From 723ddb3f63308036fdfd280a8c870ea26fa47283 Mon Sep 17 00:00:00 2001
From: Hassan Chawiche
Date: Wed, 5 Aug 2020 10:49:17 -0700
Subject: [PATCH 1/2] Sentinel Watchlist : Added CRUD Operations
---
 custom-words.txt | 6 +-
 .../2019-01-01-preview/SecurityInsights.json | 416 ++++++++++++++++++
 .../examples/watchlists/CreateWatchlist.json | 102 +++++
 .../examples/watchlists/DeleteWatchlist.json | 14 +
 .../watchlists/GetWatchlistByAlias.json | 47 ++
 .../examples/watchlists/GetWatchlists.json | 50 +++
 6 files changed, 634 insertions(+), 1 deletion(-)
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/CreateWatchlist.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/DeleteWatchlist.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlistByAlias.json
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlists.json
diff --git a/custom-words.txt b/custom-words.txt
index 17191cef1340..970dcaaec4c6 100644
--- a/custom-words.txt
+++ b/custom-words.txt
@@ -1852,4 +1852,8 @@ azureADMetrics
 sparkr
 ambari
 dotnetspark
-FDID
\ No newline at end of file
+FDID
+watchlists
+Watchlists
+watchlist
+Watchlist
\ No newline at end of file
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 23bcd534e567..d5d24bd85d36 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json 
@@ -3320,6 +3320,203 @@
 }
 }
 }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": {
+ "get": {
+ "x-ms-examples": {
+ "Get all watchlists.": {
+ "$ref": "./examples/watchlists/GetWatchlists.json"
+ }
+ },
+ "tags": [
+ "Watchlists"
+ ],
+ "description": "Gets all watchlists.",
+ "operationId": "Watchlists_List",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/WatchlistList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": {
+ "get": {
+ "x-ms-examples": {
+ "Get a watchlist.": {
+ "$ref": "./examples/watchlists/GetWatchlistByAlias.json"
+ }
+ },
+ "tags": [
+ "Watchlists"
+ ],
+ "description": "Gets a watchlist.",
+ "operationId": "Watchlists_Get",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/WatchlistAlias"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/Watchlist"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "delete": {
+ "x-ms-examples": {
+ "Delete a watchlist.": {
+ "$ref": "./examples/watchlists/DeleteWatchlist.json"
+ }
+ },
+ "tags": [
+ "Watchlists"
+ ],
+ "description": "Delete a watchlist.",
+ "operationId": "Watchlists_Delete",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/WatchlistAlias"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK"
+ },
+ "204": {
+ "description": "No Content"
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ },
+ "put": {
+ "x-ms-examples": {
+ "Creates a watchlist.": {
+ "$ref": "./examples/watchlists/CreateWatchlist.json"
+ }
+ },
+ "tags": [
+ "Watchlists"
+ ],
+ "description": "Creates a watchlist",
+ "operationId": "Watchlists_Create",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/WatchlistAlias"
+ },
+ {
+ "$ref": "#/parameters/Watchlist"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/Watchlist"
+ }
+ },
+ "201": {
+ "description": "Created",
+ "schema": {
+ "$ref": "#/definitions/Watchlist"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
 }
 },
 "definitions": {
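Review bot: The `put` on `.../watchlists/{watchlistAlias}` is described as "Creates a watchlist" with operationId `Watchlists_Create`, yet it declares both a 200 and a 201 response, which reads as create-or-replace. Watchlists feed detection content, so an operation that can overwrite an existing list should say so in the contract: `"description": "Creates or updates a watchlist."`. The `Watchlist` model inherits from `ResourceWithEtag`, but none of the seven parameters on the `put` is a conditional-request header; if the service honours `If-Match` that is not visible in this hunk, and documenting it would help callers avoid overwriting a concurrent edit.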
@@ -8357,6 +8554,207 @@
 "relationName"
 ],
 "type": "object"
+ },
+ "WatchlistList": {
+ "description": "List all the watchlists.",
+ "properties": {
+ "nextLink": {
+ "description": "URL to fetch the next set of watchlists.",
+ "readOnly": true,
+ "type": "string"
+ },
+ "value": {
+ "description": "Array of watchlist.",
+ "items": {
+ "$ref": "#/definitions/Watchlist"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "Watchlist": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/ResourceWithEtag"
+ }
+ ],
+ "description": "Represents a Watchlist in Azure Security Insights.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/WatchlistProperties",
+ "description": "Watchlist properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "WatchlistProperties": {
+ "description": "Describes watchlist properties",
+ "properties": {
+ "createdTimeUtc": {
+ "description": "The time the watchlist was created",
+ "format": "date-time",
+ "type": "string"
+ },
+ "createdBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that created the watchlist",
+ "type": "object"
+ },
+ "displayName": {
+ "description": "The display name of the watchlist",
+ "type": "string"
+ },
+ "watchlistType": {
+ "description": "The type of the watchlist",
+ "type": "string"
+ },
+ "source": {
+ "description": "The source of the watchlist",
+ "enum": [
+ "Local file",
+ "Remote storage"
+ ],
+ "type": "string",
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "source"
+ }
+ },
+ "provider": {
+ "description": "The provider of the watchlist",
+ "type": "string"
+ },
+ "description": {
+ "description": "A description of the watchlist",
+ "type": "string"
+ },
+ "tenantId": {
+ "description": "The tenantId where the watchlist belongs to.",
+ "type": "string"
+ },
+ "workspaceId": {
+ "description": "The workspaceId where the watchlist belongs to.",
+ "type": "string"
+ },
+ "labels": {
+ "description": "List of labels relevant to this watchlist",
+ "items": {
+ "$ref": "#/definitions/Label"
+ },
+ "type": "array"
+ },
+ "notes": {
+ "description": "The notes of the watchlist",
+ "type": "string"
+ },
+ "lastUpdatedTimeUtc": {
+ "description": "The last time the watchlist was updated",
+ "format": "date-time",
+ "type": "string"
+ },
+ "updatedBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that updated the watchlist",
+ "type": "object"
+ },
+ "defaultDuration": {
+ "description": "The default duration of a watchlist (in ISO 8601 duration format)",
+ "format": "duration",
+ "type": "string"
+ },
+ "watchlistItems": {
+ "description": "List of watchlist items.",
+ "items": {
+ "$ref": "#/definitions/WatchlistItem"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "displayName",
+ "source",
+ "provider"
+ ],
+ "type": "object"
+ },
+ "WatchlistItem": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/Resource"
+ }
+ ],
+ "description": "Represents a Watchlist Item in Azure Security Insights.",
+ "properties": {
+ "properties": {
+ "$ref": "#/definitions/WatchlistItemProperties",
+ "description": "Watchlist item properties",
+ "x-ms-client-flatten": true
+ }
+ },
+ "type": "object"
+ },
+ "WatchlistItemProperties": {
+ "description": "Describes watchlist item properties",
+ "properties": {
+ "createdBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that created the watchlist",
+ "type": "object"
+ },
+ "updatedBy": {
+ "$ref": "#/definitions/UserInfo",
+ "description": "Describes a user that updated the watchlist",
+ "type": "object"
+ },
+ "watchlistItemName": {
+ "description": "Name of the watchlist item",
+ "type": "string"
+ },
+ "watchlistItemPair": {
+ "description": "A key-value pair for a watchlist item",
+ "type": "object"
+ },
+ "entityMapping": {
+ "description": "A key-value pair for a watchlist item entity mapping",
+ "type": "object"
+ },
+ "tenantId": {
+ "description": "The tenantId to which this watchlist item belongs to",
+ "type": "string"
+ },
+ "createdTimeUtc": {
+ "description": "The time the watchlist item was created",
+ "format": "date-time",
+ "type": "string"
+ },
+ "lastUpdatedTimeUtc": {
+ "description": "The last time the watchlist item was updated",
+ "format": "date-time",
+ "type": "string"
+ },
+ "timeToLiveUtc": {
+ "description": "The time to live for the watchlist item",
+ "format": "date-time",
+ "type": "string"
+ },
+ "watchlistItemType": {
+ "description": "The type of the watchlist item",
+ "type": "string"
+ },
+ "watchlistId": {
+ "description": "The watchlist id of the parent of this watchlist item",
+ "type": "string"
+ }
+ },
+ "required": [
+ "watchlistId",
+ "watchlistItemPair"
+ ],
+ "type": "object"
 }
 },
 "parameters": {
@@ -8699,6 +9097,24 @@
 "required": true,
 "type": "string",
 "x-ms-parameter-location": "method"
+ },
+ "WatchlistAlias": {
+ "description": "Watchlist Alias",
+ "in": "path",
+ "name": "watchlistAlias",
+ "required": true,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
+ "Watchlist": {
+ "description": "The watchlist",
+ "in": "body",
+ "name": "watchlist",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/Watchlist"
+ },
+ "x-ms-parameter-location": "method"
 }
 }
 }
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/CreateWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/CreateWatchlist.json
new file mode 100644
index 000000000000..07cf84ce8165
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/CreateWatchlist.json
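Review bot: In `WatchlistProperties` the provenance fields `createdBy`, `updatedBy`, `createdTimeUtc`, `lastUpdatedTimeUtc`, `tenantId` and `workspaceId` are not marked read-only, and `WatchlistItemProperties` repeats the pattern for its own `createdBy`, `updatedBy`, `tenantId` and timestamps. As written the contract lets a caller supply who created or last changed a watchlist, and the CreateWatchlist example in this patch does send `createdBy` and `updatedBy`. For audit data these should be server-assigned, so add `"readOnly": true` to each, as `nextLink` in `WatchlistList` already has; whether the service ignores client-supplied values is not visible from the spec. Note also that `description` and `type` written beside a `$ref` (on `createdBy` and `updatedBy`) are ignored by tooling that follows the JSON Reference rules, so those descriptions will probably not reach generated documentation.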
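Review bot: The new `WatchlistAlias` path parameter is a bare `"type": "string"` with no length or character constraint, although its value becomes a segment of the resource id. Adding `"maxLength"` and a `"pattern"` would let generated clients and validating gateways reject a malformed alias before the request is sent, for example `"pattern": "<ALLOWED_ALIAS_REGEX>"`, with the real values taken from the service's naming rules, which this patch does not show.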
@@ -0,0 +1,102 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
+ "watchlistAlias": "highValueAsset",
+ "watchlist": {
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70"
+ },
+ "lastUpdatedTimeUtc": "2019-01-01T13:15:30Z",
+ "createdTimeUtc": "2019-01-01T13:15:30Z",
+ "displayName": "High Value Assets Watchlist",
+ "watchlistType": "watchlist",
+ "source": "Local file",
+ "provider": "Azure Sentinel",
+ "description": "Watchlist Description",
+ "notes": "A note for the watchlist",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "defaultDuration": "P1D2H3M4S"
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
+ "name": "highValueAsset",
+ "type": "Microsoft.SecurityInsights/Watchlists",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "lastUpdatedTimeUtc": "2019-01-01T13:15:30Z",
+ "createdTimeUtc": "2019-01-01T13:15:30Z",
+ "displayName": "High Value Assets Watchlist",
+ "watchlistType": "watchlist",
+ "source": "Local file",
+ "provider": "Azure Sentinel",
+ "description": "Watchlist Description",
+ "notes": "A note for the watchlist",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "defaultDuration": "P1D2H3M4S"
+ }
+ }
+ },
+ "201": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
+ "name": "highValueAsset",
+ "type": "Microsoft.SecurityInsights/Watchlists",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "lastUpdatedTimeUtc": "2019-01-01T13:15:30Z",
+ "createdTimeUtc": "2019-01-01T13:15:30Z",
+ "displayName": "High Value Assets Watchlist",
+ "watchlistType": "watchlist",
+ "source": "Local file",
+ "provider": "Azure Sentinel",
+ "description": "Watchlist Description",
+ "notes": "A note for the watchlist",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "defaultDuration": "P1D2H3M4S"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/DeleteWatchlist.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/DeleteWatchlist.json
new file mode 100644
index 000000000000..f466add6d9f0
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/DeleteWatchlist.json
@@ -0,0 +1,14 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "watchlistAlias": "highValueAsset"
+ },
+ "responses": {
+ "200": {},
+ "204": {}
+ }
+}
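Review bot: The resource provider is misspelled `Microsoft.OperationalIinsights` (double "i") in the `id` of both the 200 and the 201 body of CreateWatchlist.json, while that file's own `operationalInsightsResourceProvider` parameter reads `Microsoft.OperationalInsights`. The same misspelling is in the parameter of DeleteWatchlist.json, and in both the parameter and the `id` in GetWatchlistByAlias.json and GetWatchlists.json. Examples are copied into SDK documentation and test fixtures, so the value should read `Microsoft.OperationalInsights` everywhere. The `labels` arrays carry plain strings such as `"Tag1"` while the schema items reference `#/definitions/Label`, whose shape is outside this patch, so it is worth confirming the two agree.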
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlistByAlias.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlistByAlias.json
new file mode 100644
index 000000000000..7e8db045c713
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlistByAlias.json
@@ -0,0 +1,47 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "watchlistAlias": "highValueAsset"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
+ "name": "highValueAsset",
+ "type": "Microsoft.SecurityInsights/Watchlists",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "createdTimeUtc": "2019-01-01T13:15:30Z",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "displayName": "High Value Assets Watchlist",
+ "watchlistType": "watchlist",
+ "source": "Local file",
+ "provider": "Azure Sentinel",
+ "description": "A description",
+ "tenantId": "9ad7a5a8-490c-4f6e-b906-be97a89fa92a",
+ "workspaceId": "8a6c62fc-325f-48b2-a330-7863bf73eb45",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "notes": "A note for the watchlist",
+ "lastUpdatedTimeUtc": "2019-01-01T13:15:30Z",
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "defaultDuration": "P1D2H3M4S"
+ }
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlists.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlists.json
new file mode 100644
index 000000000000..35fe3af660a4
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/watchlists/GetWatchlists.json
@@ -0,0 +1,50 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/watchlists/highValueAsset",
+ "name": "highValueAsset",
+ "type": "Microsoft.SecurityInsights/Watchlists",
+ "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
+ "properties": {
+ "createdTimeUtc": "2019-01-01T13:15:30Z",
+ "createdBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "displayName": "High Value Assets Watchlist",
+ "watchlistType": "watchlist",
+ "source": "Local file",
+ "provider": "Azure Sentinel",
+ "description": "A description",
+ "tenantId": "9ad7a5a8-490c-4f6e-b906-be97a89fa92a",
+ "workspaceId": "8a6c62fc-325f-48b2-a330-7863bf73eb45",
+ "labels": [
+ "Tag1",
+ "Tag2"
+ ],
+ "notes": "A note for the watchlist",
+ "lastUpdatedTimeUtc": "2019-01-01T13:15:30Z",
+ "updatedBy": {
+ "objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
+ "email": "john@contoso.com",
+ "name": "john doe"
+ },
+ "defaultDuration": "P1D2H3M4S"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
From 8a0657cd6b2b08ae646c009e56b3e84b6bcd9622 Mon Sep 17 00:00:00 2001
From: Hassan Chawiche
Date: Thu, 6 Aug 2020 09:22:20 -0700
Subject: [PATCH 2/2] Sentinel Watchlist : Added CRUD Operations
---
 .../2019-01-01-preview/SecurityInsights.json | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index d5d24bd85d36..3b4e9d3159fd 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -3369,6 +3369,51 @@
 }
 }
 },
+ "/subscriptions/{subscriptionId}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists": {
+ "get": {
+ "x-ms-examples": {
+ "Get all watchlists.": {
+ "$ref": "./examples/watchlists/GetWatchlists.json"
+ }
+ },
+ "tags": [
+ "Watchlists"
+ ],
+ "description": "Gets all watchlists in a subscription.",
+ "operationId": "Watchlists_ListBySubscription",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/WatchlistList"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ },
+ "x-ms-pageable": {
+ "nextLinkName": "nextLink"
+ }
+ }
+ },
 "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}": {
 "get": {
 "x-ms-examples": {
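Review bot: `Watchlists_ListBySubscription` is described as "Gets all watchlists in a subscription", but its path still requires `{workspaceName}` and only drops the resource-group segment, so as written it addresses a single workspace rather than the subscription. It also reuses `./examples/watchlists/GetWatchlists.json`, whose parameters include `resourceGroupName`, which this operation does not declare, and whose response `id` contains `/resourceGroups/myRg/`. Because the scope an operation covers determines which role assignment authorises it, the description should match the path; either reword it, e.g. `"description": "Gets all watchlists in a workspace, addressed at subscription scope."`, or confirm the path is what the service exposes, and give the operation its own example file.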