that entity type",
"oneOf": [
{
"items": {
"$ref": "#/definitions/EntityFieldMapping"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"BookmarkProperties": {
"description": "Describes bookmark properties",
"properties": {
"created": {
"description": "The time the bookmark was created",
"format": "date-time",
"type": "string"
},
"createdBy": {
"description": "Describes a user that created the bookmark",
"oneOf": [
{
"$ref": "#/definitions/UserInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"displayName": {
"description": "The display name of the bookmark",
"type": "string"
},
"entityMappings": {
"description": "Describes the entity mappings of the bookmark",
"oneOf": [
{
"items": {
"$ref": "#/definitions/BookmarkEntityMappings"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"eventTime": {
"description": "The bookmark event time",
"format": "date-time",
"type": "string"
},
"incidentInfo": {
"description": "Describes an incident that relates to bookmark",
"oneOf": [
{
"$ref": "#/definitions/IncidentInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"labels": {
"description": "List of labels relevant to this bookmark",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"notes": {
"description": "The notes of the bookmark",
"type": "string"
},
"query": {
"description": "The query of the bookmark.",
"type": "string"
},
"queryEndTime": {
"description": "The end time for the query",
"format": "date-time",
"type": "string"
},
"queryResult": {
"description": "The query result of the bookmark.",
"type": "string"
},
"queryStartTime": {
"description": "The start time for the query",
"format": "date-time",
"type": "string"
},
"tactics": {
"description": "A list of relevant mitre attacks",
"oneOf": [
{
"items": {
"enum": [
"Reconnaissance",
"ResourceDevelopment",
"InitialAccess",
"Execution",
"Persistence",
"PrivilegeEscalation",
"DefenseEvasion",
"CredentialAccess",
"Discovery",
"LateralMovement",
"Collection",
"Exfiltration",
"CommandAndControl",
"Impact",
"PreAttack",
"ImpairProcessControl",
"InhibitResponseFunction"
],
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"techniques": {
"description": "A list of relevant mitre techniques",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"updated": {
"description": "The last time the bookmark was updated",
"format": "date-time",
"type": "string"
},
"updatedBy": {
"description": "Describes a user that updated the bookmark",
"oneOf": [
{
"$ref": "#/definitions/UserInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"required": [
"displayName",
"query"
],
"type": "object"
},
"ContentPathMap": {
"description": "The mapping of content type to a repo path.",
"properties": {
"contentType": {
"description": "Content type.",
"oneOf": [
{
"enum": [
"AnalyticRule",
"Workbook"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"path": {
"description": "The path to the content.",
"type": "string"
}
},
"type": "object"
},
"Deployment": {
"description": "Description about a deployment.",
"properties": {
"deploymentId": {
"description": "Deployment identifier.",
"type": "string"
},
"deploymentLogsUrl": {
"description": "Url to access repository action logs.",
"type": "string"
},
"deploymentResult": {
"description": "The outcome of the deployment.",
"oneOf": [
{
"enum": [
"Success",
"Canceled",
"Failed"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"deploymentState": {
"description": "Current status of the deployment.",
"oneOf": [
{
"enum": [
"In_Progress",
"Completed",
"Queued",
"Canceling"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"deploymentTime": {
"description": "The time when the deployment finished.",
"format": "date-time",
"type": "string"
}
},
"type": "object"
},
"DeploymentInfo": {
"description": "Information regarding a deployment.",
"properties": {
"deployment": {
"description": "Deployment information.",
"oneOf": [
{
"$ref": "#/definitions/Deployment"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"deploymentFetchStatus": {
"description": "Status while fetching the last deployment.",
"oneOf": [
{
"enum": [
"Success",
"Unauthorized",
"NotFound"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"message": {
"description": "Additional details about the deployment that can be shown to the user.",
"type": "string"
}
},
"type": "object"
},
"EntityFieldMapping": {
"description": "Map identifiers of a single entity",
"properties": {
"identifier": {
"description": "Alert V3 identifier",
"type": "string"
},
"value": {
"description": "The value of the identifier",
"type": "string"
}
},
"type": "object"
},
"FileImportProperties": {
"description": "Describes the FileImport's properties",
"properties": {
"contentType": {
"description": "The content type of this file.",
"oneOf": [
{
"enum": [
"BasicIndicator",
"StixIndicator",
"Unspecified"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"importFile": {
"description": "Represents the imported file.",
"oneOf": [
{
"$ref": "#/definitions/FileMetadata"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"ingestionMode": {
"description": "Describes how to ingest the records in the file.",
"oneOf": [
{
"enum": [
"IngestOnlyIfAllAreValid",
"IngestAnyValidRecords",
"Unspecified"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"source": {
"description": "The source for the data in the file.",
"type": "string"
}
},
"required": [
"ingestionMode",
"contentType",
"importFile",
"source"
],
"type": "object"
},
"FileMetadata": {
"description": "Represents a file.",
"properties": {
"fileFormat": {
"description": "The format of the file",
"oneOf": [
{
"enum": [
"CSV",
"JSON",
"Unspecified"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"fileName": {
"description": "The name of the file.",
"type": "string"
},
"fileSize": {
"description": "The size of the file.",
"oneOf": [
{
"type": "integer"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"GitHubResourceInfo": {
"description": "Resources created in GitHub repository.",
"properties": {
"appInstallationId": {
"description": "GitHub application installation id.",
"type": "string"
}
},
"type": "object"
},
"IncidentCommentProperties": {
"description": "Incident comment property bag.",
"properties": {
"message": {
"description": "The comment message",
"type": "string"
}
},
"required": [
"message"
],
"type": "object"
},
"IncidentInfo": {
"description": "Describes related incident information for the bookmark",
"properties": {
"incidentId": {
"description": "Incident Id",
"type": "string"
},
"relationName": {
"description": "Relation Name",
"type": "string"
},
"severity": {
"description": "The severity of the incident",
"oneOf": [
{
"enum": [
"High",
"Medium",
"Low",
"Informational"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"title": {
"description": "The title of the incident",
"type": "string"
}
},
"type": "object"
},
"IncidentLabel": {
"description": "Represents an incident label",
"properties": {
"labelName": {
"description": "The name of the label",
"type": "string"
}
},
"required": [
"labelName"
],
"type": "object"
},
"IncidentOwnerInfo": {
"description": "Information on the user an incident is assigned to",
"properties": {
"assignedTo": {
"description": "The name of the user the incident is assigned to.",
"type": "string"
},
"email": {
"description": "The email of the user the incident is assigned to.",
"type": "string"
},
"objectId": {
"description": "The object id of the user the incident is assigned to.",
"oneOf": [
{
"pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$",
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"ownerType": {
"description": "The type of the owner the incident is assigned to.",
"oneOf": [
{
"enum": [
"Unknown",
"User",
"Group"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"userPrincipalName": {
"description": "The user principal name of the user the incident is assigned to.",
"type": "string"
}
},
"type": "object"
},
"IncidentProperties": {
"description": "Describes incident properties",
"properties": {
"classification": {
"description": "The reason the incident was closed",
"oneOf": [
{
"enum": [
"Undetermined",
"TruePositive",
"BenignPositive",
"FalsePositive"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"classificationComment": {
"description": "Describes the reason the incident was closed",
"type": "string"
},
"classificationReason": {
"description": "The classification reason the incident was closed with",
"oneOf": [
{
"enum": [
"SuspiciousActivity",
"SuspiciousButExpected",
"IncorrectAlertLogic",
"InaccurateData"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"description": {
"description": "The description of the incident",
"type": "string"
},
"firstActivityTimeUtc": {
"description": "The time of the first activity in the incident",
"format": "date-time",
"type": "string"
},
"labels": {
"description": "List of labels relevant to this incident",
"oneOf": [
{
"items": {
"$ref": "#/definitions/IncidentLabel"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"lastActivityTimeUtc": {
"description": "The time of the last activity in the incident",
"format": "date-time",
"type": "string"
},
"owner": {
"description": "Describes a user that the incident is assigned to",
"oneOf": [
{
"$ref": "#/definitions/IncidentOwnerInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"providerIncidentId": {
"description": "The incident ID assigned by the incident provider",
"type": "string"
},
"providerName": {
"description": "The name of the source provider that generated the incident",
"type": "string"
},
"severity": {
"description": "The severity of the incident",
"oneOf": [
{
"enum": [
"High",
"Medium",
"Low",
"Informational"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"status": {
"description": "The status of the incident",
"oneOf": [
{
"enum": [
"New",
"Active",
"Closed"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"teamInformation": {
"description": "Describes a team for the incident",
"oneOf": [
{
"$ref": "#/definitions/TeamInformation"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"title": {
"description": "The title of the incident",
"type": "string"
}
},
"required": [
"severity",
"status",
"title"
],
"type": "object"
},
"IncidentPropertiesAction": {
"properties": {
"classification": {
"description": "The reason the incident was closed",
"oneOf": [
{
"enum": [
"Undetermined",
"TruePositive",
"BenignPositive",
"FalsePositive"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"classificationComment": {
"description": "Describes the reason the incident was closed.",
"type": "string"
},
"classificationReason": {
"description": "The classification reason the incident was closed with",
"oneOf": [
{
"enum": [
"SuspiciousActivity",
"SuspiciousButExpected",
"IncorrectAlertLogic",
"InaccurateData"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"labels": {
"description": "List of labels to add to the incident.",
"oneOf": [
{
"items": {
"$ref": "#/definitions/IncidentLabel"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"owner": {
"description": "Information on the user an incident is assigned to",
"oneOf": [
{
"$ref": "#/definitions/IncidentOwnerInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"severity": {
"description": "The severity of the incident",
"oneOf": [
{
"enum": [
"High",
"Medium",
"Low",
"Informational"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"status": {
"description": "The status of the incident",
"oneOf": [
{
"enum": [
"New",
"Active",
"Closed"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"MetadataAuthor": {
"description": "Publisher or creator of the content item.",
"properties": {
"email": {
"description": "Email of author contact",
"type": "string"
},
"link": {
"description": "Link for author/vendor page",
"type": "string"
},
"name": {
"description": "Name of the author. Company or person.",
"type": "string"
}
},
"type": "object"
},
"MetadataCategories": {
"description": "ies for the solution content item",
"properties": {
"domains": {
"description": "domain for the solution content item",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"verticals": {
"description": "Industry verticals for the solution content item",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"MetadataDependencies": {
"description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.",
"properties": {
"contentId": {
"description": "Id of the content item we depend on",
"type": "string"
},
"criteria": {
"description": "This is the list of dependencies we must fulfill, according to the AND/OR operator",
"oneOf": [
{
"items": {
"type": "object"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"kind": {
"description": "Type of the content item we depend on",
"oneOf": [
{
"enum": [
"DataConnector",
"DataType",
"Workbook",
"WorkbookTemplate",
"Playbook",
"PlaybookTemplate",
"AnalyticsRuleTemplate",
"AnalyticsRule",
"HuntingQuery",
"InvestigationQuery",
"Parser",
"Watchlist",
"WatchlistTemplate",
"Solution",
"AzureFunction",
"LogicAppsCustomConnector",
"AutomationRule"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"name": {
"description": "Name of the content item",
"type": "string"
},
"operator": {
"description": "Operator used for list of dependencies in criteria array.",
"oneOf": [
{
"enum": [
"AND",
"OR"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"version": {
"description": "Version of the the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required.",
"type": "string"
}
},
"type": "object"
},
"MetadataProperties": {
"description": "Metadata property bag.",
"properties": {
"author": {
"description": "The creator of the content item.",
"oneOf": [
{
"$ref": "#/definitions/MetadataAuthor"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"categories": {
"description": "Categories for the solution content item",
"oneOf": [
{
"$ref": "#/definitions/MetadataCategories"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"contentId": {
"description": "Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name",
"type": "string"
},
"contentSchemaVersion": {
"description": "Schema version of the content. Can be used to distinguish between different flow based on the schema version",
"type": "string"
},
"customVersion": {
"description": "The custom version of the content. A optional free text",
"type": "string"
},
"dependencies": {
"description": "Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats.",
"oneOf": [
{
"$ref": "#/definitions/MetadataDependencies"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"firstPublishDate": {
"description": "first publish date solution content item",
"type": "string"
},
"icon": {
"description": "the icon identifier. this id can later be fetched from the solution template",
"type": "string"
},
"kind": {
"description": "The kind of content the metadata is for.",
"oneOf": [
{
"enum": [
"DataConnector",
"DataType",
"Workbook",
"WorkbookTemplate",
"Playbook",
"PlaybookTemplate",
"AnalyticsRuleTemplate",
"AnalyticsRule",
"HuntingQuery",
"InvestigationQuery",
"Parser",
"Watchlist",
"WatchlistTemplate",
"Solution",
"AzureFunction",
"LogicAppsCustomConnector",
"AutomationRule"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"lastPublishDate": {
"description": "last publish date for the solution content item",
"type": "string"
},
"parentId": {
"description": "Full parent resource ID of the content item the metadata is for. This is the full resource ID including the scope (subscription and resource group)",
"type": "string"
},
"previewImages": {
"description": "preview image file names. These will be taken from the solution artifacts",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"previewImagesDark": {
"description": "preview image file names. These will be taken from the solution artifacts. used for dark theme support",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"providers": {
"description": "Providers for the solution content item",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"source": {
"description": "Source of the content. This is where/how it was created.",
"oneOf": [
{
"$ref": "#/definitions/MetadataSource"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"support": {
"description": "Support information for the metadata - type, name, contact information",
"oneOf": [
{
"$ref": "#/definitions/MetadataSupport"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"threatAnalysisTactics": {
"description": "the tactics the resource covers",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"threatAnalysisTechniques": {
"description": "the techniques the resource covers, these have to be aligned with the tactics being used",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"version": {
"description": "Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM template best practices. Can also be any string, but then we cannot guarantee any version checks",
"type": "string"
}
},
"required": [
"parentId",
"kind"
],
"type": "object"
},
"MetadataSource": {
"description": "The original source of the content item, where it comes from.",
"properties": {
"kind": {
"description": "Source type of the content",
"oneOf": [
{
"enum": [
"LocalWorkspace",
"Community",
"Solution",
"SourceRepository"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"name": {
"description": "Name of the content source. The repo name, solution name, LA workspace name etc.",
"type": "string"
},
"sourceId": {
"description": "ID of the content source. The solution ID, workspace ID, etc",
"type": "string"
}
},
"required": [
"kind"
],
"type": "object"
},
"MetadataSupport": {
"description": "Support information for the content item.",
"properties": {
"email": {
"description": "Email of support contact",
"type": "string"
},
"link": {
"description": "Link for support help, like to support page to open a ticket etc.",
"type": "string"
},
"name": {
"description": "Name of the support contact. Company or person.",
"type": "string"
},
"tier": {
"description": "Type of support for content item",
"oneOf": [
{
"enum": [
"Microsoft",
"Partner",
"Community"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"required": [
"tier"
],
"type": "object"
},
"PlaybookActionProperties": {
"properties": {
"logicAppResourceId": {
"description": "The resource id of the playbook resource.",
"type": "string"
},
"tenantId": {
"description": "The tenant id of the playbook resource.",
"oneOf": [
{
"pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$",
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"RelationProperties": {
"description": "Relation property bag.",
"properties": {
"relatedResourceId": {
"description": "The resource ID of the related resource",
"type": "string"
}
},
"required": [
"relatedResourceId"
],
"type": "object"
},
"Repository": {
"description": "metadata of a repository.",
"properties": {
"branch": {
"description": "Branch name of repository.",
"type": "string"
},
"deploymentLogsUrl": {
"description": "Url to access repository action logs.",
"type": "string"
},
"displayUrl": {
"description": "Display url of repository.",
"type": "string"
},
"pathMapping": {
"description": "Dictionary of source control content type and path mapping.",
"oneOf": [
{
"items": {
"$ref": "#/definitions/ContentPathMap"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"url": {
"description": "Url of repository.",
"type": "string"
}
},
"type": "object"
},
"RepositoryResourceInfo": {
"description": "Resources created in user's repository for the source-control.",
"properties": {
"azureDevOpsResourceInfo": {
"description": "Resources created in Azure DevOps for this source-control.",
"oneOf": [
{
"$ref": "#/definitions/AzureDevOpsResourceInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"gitHubResourceInfo": {
"description": "Resources created in GitHub for this source-control.",
"oneOf": [
{
"$ref": "#/definitions/GitHubResourceInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"webhook": {
"description": "The webhook object created for the source-control.",
"oneOf": [
{
"$ref": "#/definitions/Webhook"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"SentinelOnboardingStateProperties": {
"description": "The Sentinel onboarding state properties",
"properties": {
"customerManagedKey": {
"description": "Flag that indicates the status of the CMK setting",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"SourceControlProperties": {
"description": "Describes source control properties",
"properties": {
"contentTypes": {
"description": "Array of source control content types.",
"oneOf": [
{
"items": {
"enum": [
"AnalyticRule",
"Workbook"
],
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"description": {
"description": "A description of the source control",
"type": "string"
},
"displayName": {
"description": "The display name of the source control",
"type": "string"
},
"id": {
"description": "The id (a Guid) of the source control",
"type": "string"
},
"lastDeploymentInfo": {
"description": "Information regarding the latest deployment for the source control.",
"oneOf": [
{
"$ref": "#/definitions/DeploymentInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"repoType": {
"description": "The repository type of the source control",
"oneOf": [
{
"enum": [
"Github",
"DevOps"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"repository": {
"description": "Repository metadata.",
"oneOf": [
{
"$ref": "#/definitions/Repository"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"repositoryResourceInfo": {
"description": "Information regarding the resources created in user's repository.",
"oneOf": [
{
"$ref": "#/definitions/RepositoryResourceInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"version": {
"description": "The version number associated with the source control",
"oneOf": [
{
"enum": [
"V1",
"V2"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"required": [
"displayName",
"repoType",
"contentTypes",
"repository"
],
"type": "object"
},
"TeamInformation": {
"description": "Describes team information",
"properties": {},
"type": "object"
},
"ThreatIntelligenceExternalReference": {
"description": "Describes external reference",
"properties": {
"description": {
"description": "External reference description",
"type": "string"
},
"externalId": {
"description": "External reference ID",
"type": "string"
},
"hashes": {
"description": "External reference hashes",
"oneOf": [
{
"additionalProperties": {
"type": "string"
},
"properties": {},
"type": "object"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"sourceName": {
"description": "External reference source name",
"type": "string"
},
"url": {
"description": "External reference URL",
"type": "string"
}
},
"type": "object"
},
"ThreatIntelligenceGranularMarkingModel": {
"description": "Describes threat granular marking model entity",
"properties": {
"language": {
"description": "Language granular marking model",
"type": "string"
},
"markingRef": {
"description": "marking reference granular marking model",
"oneOf": [
{
"type": "integer"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"selectors": {
"description": "granular marking model selectors",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"ThreatIntelligenceIndicatorProperties": {
"description": "Describes threat intelligence entity properties",
"properties": {
"confidence": {
"description": "Confidence of threat intelligence entity",
"oneOf": [
{
"type": "integer"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"created": {
"description": "Created by",
"type": "string"
},
"createdByRef": {
"description": "Created by reference of threat intelligence entity",
"type": "string"
},
"defanged": {
"description": "Is threat intelligence entity defanged",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"description": {
"description": "Description of a threat intelligence entity",
"type": "string"
},
"displayName": {
"description": "Display name of a threat intelligence entity",
"type": "string"
},
"extensions": {
"description": "Extensions map",
"oneOf": [
{
"additionalProperties": {},
"properties": {},
"type": "object"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"externalId": {
"description": "External ID of threat intelligence entity",
"type": "string"
},
"externalLastUpdatedTimeUtc": {
"description": "External last updated time in UTC",
"type": "string"
},
"externalReferences": {
"description": "External References",
"oneOf": [
{
"items": {
"$ref": "#/definitions/ThreatIntelligenceExternalReference"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"granularMarkings": {
"description": "Granular Markings",
"oneOf": [
{
"items": {
"$ref": "#/definitions/ThreatIntelligenceGranularMarkingModel"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"indicatorTypes": {
"description": "Indicator types of threat intelligence entities",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"killChainPhases": {
"description": "Kill chain phases",
"oneOf": [
{
"items": {
"$ref": "#/definitions/ThreatIntelligenceKillChainPhase"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"labels": {
"description": "Labels of threat intelligence entity",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"language": {
"description": "Language of threat intelligence entity",
"type": "string"
},
"lastUpdatedTimeUtc": {
"description": "Last updated time in UTC",
"type": "string"
},
"modified": {
"description": "Modified by",
"type": "string"
},
"objectMarkingRefs": {
"description": "Threat intelligence entity object marking references",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"parsedPattern": {
"description": "Parsed patterns",
"oneOf": [
{
"items": {
"$ref": "#/definitions/ThreatIntelligenceParsedPattern"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"pattern": {
"description": "Pattern of a threat intelligence entity",
"type": "string"
},
"patternType": {
"description": "Pattern type of a threat intelligence entity",
"type": "string"
},
"patternVersion": {
"description": "Pattern version of a threat intelligence entity",
"type": "string"
},
"revoked": {
"description": "Is threat intelligence entity revoked",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"source": {
"description": "Source of a threat intelligence entity",
"type": "string"
},
"threatIntelligenceTags": {
"description": "List of tags",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"threatTypes": {
"description": "Threat types",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"validFrom": {
"description": "Valid from",
"type": "string"
},
"validUntil": {
"description": "Valid until",
"type": "string"
}
},
"type": "object"
},
"ThreatIntelligenceKillChainPhase": {
"description": "Describes threat kill chain phase entity",
"properties": {
"killChainName": {
"description": "Kill chainName name",
"type": "string"
},
"phaseName": {
"description": "Phase name",
"type": "string"
}
},
"type": "object"
},
"ThreatIntelligenceParsedPattern": {
"description": "Describes parsed pattern entity",
"properties": {
"patternTypeKey": {
"description": "Pattern type key",
"type": "string"
},
"patternTypeValues": {
"description": "Pattern type keys",
"oneOf": [
{
"items": {
"$ref": "#/definitions/ThreatIntelligenceParsedPatternTypeValue"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"ThreatIntelligenceParsedPatternTypeValue": {
"description": "Describes threat kill chain phase entity",
"properties": {
"value": {
"description": "Value of parsed pattern",
"type": "string"
},
"valueType": {
"description": "Type of the value",
"type": "string"
}
},
"type": "object"
},
"UserInfo": {
"description": "User information that made some action",
"properties": {
"objectId": {
"description": "The object id of the user.",
"oneOf": [
{
"pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$",
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
}
},
"type": "object"
},
"WatchlistItemProperties": {
"description": "Describes watchlist item properties",
"properties": {
"created": {
"description": "The time the watchlist item was created",
"format": "date-time",
"type": "string"
},
"createdBy": {
"description": "Describes a user that created the watchlist item",
"oneOf": [
{
"$ref": "#/definitions/UserInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"entityMapping": {
"description": "key-value pairs for a watchlist item entity mapping",
"oneOf": [
{
"additionalProperties": {},
"properties": {},
"type": "object"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"isDeleted": {
"description": "A flag that indicates if the watchlist item is deleted or not",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"itemsKeyValue": {
"description": "key-value pairs for a watchlist item",
"oneOf": [
{
"additionalProperties": {},
"properties": {},
"type": "object"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"tenantId": {
"description": "The tenantId to which the watchlist item belongs to",
"type": "string"
},
"updated": {
"description": "The last time the watchlist item was updated",
"format": "date-time",
"type": "string"
},
"updatedBy": {
"description": "Describes a user that updated the watchlist item",
"oneOf": [
{
"$ref": "#/definitions/UserInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"watchlistItemId": {
"description": "The id (a Guid) of the watchlist item",
"type": "string"
},
"watchlistItemType": {
"description": "The type of the watchlist item",
"type": "string"
}
},
"required": [
"itemsKeyValue"
],
"type": "object"
},
"WatchlistProperties": {
"description": "Describes watchlist properties",
"properties": {
"contentType": {
"description": "The content type of the raw content. Example : text/csv or text/tsv ",
"type": "string"
},
"created": {
"description": "The time the watchlist was created",
"format": "date-time",
"type": "string"
},
"createdBy": {
"description": "Describes a user that created the watchlist",
"oneOf": [
{
"$ref": "#/definitions/UserInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"defaultDuration": {
"description": "The default duration of a watchlist (in ISO 8601 duration format)",
"type": "string"
},
"description": {
"description": "A description of the watchlist",
"type": "string"
},
"displayName": {
"description": "The display name of the watchlist",
"type": "string"
},
"isDeleted": {
"description": "A flag that indicates if the watchlist is deleted or not",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"itemsSearchKey": {
"description": "The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.",
"type": "string"
},
"labels": {
"description": "List of labels relevant to this watchlist",
"oneOf": [
{
"items": {
"type": "string"
},
"type": "array"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"numberOfLinesToSkip": {
"description": "The number of lines in a csv/tsv content to skip before the header",
"oneOf": [
{
"type": "integer"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"provider": {
"description": "The provider of the watchlist",
"type": "string"
},
"rawContent": {
"description": "The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint",
"type": "string"
},
"source": {
"description": "The filename of the watchlist, called 'source'",
"type": "string"
},
"sourceType": {
"description": "The sourceType of the watchlist",
"oneOf": [
{
"enum": [
"Local file",
"Remote storage"
],
"type": "string"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"tenantId": {
"description": "The tenantId where the watchlist belongs to",
"type": "string"
},
"updated": {
"description": "The last time the watchlist was updated",
"format": "date-time",
"type": "string"
},
"updatedBy": {
"description": "Describes a user that updated the watchlist",
"oneOf": [
{
"$ref": "#/definitions/UserInfo"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"uploadStatus": {
"description": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted",
"type": "string"
},
"watchlistAlias": {
"description": "The alias of the watchlist",
"type": "string"
},
"watchlistId": {
"description": "The id (a Guid) of the watchlist",
"type": "string"
},
"watchlistType": {
"description": "The type of the watchlist",
"type": "string"
}
},
"required": [
"displayName",
"provider",
"itemsSearchKey"
],
"type": "object"
},
"Webhook": {
"description": "Detail about the webhook object.",
"properties": {
"rotateWebhookSecret": {
"description": "A flag to instruct the backend service to rotate webhook secret.",
"oneOf": [
{
"type": "boolean"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"webhookId": {
"description": "Unique identifier for the webhook.",
"type": "string"
},
"webhookSecretUpdateTime": {
"description": "Time when the webhook secret was updated.",
"type": "string"
},
"webhookUrl": {
"description": "URL that gets invoked by the webhook.",
"type": "string"
}
},
"type": "object"
},
"alertRules_actions_childResource": {
"description": "Microsoft.SecurityInsights/alertRules/actions",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Action ID",
"type": "string"
},
"properties": {
"description": "Action properties for put request",
"oneOf": [
{
"$ref": "#/definitions/ActionRequestProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"actions"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"bookmarks_relations_childResource": {
"description": "Microsoft.SecurityInsights/bookmarks/relations",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Relation Name",
"type": "string"
},
"properties": {
"description": "Relation properties",
"oneOf": [
{
"$ref": "#/definitions/RelationProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"relations"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"incidents_comments_childResource": {
"description": "Microsoft.SecurityInsights/incidents/comments",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Incident comment ID",
"type": "string"
},
"properties": {
"description": "Incident comment properties",
"oneOf": [
{
"$ref": "#/definitions/IncidentCommentProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"comments"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"incidents_relations_childResource": {
"description": "Microsoft.SecurityInsights/incidents/relations",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Relation Name",
"type": "string"
},
"properties": {
"description": "Relation properties",
"oneOf": [
{
"$ref": "#/definitions/RelationProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"relations"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
},
"watchlists_watchlistItems_childResource": {
"description": "Microsoft.SecurityInsights/watchlists/watchlistItems",
"properties": {
"apiVersion": {
"enum": [
"2022-10-01-preview"
],
"type": "string"
},
"etag": {
"description": "Etag of the azure resource",
"type": "string"
},
"name": {
"description": "Watchlist Item Id (GUID)",
"type": "string"
},
"properties": {
"description": "Watchlist Item properties",
"oneOf": [
{
"$ref": "#/definitions/WatchlistItemProperties"
},
{
"$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression"
}
]
},
"type": {
"enum": [
"watchlistItems"
],
"type": "string"
}
},
"required": [
"name",
"properties",
"apiVersion",
"type"
],
"type": "object"
}
}
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку