{"openapi":"3.0.0","info":{"description":"API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider","title":"Security Insights","version":"2020-01-01","x-apisguru-categories":["cloud"],"x-logo":{"url":"https://assets.onestore.ms/cdnfiles/onestorerolling-1606-01000/shell/v3/images/logo/microsoft.png"},"x-origin":[{"format":"swagger","url":"https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json","version":"2.0"}],"x-preferred":true,"x-providerName":"azure.com","x-serviceName":"securityinsights-SecurityInsights","x-tags":["Azure","Microsoft"]},"security":[{"azure_auth":["user_impersonation"]}],"paths":{"/providers/Microsoft.SecurityInsights/operations":{"get":{"description":"Lists all operations available in the Azure Security Insights Resource Provider.","operationId":"Operations_List","parameters":[{"$ref":"#/components/parameters/ApiVersion"}],"responses":{"200":{"description":"OK. 
Successfully retrieved operations list.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OperationsList"}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules":{"get":{"description":"Gets all alert rules.","operationId":"AlertRules_List","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertRulesList"},"examples":{"Get all alert rules.":{"$ref":"#/components/examples/Get_all_alert_rules."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Alert Rules"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}":{"delete":{"description":"Delete the alert rule.","operationId":"AlertRules_Delete","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"}],"responses":{"200":{"description":"OK"},"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation 
failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Alert Rules"]},"get":{"description":"Gets the alert rule.","operationId":"AlertRules_Get","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertRule"},"examples":{"Get a Fusion alert rule.":{"$ref":"#/components/examples/Get_a_Fusion_alert_rule."},"Get a MicrosoftSecurityIncidentCreation rule.":{"$ref":"#/components/examples/Get_a_MicrosoftSecurityIncidentCreation_rule."},"Get a Scheduled alert rule.":{"$ref":"#/components/examples/Get_a_Scheduled_alert_rule."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Alert Rules"]},"put":{"description":"Creates or updates the alert rule.","operationId":"AlertRules_CreateOrUpdate","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertRule"}}},"description":"The alert rule","required":true,"x-ms-parameter-location":"method"},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertRule"},"examples":{"Creates or updates a Fusion alert rule.":{"$ref":"#/components/examples/Creates_or_updates_a_Fusion_alert_rule."},"Creates or updates a MicrosoftSecurityIncidentCreation 
rule.":{"$ref":"#/components/examples/Creates_or_updates_a_MicrosoftSecurityIncidentCreation_rule."},"Creates or updates a Scheduled alert rule.":{"$ref":"#/components/examples/Creates_or_updates_a_Scheduled_alert_rule."}}}}},"201":{"description":"Created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertRule"},"examples":{"Creates or updates a Fusion alert rule.":{"$ref":"#/components/examples/Creates_or_updates_a_Fusion_alert_rule."},"Creates or updates a MicrosoftSecurityIncidentCreation rule.":{"$ref":"#/components/examples/Creates_or_updates_a_MicrosoftSecurityIncidentCreation_rule."},"Creates or updates a Scheduled alert rule.":{"$ref":"#/components/examples/Creates_or_updates_a_Scheduled_alert_rule."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Alert Rules"]}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions":{"get":{"description":"Gets all actions of alert rule.","operationId":"Actions_ListByAlertRule","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ActionsList"},"examples":{"Get all actions of alert rule.":{"$ref":"#/components/examples/Get_all_actions_of_alert_rule."}}}}},"default":{"description":"Error response describing why the operation 
failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Actions"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}":{"delete":{"description":"Delete the action of alert rule.","operationId":"AlertRules_DeleteAction","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"},{"$ref":"#/components/parameters/ActionId"}],"responses":{"200":{"description":"OK"},"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Actions"]},"get":{"description":"Gets the action of alert rule.","operationId":"AlertRules_GetAction","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"},{"$ref":"#/components/parameters/ActionId"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ActionResponse"},"examples":{"Get an action of alert rule.":{"$ref":"#/components/examples/Get_an_action_of_alert_rule."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Actions"]},"put":{"description":"Creates or updates the action of alert 
rule.","operationId":"AlertRules_CreateOrUpdateAction","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/RuleId"},{"$ref":"#/components/parameters/ActionId"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ActionRequest"}}},"description":"The action","required":true,"x-ms-parameter-location":"method"},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ActionResponse"},"examples":{"Creates or updates an action of alert rule.":{"$ref":"#/components/examples/Creates_or_updates_an_action_of_alert_rule."}}}}},"201":{"description":"Created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ActionResponse"},"examples":{"Creates or updates an action of alert rule.":{"$ref":"#/components/examples/Creates_or_updates_an_action_of_alert_rule."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Actions"]}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors":{"get":{"description":"Gets all data connectors.","operationId":"DataConnectors_List","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataConnectorList"},"examples":{"Get all data connectors.":{"$ref":"#/components/examples/Get_all_data_connectors."}}}}},"default":{"description":"Error 
response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Data Connectors"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}":{"delete":{"description":"Delete the data connector.","operationId":"DataConnectors_Delete","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/DataConnectorId"}],"responses":{"200":{"description":"OK"},"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Data Connectors"]},"get":{"description":"Gets a data connector.","operationId":"DataConnectors_Get","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/DataConnectorId"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataConnector"},"examples":{"Get a ASC data connector.":{"$ref":"#/components/examples/Get_a_ASC_data_connector."},"Get a MCAS data connector.":{"$ref":"#/components/examples/Get_a_MCAS_data_connector."},"Get a MDATP data connector":{"$ref":"#/components/examples/Get_a_MDATP_data_connector"},"Get a TI data connector.":{"$ref":"#/components/examples/Get_a_TI_data_connector."},"Get an AAD data connector.":{"$ref":"#/components/examples/Get_an_AAD_data_connector."},"Get an AATP data 
connector.":{"$ref":"#/components/examples/Get_an_AATP_data_connector."},"Get an AwsCloudTrail data connector.":{"$ref":"#/components/examples/Get_an_AwsCloudTrail_data_connector."},"Get an Office365 data connector.":{"$ref":"#/components/examples/Get_an_Office365_data_connector."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Data Connectors"]},"put":{"description":"Creates or updates the data connector.","operationId":"DataConnectors_CreateOrUpdate","parameters":[{"$ref":"#/components/parameters/ApiVersion"},{"$ref":"#/components/parameters/SubscriptionId"},{"$ref":"#/components/parameters/ResourceGroupName"},{"$ref":"#/components/parameters/WorkspaceName"},{"$ref":"#/components/parameters/DataConnectorId"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataConnector"}}},"description":"The data connector","required":true,"x-ms-parameter-location":"method"},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataConnector"},"examples":{"Creates or updates an Office365 data connector.":{"$ref":"#/components/examples/Creates_or_updates_an_Office365_data_connector."}}}}},"201":{"description":"Created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataConnector"},"examples":{"Creates or updates an Office365 data connector.":{"$ref":"#/components/examples/Creates_or_updates_an_Office365_data_connector."}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CloudError"}}}}},"tags":["Data 
Connectors"]}}},"servers":[{"url":"https://management.azure.com"}],"components":{"examples":{"Get_all_alert_rules.":{"value":{"value":[{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5","kind":"Scheduled","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","properties":{"description":"","displayName":"Rule2","enabled":true,"lastModifiedUtc":"2019-01-01T13:15:30Z","query":"ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden","queryFrequency":"PT1H","queryPeriod":"P2DT1H30M","severity":"High","suppressionDuration":"PT1H","suppressionEnabled":false,"tactics":["Persistence","LateralMovement"],"triggerOperator":"GreaterThan","triggerThreshold":0},"type":"Microsoft.SecurityInsights/alertRules"},{"etag":"\"260097e0-0000-0d00-0000-5d6fa88f0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample","kind":"MicrosoftSecurityIncidentCreation","name":"microsoftSecurityIncidentCreationRuleExample","properties":{"displayName":"testing displayname","enabled":true,"lastModifiedUtc":"2019-09-04T12:05:35.7296311Z","productFilter":"Microsoft Cloud App Security"},"type":"Microsoft.SecurityInsights/alertRules"},{"etag":"\"25005c11-0000-0d00-0000-5d6cc0e20000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule","kind":"Fusion","name":"myFirstFusionRule","properties":{"alertRuleTemplateName":"f71aba3d-28fb-450b-b192-4e76a83015c8","description":"In this mode, Sentinel combines low fidelity 
alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion","displayName":"Advanced Multi-Stage Attack Detection","enabled":false,"lastModifiedUtc":"2019-09-02T07:12:34.9065092Z","severity":"High","tactics":["Persistence","LateralMovement","Exfiltration","CommandAndControl"]},"type":"Microsoft.SecurityInsights/alertRules"}]}},"Get_a_Fusion_alert_rule.":{"value":{"etag":"\"260090e2-0000-0d00-0000-5d6fb8670000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule","kind":"Fusion","name":"myFirstFusionRule","properties":{"alertRuleTemplateName":"f71aba3d-28fb-450b-b192-4e76a83015c8","description":"In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. 
Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion","displayName":"Advanced Multi-Stage Attack Detection","enabled":true,"lastModifiedUtc":"2019-09-04T13:13:11.5340061Z","severity":"High","tactics":["Persistence","LateralMovement","Exfiltration","CommandAndControl"]},"type":"Microsoft.SecurityInsights/alertRules"}},"Get_a_MicrosoftSecurityIncidentCreation_rule.":{"value":{"etag":"\"260097e0-0000-0d00-0000-5d6fa88f0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample","kind":"MicrosoftSecurityIncidentCreation","name":"microsoftSecurityIncidentCreationRuleExample","properties":{"displayName":"testing displayname","enabled":true,"lastModifiedUtc":"2019-09-04T12:05:35.7296311Z","productFilter":"Microsoft Cloud App 
Security"},"type":"Microsoft.SecurityInsights/alertRules"}},"Get_a_Scheduled_alert_rule.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5","kind":"Scheduled","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","properties":{"description":"","displayName":"Rule2","enabled":true,"lastModifiedUtc":"2019-01-01T13:15:30Z","query":"ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden","queryFrequency":"PT1H","queryPeriod":"P2DT1H30M","severity":"High","suppressionDuration":"PT1H","suppressionEnabled":false,"tactics":["Persistence","LateralMovement"],"triggerOperator":"GreaterThan","triggerThreshold":0},"type":"Microsoft.SecurityInsights/alertRules"}},"Creates_or_updates_a_Fusion_alert_rule.":{"value":{"etag":"\"260090e2-0000-0d00-0000-5d6fb8670000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule","kind":"Fusion","name":"myFirstFusionRule","properties":{"alertRuleTemplateName":"f71aba3d-28fb-450b-b192-4e76a83015c8","description":"In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. 
By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion","displayName":"Advanced Multi-Stage Attack Detection","enabled":true,"lastModifiedUtc":"2019-09-04T13:13:11.5340061Z","severity":"High","tactics":["Persistence","LateralMovement","Exfiltration","CommandAndControl"]},"type":"Microsoft.SecurityInsights/alertRules"}},"Creates_or_updates_a_MicrosoftSecurityIncidentCreation_rule.":{"value":{"etag":"\"260097e0-0000-0d00-0000-5d6fa88f0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample","kind":"MicrosoftSecurityIncidentCreation","name":"microsoftSecurityIncidentCreationRuleExample","properties":{"displayName":"testing displayname","enabled":true,"lastModifiedUtc":"2019-09-04T12:05:35.7296311Z","productFilter":"Microsoft Cloud App Security"},"type":"Microsoft.SecurityInsights/alertRules"}},"Creates_or_updates_a_Scheduled_alert_rule.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5","kind":"Scheduled","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","properties":{"description":"","displayName":"Rule2","enabled":true,"lastModifiedUtc":"2019-01-01T13:15:30Z","query":"ProtectionStatus | extend 
HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden","queryFrequency":"PT1H","queryPeriod":"P2DT1H30M","severity":"High","suppressionDuration":"PT1H","suppressionEnabled":false,"tactics":["Persistence","LateralMovement"],"triggerOperator":"GreaterThan","triggerThreshold":0},"type":"Microsoft.SecurityInsights/alertRules"}},"Get_all_actions_of_alert_rule.":{"value":{"value":[{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e","name":"912bec42-cb66-4c03-ac63-1761b6898c3e","properties":{"logicAppResourceId":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts","workflowId":"cd3765391efd48549fd7681ded1d48d7"},"type":"Microsoft.SecurityInsights/alertRules/actions"}]}},"Get_an_action_of_alert_rule.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e","name":"912bec42-cb66-4c03-ac63-1761b6898c3e","properties":{"logicAppResourceId":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts","workflowId":"cd3765391efd48549fd7681ded1d48d7"},"type":"Microsoft.SecurityInsights/alertRules/actions"}},"Creates_or_updates_an_action_of_alert_rule.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a
99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e","name":"912bec42-cb66-4c03-ac63-1761b6898c3e","properties":{"logicAppResourceId":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts","workflowId":"cd3765391efd48549fd7681ded1d48d7"},"type":"Microsoft.SecurityInsights/alertRules/actions"}},"Get_all_data_connectors.":{"value":{"value":[{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12","kind":"AzureSecurityCenter","name":"763f9fa1-c2d3-4fa2-93e9-bccd4899aa12","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"subscriptionId":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04","kind":"ThreatIntelligence","name":"c345bf40-8509-4ed2-b947-50cb773aaf04","properties":{"dataTypes":{"indicators":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d","kind":"AzureActiveDirectory","name":"f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\
"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5","kind":"Office365","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","properties":{"dataTypes":{"exchange":{"state":"Enabled"},"sharePoint":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42","kind":"MicrosoftCloudAppSecurity","name":"b96d014d-b5c2-4a01-9aba-a8058f629d42","properties":{"dataTypes":{"alerts":{"state":"Enabled"},"discoveryLogs":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44","kind":"AzureAdvancedThreatProtection","name":"07e42cb3-e658-4e90-801c-efa0f29d3d44","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04","kind":"AmazonWebServicesCloudTrail","name":"c345bf40-8509-4ed2-b947-50cb773aaf04","properties":{"aw
sRoleArn":"myAwsRoleArn","dataTypes":{"logs":{"state":"Enabled"}}},"type":"Microsoft.SecurityInsights/dataConnectors"},{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b","kind":"MicrosoftDefenderAdvancedThreatProtection","name":"06b3ccb8-1384-4bcc-aec7-852f6d57161b","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}]}},"Get_a_ASC_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12","kind":"AzureSecurityCenter","name":"763f9fa1-c2d3-4fa2-93e9-bccd4899aa12","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"subscriptionId":"c0688291-89d7-4bed-87a2-a7b1bff43f4c"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_a_MCAS_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42","kind":"MicrosoftCloudAppSecurity","name":"b96d014d-b5c2-4a01-9aba-a8058f629d42","properties":{"dataTypes":{"alerts":{"state":"Enabled"},"discoveryLogs":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_a_MDATP_data_connector":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Mi
crosoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b","kind":"MicrosoftDefenderAdvancedThreatProtection","name":"06b3ccb8-1384-4bcc-aec7-852f6d57161b","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_a_TI_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04","kind":"ThreatIntelligence","name":"c345bf40-8509-4ed2-b947-50cb773aaf04","properties":{"dataTypes":{"indicators":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_an_AAD_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d","kind":"AzureActiveDirectory","name":"f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_an_AATP_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44","kind":"AzureAdvancedThreatProtection","name":"07e42cb3-e658-4e90-801c-efa0f29d3d44","properties":{"dataTypes":{"alerts":{"state":"Enabled"}},"tenantId":"2070ecc9-b
4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_an_AwsCloudTrail_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04","kind":"AmazonWebServicesCloudTrail","name":"c345bf40-8509-4ed2-b947-50cb773aaf04","properties":{"awsRoleArn":"myAwsRoleArn","dataTypes":{"logs":{"state":"Enabled"}}},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Get_an_Office365_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5","kind":"Office365","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","properties":{"dataTypes":{"exchange":{"state":"Enabled"},"sharePoint":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}},"Creates_or_updates_an_Office365_data_connector.":{"value":{"etag":"\"0300bf09-0000-0000-0000-5c37296e0000\"","id":"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5","kind":"Office365","name":"73e01a99-5cd7-4139-a149-9f2736ff2ab5","properties":{"dataTypes":{"exchange":{"state":"Enabled"},"sharePoint":{"state":"Enabled"}},"tenantId":"2070ecc9-b4d5-4ae4-adaa-936fa1954fa8"},"type":"Microsoft.SecurityInsights/dataConnectors"}}},"parameters":{"ActionId":{"description":"Action 
ID","in":"path","name":"actionId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"},"examples":{"Delete an action of alert rule.":{"value":"912bec42-cb66-4c03-ac63-1761b6898c3e"},"Get an action of alert rule.":{"value":"912bec42-cb66-4c03-ac63-1761b6898c3e"},"Creates or updates an action of alert rule.":{"value":"912bec42-cb66-4c03-ac63-1761b6898c3e"}}},"AggregationsName":{"description":"The aggregation name. Supports - Cases","in":"path","name":"aggregationsName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"}},"AlertRuleTemplateId":{"description":"Alert rule template ID","in":"path","name":"alertRuleTemplateId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"}},"ApiVersion":{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string","enum":["2020-01-01"]},"examples":{"Get all alert rules.":{"value":"2020-01-01"},"Delete an alert rule.":{"value":"2020-01-01"},"Get a Fusion alert rule.":{"value":"2020-01-01"},"Get a MicrosoftSecurityIncidentCreation rule.":{"value":"2020-01-01"},"Get a Scheduled alert rule.":{"value":"2020-01-01"},"Creates or updates a Fusion alert rule.":{"value":"2020-01-01"},"Creates or updates a MicrosoftSecurityIncidentCreation rule.":{"value":"2020-01-01"},"Creates or updates a Scheduled alert rule.":{"value":"2020-01-01"},"Get all actions of alert rule.":{"value":"2020-01-01"},"Delete an action of alert rule.":{"value":"2020-01-01"},"Get an action of alert rule.":{"value":"2020-01-01"},"Creates or updates an action of alert rule.":{"value":"2020-01-01"},"Get all data connectors.":{"value":"2020-01-01"},"Delete an Office365 data connector.":{"value":"2020-01-01"},"Get a ASC data connector.":{"value":"2020-01-01"},"Get a MCAS data connector.":{"value":"2020-01-01"},"Get a MDATP data connector":{"value":"2020-01-01"},"Get a TI data connector.":{"value":"2020-01-01"},"Get an AAD data 
connector.":{"value":"2020-01-01"},"Get an AATP data connector.":{"value":"2020-01-01"},"Get an AwsCloudTrail data connector.":{"value":"2020-01-01"},"Get an Office365 data connector.":{"value":"2020-01-01"},"Creates or updates an Office365 data connector.":{"value":"2020-01-01"}}},"ConsentId":{"description":"consent ID","in":"path","name":"consentId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"}},"DataConnectorId":{"description":"Connector ID","in":"path","name":"dataConnectorId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"},"examples":{"Delete an Office365 data connector.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Get a ASC data connector.":{"value":"763f9fa1-c2d3-4fa2-93e9-bccd4899aa12"},"Get a MCAS data connector.":{"value":"b96d014d-b5c2-4a01-9aba-a8058f629d42"},"Get a MDATP data connector":{"value":"06b3ccb8-1384-4bcc-aec7-852f6d57161b"},"Get a TI data connector.":{"value":"c345bf40-8509-4ed2-b947-50cb773aaf04"},"Get an AAD data connector.":{"value":"f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d"},"Get an AATP data connector.":{"value":"07e42cb3-e658-4e90-801c-efa0f29d3d44"},"Get an AwsCloudTrail data connector.":{"value":"c345bf40-8509-4ed2-b947-50cb773aaf04"},"Get an Office365 data connector.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Creates or updates an Office365 data connector.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"}}},"EntityId":{"description":"entity ID","in":"path","name":"entityId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"}},"EntityQueryId":{"description":"entity query ID","in":"path","name":"entityQueryId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"}},"ODataFilter":{"description":"Filters the results, based on a Boolean condition. Optional.","in":"query","name":"$filter","required":false,"x-ms-parameter-location":"method","schema":{"type":"string"}},"ODataOrderBy":{"description":"Sorts the results. 
Optional.","in":"query","name":"$orderby","required":false,"x-ms-parameter-location":"method","schema":{"type":"string"}},"ODataSkipToken":{"description":"Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.","in":"query","name":"$skipToken","required":false,"x-ms-parameter-location":"method","schema":{"type":"string"}},"ODataTop":{"description":"Returns only the first n results. Optional.","in":"query","name":"$top","required":false,"x-ms-parameter-location":"method","schema":{"type":"integer","format":"int32"}},"ResourceGroupName":{"description":"The name of the resource group within the user's subscription. The name is case insensitive.","in":"path","name":"resourceGroupName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90,"pattern":"^[-\\w\\._\\(\\)]+$"},"examples":{"Get all alert rules.":{"value":"myRg"},"Delete an alert rule.":{"value":"myRg"},"Get a Fusion alert rule.":{"value":"myRg"},"Get a MicrosoftSecurityIncidentCreation rule.":{"value":"myRg"},"Get a Scheduled alert rule.":{"value":"myRg"},"Creates or updates a Fusion alert rule.":{"value":"myRg"},"Creates or updates a MicrosoftSecurityIncidentCreation rule.":{"value":"myRg"},"Creates or updates a Scheduled alert rule.":{"value":"myRg"},"Get all actions of alert rule.":{"value":"myRg"},"Delete an action of alert rule.":{"value":"myRg"},"Get an action of alert rule.":{"value":"myRg"},"Creates or updates an action of alert rule.":{"value":"myRg"},"Get all data connectors.":{"value":"myRg"},"Delete an Office365 data connector.":{"value":"myRg"},"Get a ASC data connector.":{"value":"myRg"},"Get a MCAS data connector.":{"value":"myRg"},"Get a MDATP data connector":{"value":"myRg"},"Get a TI data connector.":{"value":"myRg"},"Get an AAD data 
connector.":{"value":"myRg"},"Get an AATP data connector.":{"value":"myRg"},"Get an AwsCloudTrail data connector.":{"value":"myRg"},"Get an Office365 data connector.":{"value":"myRg"},"Creates or updates an Office365 data connector.":{"value":"myRg"}}},"RuleId":{"description":"Alert rule ID","in":"path","name":"ruleId","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"},"examples":{"Delete an alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Get a Fusion alert rule.":{"value":"myFirstFusionRule"},"Get a MicrosoftSecurityIncidentCreation rule.":{"value":"microsoftSecurityIncidentCreationRuleExample"},"Get a Scheduled alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Creates or updates a Fusion alert rule.":{"value":"myFirstFusionRule"},"Creates or updates a MicrosoftSecurityIncidentCreation rule.":{"value":"microsoftSecurityIncidentCreationRuleExample"},"Creates or updates a Scheduled alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Get all actions of alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Delete an action of alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Get an action of alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"},"Creates or updates an action of alert rule.":{"value":"73e01a99-5cd7-4139-a149-9f2736ff2ab5"}}},"SettingsName":{"description":"The setting name. 
Supports- Fusion, UEBA","in":"path","name":"settingsName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"}},"SubscriptionId":{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get all alert rules.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Delete an alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a Fusion alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a MicrosoftSecurityIncidentCreation rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a Scheduled alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Creates or updates a Fusion alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Creates or updates a MicrosoftSecurityIncidentCreation rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Creates or updates a Scheduled alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get all actions of alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Delete an action of alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get an action of alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Creates or updates an action of alert rule.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get all data connectors.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Delete an Office365 data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a ASC data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a MCAS data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a MDATP data connector":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get a TI data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get an AAD data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get an AATP data 
connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get an AwsCloudTrail data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Get an Office365 data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"},"Creates or updates an Office365 data connector.":{"value":"d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"}}},"WorkspaceName":{"description":"The name of the workspace.","in":"path","name":"workspaceName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90},"examples":{"Get all alert rules.":{"value":"myWorkspace"},"Delete an alert rule.":{"value":"myWorkspace"},"Get a Fusion alert rule.":{"value":"myWorkspace"},"Get a MicrosoftSecurityIncidentCreation rule.":{"value":"myWorkspace"},"Get a Scheduled alert rule.":{"value":"myWorkspace"},"Creates or updates a Fusion alert rule.":{"value":"myWorkspace"},"Creates or updates a MicrosoftSecurityIncidentCreation rule.":{"value":"myWorkspace"},"Creates or updates a Scheduled alert rule.":{"value":"myWorkspace"},"Get all actions of alert rule.":{"value":"myWorkspace"},"Delete an action of alert rule.":{"value":"myWorkspace"},"Get an action of alert rule.":{"value":"myWorkspace"},"Creates or updates an action of alert rule.":{"value":"myWorkspace"},"Get all data connectors.":{"value":"myWorkspace"},"Delete an Office365 data connector.":{"value":"myWorkspace"},"Get a ASC data connector.":{"value":"myWorkspace"},"Get a MCAS data connector.":{"value":"myWorkspace"},"Get a MDATP data connector":{"value":"myWorkspace"},"Get a TI data connector.":{"value":"myWorkspace"},"Get an AAD data connector.":{"value":"myWorkspace"},"Get an AATP data connector.":{"value":"myWorkspace"},"Get an AwsCloudTrail data connector.":{"value":"myWorkspace"},"Get an Office365 data connector.":{"value":"myWorkspace"},"Creates or updates an Office365 data connector.":{"value":"myWorkspace"}}}},"securitySchemes":{"azure_auth":{"description":"Azure Active Directory OAuth2 
Flow","type":"oauth2","flows":{"implicit":{"authorizationUrl":"https://login.microsoftonline.com/common/oauth2/authorize","scopes":{"user_impersonation":"impersonate your user account"}}}}},"schemas":{"AADDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents AAD (Azure Active Directory) data connector.","properties":{"properties":{"$ref":"#/components/schemas/AADDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"AzureActiveDirectory"},"AADDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorTenantId"},{"$ref":"#/components/schemas/DataConnectorWithAlertsProperties"}],"description":"AAD (Azure Active Directory) data connector properties.","type":"object"},"AATPDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents AATP (Azure Advanced Threat Protection) data connector.","properties":{"properties":{"$ref":"#/components/schemas/AATPDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"AzureAdvancedThreatProtection"},"AATPDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorTenantId"},{"$ref":"#/components/schemas/DataConnectorWithAlertsProperties"}],"description":"AATP (Azure Advanced Threat Protection) data connector properties.","type":"object"},"ASCDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents ASC (Azure Security Center) data connector.","properties":{"properties":{"$ref":"#/components/schemas/ASCDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"AzureSecurityCenter"},"ASCDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorWithAlertsProperties"}],"description":"ASC (Azure Security Center) data connector properties.","properties":{"subscriptionId":{"description":"The subscription id to connect to, and get the data 
from.","type":"string"}},"type":"object"},"ActionPropertiesBase":{"description":"Action property bag base.","properties":{"logicAppResourceId":{"description":"Logic App Resource Id, providers/Microsoft.Logic/workflows/{WorkflowID}.","type":"string"}},"required":["logicAppResourceId"],"type":"object"},"ActionRequest":{"allOf":[{"$ref":"#/components/schemas/ResourceWithEtag"}],"description":"Action for alert rule.","properties":{"properties":{"$ref":"#/components/schemas/ActionRequestProperties"}},"type":"object"},"ActionRequestProperties":{"allOf":[{"$ref":"#/components/schemas/ActionPropertiesBase"}],"description":"Action property bag.","properties":{"triggerUri":{"description":"Logic App Callback URL for this specific workflow.","type":"string"}},"type":"object"},"ActionResponse":{"allOf":[{"$ref":"#/components/schemas/Resource"}],"description":"Action for alert rule.","properties":{"etag":{"description":"Etag of the action.","type":"string"},"properties":{"$ref":"#/components/schemas/ActionResponseProperties"}},"type":"object"},"ActionResponseProperties":{"allOf":[{"$ref":"#/components/schemas/ActionPropertiesBase"}],"description":"Action property bag.","properties":{"workflowId":{"description":"The name of the logic app's workflow.","type":"string"}},"type":"object"},"ActionsList":{"description":"List all the actions.","properties":{"nextLink":{"description":"URL to fetch the next set of actions.","readOnly":true,"type":"string"},"value":{"description":"Array of actions.","items":{"$ref":"#/components/schemas/ActionResponse"},"type":"array"}},"required":["value"]},"AlertRule":{"allOf":[{"$ref":"#/components/schemas/ResourceWithEtag"},{"$ref":"#/components/schemas/AlertRuleKind"}],"description":"Alert rule.","discriminator":{"propertyName":"kind"},"required":["kind"],"type":"object"},"AlertRuleKind":{"description":"Describes an Azure resource with kind.","properties":{"kind":{"description":"The kind of the alert 
rule","enum":["Scheduled","MicrosoftSecurityIncidentCreation","Fusion"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"AlertRuleKind","values":[{"value":"Scheduled"},{"value":"MicrosoftSecurityIncidentCreation"},{"value":"Fusion"}]}}},"required":["kind"],"type":"object"},"AlertRuleTemplate":{"allOf":[{"$ref":"#/components/schemas/Resource"},{"$ref":"#/components/schemas/AlertRuleKind"}],"description":"Alert rule template.","discriminator":{"propertyName":"kind"},"required":["kind"],"type":"object"},"AlertRuleTemplateDataSource":{"description":"alert rule template data sources","properties":{"connectorId":{"description":"The connector id that provides the following data types","type":"string"},"dataTypes":{"description":"The data types used by the alert rule template","items":{"type":"string"},"type":"array"}},"type":"object"},"AlertRuleTemplatePropertiesBase":{"description":"Base alert rule template property bag.","properties":{"alertRulesCreatedByTemplateCount":{"description":"the number of alert rules that were created by this template","type":"integer"},"createdDateUTC":{"description":"The time that this alert rule template has been added.","format":"date-time","readOnly":true,"type":"string"},"description":{"description":"The description of the alert rule template.","type":"string"},"displayName":{"description":"The display name for alert rule template.","type":"string"},"requiredDataConnectors":{"description":"The required data connectors for this template","items":{"$ref":"#/components/schemas/AlertRuleTemplateDataSource"},"type":"array"},"status":{"description":"The alert rule template status.","enum":["Installed","Available","NotAvailable"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"TemplateStatus","values":[{"description":"Alert rule template installed. 
and cannot be used more than once","value":"Installed"},{"description":"Alert rule template is available.","value":"Available"},{"description":"Alert rule template is not available","value":"NotAvailable"}]}}},"type":"object"},"AlertRuleTriggerOperator":{"description":"The operation against the threshold that triggers the alert rule.","enum":["GreaterThan","LessThan","Equal","NotEqual"],"type":"string","x-ms-enum":{"modelAsString":false,"name":"TriggerOperator"}},"AlertRulesList":{"description":"List all the alert rules.","properties":{"nextLink":{"description":"URL to fetch the next set of alert rules.","readOnly":true,"type":"string"},"value":{"description":"Array of alert rules.","items":{"$ref":"#/components/schemas/AlertRule"},"type":"array"}},"required":["value"]},"AlertSeverity":{"description":"The severity of the alert","enum":["High","Medium","Low","Informational"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"AlertSeverity","values":[{"description":"High severity","value":"High"},{"description":"Medium severity","value":"Medium"},{"description":"Low severity","value":"Low"},{"description":"Informational severity","value":"Informational"}]}},"AlertsDataTypeOfDataConnector":{"description":"Alerts data type for data connectors.","properties":{"alerts":{"allOf":[{"$ref":"#/components/schemas/DataConnectorDataTypeCommon"}],"description":"Alerts data type connection.","type":"object"}},"type":"object"},"AttackTactic":{"description":"The attack tactic of the alert rule.","enum":["InitialAccess","Execution","Persistence","PrivilegeEscalation","DefenseEvasion","CredentialAccess","Discovery","LateralMovement","Collection","Exfiltration","CommandAndControl","Impact"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"AttackTactic"}},"AwsCloudTrailDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents Amazon Web Services CloudTrail data
connector.","properties":{"properties":{"$ref":"#/components/schemas/AwsCloudTrailDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"AmazonWebServicesCloudTrail"},"AwsCloudTrailDataConnectorDataTypes":{"description":"The available data types for Amazon Web Services CloudTrail data connector.","properties":{"logs":{"allOf":[{"$ref":"#/components/schemas/DataConnectorDataTypeCommon"}],"description":"Logs data type.","type":"object"}},"type":"object"},"AwsCloudTrailDataConnectorProperties":{"description":"Amazon Web Services CloudTrail data connector properties.","properties":{"awsRoleArn":{"description":"The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.","type":"string"},"dataTypes":{"$ref":"#/components/schemas/AwsCloudTrailDataConnectorDataTypes"}},"type":"object"},"CloudError":{"description":"Error response structure.","properties":{"error":{"$ref":"#/components/schemas/CloudErrorBody"}},"type":"object","x-ms-external":true},"CloudErrorBody":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true},"DataConnector":{"allOf":[{"$ref":"#/components/schemas/ResourceWithEtag"},{"$ref":"#/components/schemas/DataConnectorKind"}],"description":"Data connector.","discriminator":{"propertyName":"kind"},"required":["kind"],"type":"object"},"DataConnectorDataTypeCommon":{"description":"Common field for data type in data connectors.","properties":{"state":{"description":"Describe whether this data type connection is enabled or not.","enum":["Enabled","Disabled"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"DataTypeState"}}},"type":"object"},"DataConnectorKind":{"description":"Describes an Azure resource with kind.","properties":{"kind":{"description":"The kind of the data connector","enum":["AzureActiveDirectory","AzureSecurityCenter","MicrosoftCloudAppSecurity","ThreatIntelligence","Office365","AmazonWebServicesCloudTrail","AzureAdvancedThreatProtection","MicrosoftDefenderAdvancedThreatProtection"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"DataConnectorKind","values":[{"value":"AzureActiveDirectory"},{"value":"AzureSecurityCenter"},{"value":"MicrosoftCloudAppSecurity"},{"value":"ThreatIntelligence"},{"value":"Office365"},{"value":"AmazonWebServicesCloudTrail"},{"value":"AzureAdvancedThreatProtection"},{"value":"MicrosoftDefenderAdvancedThreatProtection"}]}}},"type":"object"},"DataConnectorList":{"description":"List all the data connectors.","properties":{"nextLink":{"description":"URL to fetch the next set of data connectors.","readOnly":true,"type":"string"},"value":{"description":"Array of data connectors.","items":{"$ref":"#/components/schemas/DataConnector"},"type":"array"}},"required":["value"]},"DataConnectorTenantId":{"description":"Properties data 
connector on tenant level.","properties":{"tenantId":{"description":"The tenant id to connect to, and get the data from.","type":"string"}},"type":"object"},"DataConnectorWithAlertsProperties":{"description":"Data connector properties.","properties":{"dataTypes":{"$ref":"#/components/schemas/AlertsDataTypeOfDataConnector"}},"type":"object"},"FusionAlertRule":{"allOf":[{"$ref":"#/components/schemas/AlertRule"}],"description":"Represents Fusion alert rule.","properties":{"properties":{"$ref":"#/components/schemas/FusionAlertRuleProperties"}},"type":"object","x-ms-discriminator-value":"Fusion"},"FusionAlertRuleProperties":{"description":"Fusion alert rule base property bag.","properties":{"alertRuleTemplateName":{"description":"The Name of the alert rule template used to create this rule.","type":"string"},"description":{"description":"The description of the alert rule.","readOnly":true,"type":"string"},"displayName":{"description":"The display name for alerts created by this alert rule.","readOnly":true,"type":"string"},"enabled":{"description":"Determines whether this alert rule is enabled or disabled.","type":"boolean"},"lastModifiedUtc":{"description":"The last time that this alert has been modified.","format":"date-time","readOnly":true,"type":"string"},"severity":{"$ref":"#/components/schemas/AlertSeverity"},"tactics":{"description":"The tactics of the alert rule","items":{"$ref":"#/components/schemas/AttackTactic"},"readOnly":true,"type":"array"}},"required":["alertRuleTemplateName","enabled"],"type":"object"},"FusionAlertRuleTemplate":{"allOf":[{"$ref":"#/components/schemas/AlertRuleTemplate"}],"description":"Represents Fusion alert rule template.","properties":{"properties":{"allOf":[{"$ref":"#/components/schemas/AlertRuleTemplatePropertiesBase"}],"description":"Fusion alert rule template properties","properties":{"severity":{"$ref":"#/components/schemas/AlertSeverity"},"tactics":{"description":"The tactics of the alert rule 
template","items":{"$ref":"#/components/schemas/AttackTactic"},"type":"array"}},"required":["displayName","description","status","severity","alertRulesCreatedByTemplateCount"],"x-ms-client-flatten":true}},"type":"object","x-ms-discriminator-value":"Fusion"},"IncidentInfo":{"description":"Describes related incident information for the bookmark","properties":{"incidentId":{"description":"Incident Id","type":"string"},"relationName":{"description":"Relation Name","type":"string"},"severity":{"description":"The severity of the incident","enum":["Critical","High","Medium","Low","Informational"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"IncidentSeverity","values":[{"description":"Critical severity","value":"Critical"},{"description":"High severity","value":"High"},{"description":"Medium severity","value":"Medium"},{"description":"Low severity","value":"Low"},{"description":"Informational severity","value":"Informational"}]}},"title":{"description":"The title of the incident","type":"string"}},"required":["incidentId","severity","title","relationName"],"type":"object"},"Label":{"description":"Label that will be used to tag and filter on.","type":"string"},"MCASDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents MCAS (Microsoft Cloud App Security) data connector.","properties":{"properties":{"$ref":"#/components/schemas/MCASDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"MicrosoftCloudAppSecurity"},"MCASDataConnectorDataTypes":{"allOf":[{"$ref":"#/components/schemas/AlertsDataTypeOfDataConnector"}],"description":"The available data types for MCAS (Microsoft Cloud App Security) data connector.","properties":{"discoveryLogs":{"allOf":[{"$ref":"#/components/schemas/DataConnectorDataTypeCommon"}],"description":"Discovery log data type 
connection.","type":"object"}},"type":"object"},"MCASDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorTenantId"}],"description":"MCAS (Microsoft Cloud App Security) data connector properties.","properties":{"dataTypes":{"$ref":"#/components/schemas/MCASDataConnectorDataTypes"}},"type":"object"},"MDATPDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.","properties":{"properties":{"$ref":"#/components/schemas/MDATPDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"MicrosoftDefenderAdvancedThreatProtection"},"MDATPDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorTenantId"},{"$ref":"#/components/schemas/DataConnectorWithAlertsProperties"}],"description":"MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.","type":"object"},"MicrosoftSecurityIncidentCreationAlertRule":{"allOf":[{"$ref":"#/components/schemas/AlertRule"}],"description":"Represents MicrosoftSecurityIncidentCreation rule.","properties":{"properties":{"$ref":"#/components/schemas/MicrosoftSecurityIncidentCreationAlertRuleProperties"}},"type":"object","x-ms-discriminator-value":"MicrosoftSecurityIncidentCreation"},"MicrosoftSecurityIncidentCreationAlertRuleCommonProperties":{"description":"MicrosoftSecurityIncidentCreation rule common property bag.","properties":{"displayNamesFilter":{"description":"the alerts' displayNames on which the cases will be generated","items":{"type":"string"},"type":"array"},"productFilter":{"description":"The alerts' productName on which the cases will be generated","enum":["Microsoft Cloud App Security","Azure Security Center","Azure Advanced Threat Protection","Azure Active Directory Identity Protection","Azure Security Center for 
IoT"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"MicrosoftSecurityProductName"}},"severitiesFilter":{"description":"the alerts' severities on which the cases will be generated","items":{"$ref":"#/components/schemas/AlertSeverity"},"type":"array"}},"required":["productFilter"],"type":"object"},"MicrosoftSecurityIncidentCreationAlertRuleProperties":{"allOf":[{"$ref":"#/components/schemas/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties"}],"description":"MicrosoftSecurityIncidentCreation rule property bag.","properties":{"alertRuleTemplateName":{"description":"The Name of the alert rule template used to create this rule.","type":"string"},"description":{"description":"The description of the alert rule.","type":"string"},"displayName":{"description":"The display name for alerts created by this alert rule.","type":"string"},"enabled":{"description":"Determines whether this alert rule is enabled or disabled.","type":"boolean"},"lastModifiedUtc":{"description":"The last time that this alert has been modified.","format":"date-time","readOnly":true,"type":"string"}},"required":["displayName","enabled","productFilter"],"type":"object"},"MicrosoftSecurityIncidentCreationAlertRuleTemplate":{"allOf":[{"$ref":"#/components/schemas/AlertRuleTemplate"}],"description":"Represents MicrosoftSecurityIncidentCreation rule template.","properties":{"properties":{"allOf":[{"$ref":"#/components/schemas/AlertRuleTemplatePropertiesBase"},{"$ref":"#/components/schemas/MicrosoftSecurityIncidentCreationAlertRuleCommonProperties"}],"description":"MicrosoftSecurityIncidentCreation rule template properties","required":["displayName","description","createdDateUTC","status","alertRulesCreatedByTemplateCount","productFilter"],"x-ms-client-flatten":true}},"type":"object","x-ms-discriminator-value":"MicrosoftSecurityIncidentCreation"},"OfficeConsent":{"allOf":[{"$ref":"#/components/schemas/Resource"}],"description":"Consent for Office365 tenant that already 
made.","properties":{"properties":{"$ref":"#/components/schemas/OfficeConsentProperties"}},"type":"object"},"OfficeConsentList":{"description":"List of all the office365 consents.","properties":{"nextLink":{"description":"URL to fetch the next set of office consents.","readOnly":true,"type":"string"},"value":{"description":"Array of the consents.","items":{"$ref":"#/components/schemas/OfficeConsent"},"type":"array"}},"required":["value"]},"OfficeConsentProperties":{"description":"Consent property bag.","properties":{"tenantId":{"description":"The tenantId of the Office365 with the consent.","type":"string"},"tenantName":{"description":"The tenant name of the Office365 with the consent.","readOnly":true,"type":"string"}},"type":"object"},"OfficeDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents office data connector.","properties":{"properties":{"$ref":"#/components/schemas/OfficeDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"Office365"},"OfficeDataConnectorDataTypes":{"description":"The available data types for office data connector.","properties":{"exchange":{"allOf":[{"$ref":"#/components/schemas/DataConnectorDataTypeCommon"}],"description":"Exchange data type connection.","type":"object"},"sharePoint":{"allOf":[{"$ref":"#/components/schemas/DataConnectorDataTypeCommon"}],"description":"SharePoint data type connection.","type":"object"}},"type":"object"},"OfficeDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorTenantId"}],"description":"Office data connector properties.","properties":{"dataTypes":{"$ref":"#/components/schemas/OfficeDataConnectorDataTypes"}},"type":"object"},"Operation":{"description":"Operation provided by provider","properties":{"display":{"description":"Properties of the operation","properties":{"description":{"description":"Description of the operation","type":"string"},"operation":{"description":"Operation 
name","type":"string"},"provider":{"description":"Provider name","type":"string"},"resource":{"description":"Resource name","type":"string"}},"type":"object"},"name":{"description":"Name of the operation","type":"string"}}},"OperationsList":{"description":"Lists the operations available in the SecurityInsights RP.","properties":{"nextLink":{"description":"URL to fetch the next set of operations.","type":"string"},"value":{"description":"Array of operations","items":{"$ref":"#/components/schemas/Operation"},"type":"array"}},"required":["value"]},"Resource":{"description":"An azure resource object","properties":{"id":{"description":"Azure resource Id","readOnly":true,"type":"string"},"name":{"description":"Azure resource name","readOnly":true,"type":"string"},"type":{"description":"Azure resource type","readOnly":true,"type":"string"}},"x-ms-azure-resource":true},"ResourceWithEtag":{"description":"An azure resource object with an Etag property","properties":{"etag":{"description":"Etag of the azure resource","type":"string"},"id":{"description":"Azure resource Id","readOnly":true,"type":"string"},"name":{"description":"Azure resource name","readOnly":true,"type":"string"},"type":{"description":"Azure resource type","readOnly":true,"type":"string"}},"x-ms-azure-resource":true},"ScheduledAlertRule":{"allOf":[{"$ref":"#/components/schemas/AlertRule"}],"description":"Represents scheduled alert rule.","properties":{"properties":{"$ref":"#/components/schemas/ScheduledAlertRuleProperties"}},"type":"object","x-ms-discriminator-value":"Scheduled"},"ScheduledAlertRuleCommonProperties":{"description":"Schedule alert rule template property bag.","properties":{"query":{"description":"The query that creates alerts for this rule.","type":"string"},"queryFrequency":{"description":"The frequency (in ISO 8601 duration format) for this alert rule to run.","format":"duration","type":"string"},"queryPeriod":{"description":"The period (in ISO 8601 duration format) that this alert rule 
looks at.","format":"duration","type":"string"},"severity":{"$ref":"#/components/schemas/AlertSeverity"},"triggerOperator":{"$ref":"#/components/schemas/AlertRuleTriggerOperator"},"triggerThreshold":{"description":"The threshold that triggers this alert rule.","type":"integer"}},"type":"object"},"ScheduledAlertRuleProperties":{"allOf":[{"$ref":"#/components/schemas/ScheduledAlertRuleCommonProperties"}],"description":"Scheduled alert rule base property bag.","properties":{"alertRuleTemplateName":{"description":"The Name of the alert rule template used to create this rule.","type":"string"},"description":{"description":"The description of the alert rule.","type":"string"},"displayName":{"description":"The display name for alerts created by this alert rule.","type":"string"},"enabled":{"description":"Determines whether this alert rule is enabled or disabled.","type":"boolean"},"lastModifiedUtc":{"description":"The last time that this alert rule has been modified.","format":"date-time","readOnly":true,"type":"string"},"suppressionDuration":{"description":"The suppression (in ISO 8601 duration format) to wait since the last time this alert rule has been triggered.","format":"duration","type":"string"},"suppressionEnabled":{"description":"Determines whether the suppression for this alert rule is enabled or disabled.","type":"boolean"},"tactics":{"description":"The tactics of the alert rule","items":{"$ref":"#/components/schemas/AttackTactic"},"type":"array"}},"required":["displayName","enabled","severity","query","queryFrequency","queryPeriod","triggerOperator","triggerThreshold","suppressionEnabled","suppressionDuration"],"type":"object"},"ScheduledAlertRuleTemplate":{"allOf":[{"$ref":"#/components/schemas/AlertRuleTemplate"}],"description":"Represents scheduled alert rule template.","properties":{"properties":{"allOf":[{"$ref":"#/components/schemas/AlertRuleTemplatePropertiesBase"},{"$ref":"#/components/schemas/ScheduledAlertRuleCommonProperties"}],"description":"Scheduled alert 
rule template properties","properties":{"tactics":{"description":"The tactics of the alert rule template","items":{"$ref":"#/components/schemas/AttackTactic"},"type":"array"}},"required":["displayName","description","status","alertRulesCreatedByTemplateCount","severity","query","queryFrequency","queryPeriod","triggerOperator","triggerThreshold"],"x-ms-client-flatten":true}},"type":"object","x-ms-discriminator-value":"Scheduled"},"Settings":{"allOf":[{"$ref":"#/components/schemas/ResourceWithEtag"},{"$ref":"#/components/schemas/SettingsKind"}],"description":"The Setting.","discriminator":{"propertyName":"kind"},"required":["kind"],"type":"object"},"SettingsKind":{"description":"Describes an Azure resource with kind.","properties":{"kind":{"description":"The kind of the setting","enum":["UebaSettings","ToggleSettings"],"type":"string","x-ms-enum":{"modelAsString":true,"name":"SettingKind"}}},"type":"object"},"TIDataConnector":{"allOf":[{"$ref":"#/components/schemas/DataConnector"}],"description":"Represents threat intelligence data connector.","properties":{"properties":{"$ref":"#/components/schemas/TIDataConnectorProperties"}},"type":"object","x-ms-discriminator-value":"ThreatIntelligence"},"TIDataConnectorDataTypes":{"description":"The available data types for TI (Threat Intelligence) data connector.","properties":{"indicators":{"allOf":[{"$ref":"#/components/schemas/DataConnectorDataTypeCommon"}],"description":"Data type for indicators connection.","type":"object"}},"type":"object"},"TIDataConnectorProperties":{"allOf":[{"$ref":"#/components/schemas/DataConnectorTenantId"}],"description":"TI (Threat Intelligence) data connector properties.","properties":{"dataTypes":{"$ref":"#/components/schemas/TIDataConnectorDataTypes"}},"type":"object"},"ThreatIntelligence":{"description":"ThreatIntelligence property bag.","properties":{"confidence":{"description":"Confidence (must be between 0 and 
1)","format":"double","readOnly":true,"type":"number"},"providerName":{"description":"Name of the provider from whom this Threat Intelligence information was received","readOnly":true,"type":"string"},"reportLink":{"description":"Report link","readOnly":true,"type":"string"},"threatDescription":{"description":"Threat description (free text)","readOnly":true,"type":"string"},"threatName":{"description":"Threat name (e.g. \"Jedobot malware\")","readOnly":true,"type":"string"},"threatType":{"description":"Threat type (e.g. \"Botnet\")","readOnly":true,"type":"string"}},"type":"object"},"ToggleSettings":{"allOf":[{"$ref":"#/components/schemas/Settings"}],"description":"Settings with single toggle.","properties":{"properties":{"$ref":"#/components/schemas/ToggleSettingsProperties"}},"type":"object","x-ms-discriminator-value":"ToggleSettings"},"ToggleSettingsProperties":{"description":"Toggle property bag.","properties":{"isEnabled":{"description":"Determines whether the setting is enabled or disabled.","type":"boolean"}},"type":"object"},"UebaSettings":{"allOf":[{"$ref":"#/components/schemas/Settings"}],"description":"Represents settings for User and Entity Behavior Analytics enablement.","properties":{"properties":{"$ref":"#/components/schemas/UebaSettingsProperties"}},"type":"object","x-ms-discriminator-value":"UebaSettings"},"UebaSettingsProperties":{"description":"User and Entity Behavior Analytics settings property bag.","properties":{"atpLicenseStatus":{"description":"Determines whether the tenant has ATP (Advanced Threat Protection) license.","enum":["Enabled","Disabled"],"readOnly":true,"type":"string","x-ms-enum":{"modelAsString":true,"name":"LicenseStatus"}},"isEnabled":{"description":"Determines whether User and Entity Behavior Analytics is enabled for this workspace.","type":"boolean"},"statusInMcas":{"description":"Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App 
Security).","enum":["Enabled","Disabled"],"readOnly":true,"type":"string","x-ms-enum":{"modelAsString":true,"name":"StatusInMcas"}}},"type":"object"},"UserInfo":{"description":"Information about the user that performed an action","properties":{"email":{"description":"The email of the user.","readOnly":true,"type":"string"},"name":{"description":"The name of the user.","readOnly":true,"type":"string"},"objectId":{"description":"The object id of the user.","format":"uuid","type":"string","nullable":true}},"required":["objectId"],"type":"object"}}}}