Skip to content

Commit

Permalink
Adding new api-version to Microsoft.Security Alerts resource (#4902)
Browse files Browse the repository at this point in the history
* Copy preview/2015-06-01-preview to stable/2019-01-01 (as we want to edit "alerts" endpoint, which exists only in the 2015-06-01 version)

* Fix alerts examples of version 2015-06-01-preview

* Remove anything that is not "alerts" related from version 2019-01-01

* Set all changes for "alerts" type of the new version "2019-01-01"

* Add the stable version to the readme file

* Rollback readme change
  • Loading branch information
orparnes authored and jianghaolu committed Feb 1, 2019
1 parent 84d025e commit 93f46f5
Show file tree
Hide file tree
Showing 16 changed files with 1,482 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2017,6 +2017,30 @@
"reportedSeverity": {
"readOnly": true,
"type": "string",
"enum": [
"Silent",
"Information",
"Low",
"High"
],
"x-ms-enum": {
"name": "reportedSeverity",
"modelAsString": true,
"values": [
{
"value": "Silent"
},
{
"value": "Information"
},
{
"value": "Low"
},
{
"value": "High"
}
]
},
"description": "Estimated severity of this alert"
},
"compromisedEntity": {
Expand All @@ -2042,6 +2066,11 @@
"type": "boolean",
"description": "Whether this alert can be investigated with Azure Security Center"
},
"isIncident": {
"readOnly": true,
"type": "boolean",
"description": "Whether this alert is for incident type or not (otherwise - single alert)"
},
"entities": {
"type": "array",
"description": "objects that are related to this alerts",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
{
"parameters": {
"api-version": "2019-01-01",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"resourceGroupName": "myRg1",
"ascLocation": "westeurope",
"alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Threat Intelligence Alert",
"alertName": "ThreatIntelligence",
"detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
"description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
"remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
"actionTaken": "Detected",
"reportedSeverity": "High",
"compromisedEntity": "vm1",
"associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
"extendedProperties": {
"user Name": "administrator",
"domain Name": "Contoso",
"attacker IP": "192.0.2.1",
"resourceType": "Virtual Machine"
},
"state": "Dismissed",
"reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
"confidenceScore": 0.8,
"confidenceReasons": [{
"type": "User",
"reason": "Some user reason"
}, {
"type": "Process",
"reason": "Some proccess reason"
}, {
"type": "Computer",
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"threatIntelligence": [{
"providerName": "Team Cymru",
"threatType": "C2",
"threatName": "rarog",
"confidence": 0.8,
"reportLink": "http://www.microsoft.com",
"threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
}],
"type": "ip"
}]
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
{
"parameters": {
"api-version": "2019-01-01",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"ascLocation": "westeurope",
"alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Threat Intelligence Alert",
"alertName": "ThreatIntelligence",
"detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
"description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
"remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
"actionTaken": "Detected",
"reportedSeverity": "High",
"compromisedEntity": "vm1",
"associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
"extendedProperties": {
"user Name": "administrator",
"domain Name": "Contoso",
"attacker IP": "192.0.2.1",
"resourceType": "Virtual Machine"
},
"state": "Dismissed",
"reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
"confidenceScore": 0.8,
"confidenceReasons": [{
"type": "User",
"reason": "Some user reason"
}, {
"type": "Process",
"reason": "Some proccess reason"
}, {
"type": "Computer",
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"threatIntelligence": [{
"providerName": "Team Cymru",
"threatType": "C2",
"threatName": "rarog",
"confidence": 0.8,
"reportLink": "http://www.microsoft.com",
"threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
}],
"type": "ip"
}]
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
{
"parameters": {
"api-version": "2019-01-01",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"resourceGroupName": "myRg1",
"ascLocation": "westeurope"
},
"responses": {
"200": {
"body": {
"value": [{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"vendorName": "Microsoft",
"alertDisplayName": "Threat Intelligence Alert",
"alertName": "ThreatIntelligence",
"detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
"description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
"remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
"actionTaken": "Detected",
"reportedSeverity": "High",
"compromisedEntity": "vm1",
"associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
"extendedProperties": {
"user Name": "administrator",
"domain Name": "Contoso",
"attacker IP": "192.0.2.1",
"resourceType": "Virtual Machine"
},
"state": "Dismissed",
"reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
"confidenceScore": 0.8,
"confidenceReasons": [{
"type": "User",
"reason": "Some user reason"
}, {
"type": "Process",
"reason": "Some proccess reason"
}, {
"type": "Computer",
"reason": "Some computer reason"
}],
"canBeInvestigated": true,
"isIncident": false,
"entities": [{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"threatIntelligence": [{
"providerName": "Team Cymru",
"threatType": "C2",
"threatName": "rarog",
"confidence": 0.8,
"reportLink": "http://www.microsoft.com",
"threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
}],
"type": "ip"
}]
}
}]
}
}
}
}
Loading

0 comments on commit 93f46f5

Please sign in to comment.