From 9fabaf0061bd9f04895d04542bd89bacbc406893 Mon Sep 17 00:00:00 2001 
From: SDKAuto Date: Tue, 17 Aug 2021 13:05:38 +0000 Subject: [PATCH] CodeGen from PR 15657 in Azure/azure-rest-api-specs Merge f50c643b5f0a961c489a76e5e11b9380c3a12253 into f207d70f06834898e161fe36c9d4dfc34bc3b4d3 --- .../azext_sentinel/azext_metadata.json | 3 +- .../generated/_client_factory.py | 46 +- .../azext_sentinel/generated/_help.py | 1026 ++- .../azext_sentinel/generated/_params.py | 678 +- .../azext_sentinel/generated/action.py | 377 +- .../azext_sentinel/generated/commands.py | 178 +- .../azext_sentinel/generated/custom.py | 1211 ++- .../azext_sentinel/tests/__init__.py | 8 +- .../tests/latest/example_steps.py | 687 ++ .../tests/latest/test_sentinel_scenario.py | 139 +- .../latest/test_sentinel_scenario_coverage.md | 2 - .../securityinsight/_configuration.py | 2 +- .../securityinsight/_security_insights.py | 84 +- .../securityinsight/aio/_configuration.py | 2 +- .../securityinsight/aio/_security_insights.py | 84 +- .../aio/operations/__init__.py | 40 +- ...k_operations.py => _actions_operations.py} | 164 +- ...py => _alert_rule_templates_operations.py} | 18 +- ...erations.py => _alert_rules_operations.py} | 112 +- ...ns.py => _incident_comments_operations.py} | 98 +- ...s.py => _incident_relations_operations.py} | 134 +- ...operations.py => _incidents_operations.py} | 245 +- ...operation_operations.py => _operations.py} | 6 +- ...telligence_indicator_metrics_operations.py | 105 + ...hreat_intelligence_indicator_operations.py | 575 ++ ...eat_intelligence_indicators_operations.py} | 55 +- .../operations/_watchlist_items_operations.py | 354 + .../aio/operations/_watchlists_operations.py | 340 + .../securityinsight/models/__init__.py | 359 +- .../securityinsight/models/_models.py | 6707 +++++++++++++--- .../securityinsight/models/_models_py3.py | 7074 ++++++++++++++--- .../models/_security_insights_enums.py | 205 +- .../securityinsight/operations/__init__.py | 40 +- ...k_operations.py => _actions_operations.py} | 164 +- ...py => 
_alert_rule_templates_operations.py} | 18 +- ...erations.py => _alert_rules_operations.py} | 113 +- ...ns.py => _incident_comments_operations.py} | 99 +- ...s.py => _incident_relations_operations.py} | 134 +- ...operations.py => _incidents_operations.py} | 245 +- ...operation_operations.py => _operations.py} | 6 +- ...telligence_indicator_metrics_operations.py | 110 + ...hreat_intelligence_indicator_operations.py | 586 ++ ...eat_intelligence_indicators_operations.py} | 55 +- .../operations/_watchlist_items_operations.py | 362 + .../operations/_watchlists_operations.py | 348 + src/securityinsight/gen.zip | Bin 18866 -> 0 bytes src/securityinsight/report.md | 999 ++- src/securityinsight/setup.py | 4 +- 48 files changed, 19345 insertions(+), 5056 deletions(-) create mode 100644 src/securityinsight/azext_sentinel/tests/latest/example_steps.py delete mode 100644 src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_bookmark_operations.py => _actions_operations.py} (73%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_alert_rule_template_operations.py => _alert_rule_templates_operations.py} (95%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_data_connector_operations.py => _alert_rules_operations.py} (81%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_incident_comment_operations.py => _incident_comments_operations.py} (77%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_incident_operations.py => _incident_relations_operations.py} (74%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_alert_rule_operations.py => _incidents_operations.py} (73%) rename 
src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_operation_operations.py => _operations.py} (97%) create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_metrics_operations.py create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_operations.py rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/{_action_operations.py => _threat_intelligence_indicators_operations.py} (64%) create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlist_items_operations.py create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlists_operations.py rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_bookmark_operations.py => _actions_operations.py} (72%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_alert_rule_template_operations.py => _alert_rule_templates_operations.py} (95%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_data_connector_operations.py => _alert_rules_operations.py} (80%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_incident_comment_operations.py => _incident_comments_operations.py} (77%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_incident_operations.py => _incident_relations_operations.py} (73%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_alert_rule_operations.py => _incidents_operations.py} (73%) rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_operation_operations.py => _operations.py} (97%) create mode 100644 
src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_metrics_operations.py create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_operations.py rename src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/{_action_operations.py => _threat_intelligence_indicators_operations.py} (64%) create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlist_items_operations.py create mode 100644 src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlists_operations.py delete mode 100644 src/securityinsight/gen.zip diff --git a/src/securityinsight/azext_sentinel/azext_metadata.json b/src/securityinsight/azext_sentinel/azext_metadata.json index 7b33e2426b0..cfc30c747c7 100644 --- a/src/securityinsight/azext_sentinel/azext_metadata.json +++ b/src/securityinsight/azext_sentinel/azext_metadata.json @@ -1,3 +1,4 @@ { - "azext.minCliCoreVersion": "2.11.0" + "azext.isExperimental": true, + "azext.minCliCoreVersion": "2.15.0" } \ No newline at end of file diff --git a/src/securityinsight/azext_sentinel/generated/_client_factory.py b/src/securityinsight/azext_sentinel/generated/_client_factory.py index 6868ae4601c..ce1a17f36a0 100644 --- a/src/securityinsight/azext_sentinel/generated/_client_factory.py +++ b/src/securityinsight/azext_sentinel/generated/_client_factory.py 
@@ -11,34 +11,50 @@ def cf_sentinel_cl(cli_ctx, *_): from azure.cli.core.commands.client_factory import get_mgmt_service_client - from ..vendored_sdks.securityinsight import SecurityInsights + from azext_sentinel.vendored_sdks.securityinsight import SecurityInsights return get_mgmt_service_client(cli_ctx, SecurityInsights) -def cf_alert_rule(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).alert_rule +def cf_incident(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).incidents -def cf_action(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).action +def cf_incident_comment(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).incident_comments -def cf_alert_rule_template(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).alert_rule_template +def cf_incident_relation(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).incident_relations -def cf_bookmark(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).bookmark +def cf_threat_intelligence_indicator(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).threat_intelligence_indicator -def cf_data_connector(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).data_connector +def cf_threat_intelligence_indicator(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).threat_intelligence_indicators -def cf_incident(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).incident +def cf_threat_intelligence_indicator_metric(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).threat_intelligence_indicator_metrics -def cf_incident_comment(cli_ctx, *_): - return cf_sentinel_cl(cli_ctx).incident_comment +def cf_watchlist(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).watchlists + + +def cf_watchlist_item(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).watchlist_items + + +def cf_alert_rule(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).alert_rules + + +def cf_action(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).actions + + +def cf_alert_rule_template(cli_ctx, *_): + return cf_sentinel_cl(cli_ctx).alert_rule_templates 
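Review bot: `cf_threat_intelligence_indicator` is defined twice on the new side of this hunk, and the second definition (returning `.threat_intelligence_indicators`) silently replaces the first, so the singular `threat_intelligence_indicator` operations client can no longer be reached through this module and whichever command group is wired to this factory receives the plural client instead. Python raises nothing for a duplicate `def`, so the mismatch would only surface at runtime as the wrong operation being invoked. Give the second factory its own name, `def cf_threat_intelligence_indicators(cli_ctx, *_):`, and point the matching `client_factory=` reference in commands.py (outside this hunk) at it. The collision presumably comes from the generator mapping both SDK operation groups to one CLI name, since the help file in this same patch also registers the `sentinel threat-intelligence-indicator` group twice.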
diff --git a/src/securityinsight/azext_sentinel/generated/_help.py b/src/securityinsight/azext_sentinel/generated/_help.py index 9a401f619f3..d8e03be0e07 100644 --- a/src/securityinsight/azext_sentinel/generated/_help.py +++ b/src/securityinsight/azext_sentinel/generated/_help.py 
@@ -12,9 +12,557 @@ from knack.help_files import helps +helps['sentinel incident'] = """ + type: group + short-summary: Manage incident with sentinel +""" + +helps['sentinel incident list'] = """ + type: command + short-summary: "Gets all incidents." + examples: + - name: Get all incidents. + text: |- + az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" \ +--workspace-name "myWorkspace" +""" + +helps['sentinel incident show'] = """ + type: command + short-summary: "Gets a given incident." + examples: + - name: Get an incident. + text: |- + az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ +--workspace-name "myWorkspace" +""" + +helps['sentinel incident create'] = """ + type: command + short-summary: "Create an incident." + parameters: + - name: --labels + short-summary: "List of labels relevant to this incident" + long-summary: | + Usage: --labels label-name=XX + + label-name: Required. The name of the label + + Multiple actions can be specified by using more than one --labels argument. + - name: --owner + short-summary: "Describes a user that the incident is assigned to" + long-summary: | + Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX + + email: The email of the user the incident is assigned to. + assigned-to: The name of the user the incident is assigned to. + object-id: The object id of the user the incident is assigned to. + user-principal-name: The user principal name of the user the incident is assigned to. + examples: + - name: Creates or updates an incident. 
+ text: |- + az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "This is \ +a demo incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" \ +--classification-reason "IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" \ +--last-activity-time-utc "2019-01-01T13:05:30Z" --owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity \ +"High" --status "Closed" --title "My incident" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \ +"myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident update'] = """ + type: command + short-summary: "Update an incident." + parameters: + - name: --labels + short-summary: "List of labels relevant to this incident" + long-summary: | + Usage: --labels label-name=XX + + label-name: Required. The name of the label + + Multiple actions can be specified by using more than one --labels argument. + - name: --owner + short-summary: "Describes a user that the incident is assigned to" + long-summary: | + Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX + + email: The email of the user the incident is assigned to. + assigned-to: The name of the user the incident is assigned to. + object-id: The object id of the user the incident is assigned to. + user-principal-name: The user principal name of the user the incident is assigned to. +""" + +helps['sentinel incident delete'] = """ + type: command + short-summary: "Deletes a given incident." + examples: + - name: Delete an incident. + text: |- + az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \ +"myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident list-of-alert'] = """ + type: command + short-summary: "Gets all alerts for an incident." + examples: + - name: Get all incident alerts. 
+ text: |- + az sentinel incident list-of-alert --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident list-of-bookmark'] = """ + type: command + short-summary: "Gets all bookmarks for an incident." + examples: + - name: Get all incident bookmarks. + text: |- + az sentinel incident list-of-bookmark --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident list-of-entity'] = """ + type: command + short-summary: "Gets all entities for an incident." + examples: + - name: Gets all incident related entities + text: |- + az sentinel incident list-of-entity --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-comment'] = """ + type: group + short-summary: Manage incident comment with sentinel +""" + +helps['sentinel incident-comment list'] = """ + type: command + short-summary: "Gets all comments for a given incident." + examples: + - name: Get all incident comments. + text: |- + az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group \ +"myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-comment show'] = """ + type: command + short-summary: "Gets a comment for a given incident." + examples: + - name: Get an incident comment. + text: |- + az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" \ +--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-comment create'] = """ + type: command + short-summary: "Creates or updates a comment for a given incident." + examples: + - name: Creates or updates an incident comment. 
+ text: |- + az sentinel incident-comment create --message "Some message" --incident-comment-id \ +"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ +--workspace-name "myWorkspace" +""" + +helps['sentinel incident-comment delete'] = """ + type: command + short-summary: "Deletes a comment for a given incident." + examples: + - name: Delete the incident comment. + text: |- + az sentinel incident-comment delete --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" \ +--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-relation'] = """ + type: group + short-summary: Manage incident relation with sentinel +""" + +helps['sentinel incident-relation list'] = """ + type: command + short-summary: "Gets all relations for a given incident." + examples: + - name: Get all incident relations. + text: |- + az sentinel incident-relation list --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-relation create'] = """ + type: command + short-summary: "Creates or updates a relation for a given incident." + examples: + - name: Creates or updates an incident relation. + text: |- + az sentinel incident-relation create --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--related-resource-id "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Oper\ +ationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535\ +096" --relation-name "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-relation delete'] = """ + type: command + short-summary: "Deletes a relation for a given incident." + examples: + - name: Delete the incident relation. 
+ text: |- + az sentinel incident-relation delete --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--relation-name "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel incident-relation show-relation'] = """ + type: command + short-summary: "Gets a relation for a given incident." + examples: + - name: Get an incident relation. + text: |- + az sentinel incident-relation show-relation --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" \ +--relation-name "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator'] = """ + type: group + short-summary: Manage threat intelligence indicator with sentinel +""" + +helps['sentinel threat-intelligence-indicator show'] = """ + type: command + short-summary: "View a threat intelligence indicator by name." + examples: + - name: View a threat intelligence indicator by name + text: |- + az sentinel threat-intelligence-indicator show --name "e16ef847-962e-d7b6-9c8b-a33e4bd30e47" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator create'] = """ + type: command + short-summary: "Update a threat Intelligence indicator." + parameters: + - name: --kill-chain-phases + short-summary: "Kill chain phases" + long-summary: | + Usage: --kill-chain-phases kill-chain-name=XX phase-name=XX + + kill-chain-name: Kill chainName name + phase-name: Phase name + + Multiple actions can be specified by using more than one --kill-chain-phases argument. 
+ - name: --parsed-pattern + short-summary: "Parsed patterns" + long-summary: | + Usage: --parsed-pattern pattern-type-key=XX pattern-type-values=XX + + pattern-type-key: Pattern type key + pattern-type-values: Pattern type keys + + Multiple actions can be specified by using more than one --parsed-pattern argument. + - name: --granular-markings + short-summary: "Granular Markings" + long-summary: | + Usage: --granular-markings language=XX marking-ref=XX selectors=XX + + language: Language granular marking model + marking-ref: marking reference granular marking model + selectors: granular marking model selectors + + Multiple actions can be specified by using more than one --granular-markings argument. + examples: + - name: Update a threat Intelligence indicator + text: |- + az sentinel threat-intelligence-indicator create --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" \ +--description "debugging indicators" --confidence 78 --created-by-ref "contoso@contoso.com" --display-name "new \ +schema" --external-references "[]" --modified "" --pattern "[url:value = \'https://www.contoso.com\']" --pattern-type \ +"url" --revoked false --source "Azure Sentinel" --threat-intelligence-tags "new schema" --threat-types "compromised" \ +--valid-from "2020-04-15T17:44:00.114052Z" --valid-until "" --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator delete'] = """ + type: command + short-summary: "Delete a threat intelligence indicator." 
+ examples: + - name: Delete a threat intelligence indicator + text: |- + az sentinel threat-intelligence-indicator delete --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator append-tag'] = """ + type: command + short-summary: "Append tags to a threat intelligence indicator." + examples: + - name: Append tags to a threat intelligence indicator + text: |- + az sentinel threat-intelligence-indicator append-tag --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" \ +--threat-intelligence-tags "tag1" "tag2" --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator create-indicator'] = """ + type: command + short-summary: "Create a new threat intelligence indicator." + parameters: + - name: --kill-chain-phases + short-summary: "Kill chain phases" + long-summary: | + Usage: --kill-chain-phases kill-chain-name=XX phase-name=XX + + kill-chain-name: Kill chainName name + phase-name: Phase name + + Multiple actions can be specified by using more than one --kill-chain-phases argument. + - name: --parsed-pattern + short-summary: "Parsed patterns" + long-summary: | + Usage: --parsed-pattern pattern-type-key=XX pattern-type-values=XX + + pattern-type-key: Pattern type key + pattern-type-values: Pattern type keys + + Multiple actions can be specified by using more than one --parsed-pattern argument. 
+ - name: --granular-markings + short-summary: "Granular Markings" + long-summary: | + Usage: --granular-markings language=XX marking-ref=XX selectors=XX + + language: Language granular marking model + marking-ref: marking reference granular marking model + selectors: granular marking model selectors + + Multiple actions can be specified by using more than one --granular-markings argument. + examples: + - name: Create a new Threat Intelligence + text: |- + az sentinel threat-intelligence-indicator create-indicator --description "debugging indicators" \ +--confidence 78 --created-by-ref "contoso@contoso.com" --display-name "new schema" --external-references "[]" \ +--modified "" --pattern "[url:value = \'https://www.contoso.com\']" --pattern-type "url" --revoked false --source \ +"Azure Sentinel" --threat-intelligence-tags "new schema" --threat-types "compromised" --valid-from \ +"2020-04-15T17:44:00.114052Z" --valid-until "" --operational-insights-resource-provider "Microsoft.OperationalInsights"\ + --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator query-indicator'] = """ + type: command + short-summary: "Query threat intelligence indicators as per filtering criteria." + parameters: + - name: --sort-by + short-summary: "Columns to sort by and sorting order" + long-summary: | + Usage: --sort-by item-key=XX sort-order=XX + + item-key: Column name + sort-order: Sorting order (ascending/descending/unsorted). + + Multiple actions can be specified by using more than one --sort-by argument. 
+ examples: + - name: Query threat intelligence indicators as per filtering criteria + text: |- + az sentinel threat-intelligence-indicator query-indicator --max-confidence 80 --max-valid-until \ +"2020-04-25T17:44:00.114052Z" --min-confidence 25 --min-valid-until "2020-04-05T17:44:00.114052Z" --page-size 100 \ +--sort-by item-key="lastUpdatedTimeUtc" sort-order="descending" --sources "Azure Sentinel" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator replace-tag'] = """ + type: command + short-summary: "Replace tags added to a threat intelligence indicator." + parameters: + - name: --kill-chain-phases + short-summary: "Kill chain phases" + long-summary: | + Usage: --kill-chain-phases kill-chain-name=XX phase-name=XX + + kill-chain-name: Kill chainName name + phase-name: Phase name + + Multiple actions can be specified by using more than one --kill-chain-phases argument. + - name: --parsed-pattern + short-summary: "Parsed patterns" + long-summary: | + Usage: --parsed-pattern pattern-type-key=XX pattern-type-values=XX + + pattern-type-key: Pattern type key + pattern-type-values: Pattern type keys + + Multiple actions can be specified by using more than one --parsed-pattern argument. + - name: --granular-markings + short-summary: "Granular Markings" + long-summary: | + Usage: --granular-markings language=XX marking-ref=XX selectors=XX + + language: Language granular marking model + marking-ref: marking reference granular marking model + selectors: granular marking model selectors + + Multiple actions can be specified by using more than one --granular-markings argument. 
+ examples: + - name: Replace tags to a Threat Intelligence + text: |- + az sentinel threat-intelligence-indicator replace-tag --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" \ +--etag "\\"0000262c-0000-0800-0000-5e9767060000\\"" --threat-intelligence-tags "patching tags" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator'] = """ + type: group + short-summary: Manage threat intelligence indicator with sentinel +""" + +helps['sentinel threat-intelligence-indicator list'] = """ + type: command + short-summary: "Get all threat intelligence indicators." + examples: + - name: Get all threat intelligence indicators + text: |- + az sentinel threat-intelligence-indicator list --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel threat-intelligence-indicator-metric'] = """ + type: group + short-summary: Manage threat intelligence indicator metric with sentinel +""" + +helps['sentinel threat-intelligence-indicator-metric list'] = """ + type: command + short-summary: "Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source)." + examples: + - name: Get threat intelligence indicators metrics. + text: |- + az sentinel threat-intelligence-indicator-metric list --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist'] = """ + type: group + short-summary: Manage watchlist with sentinel +""" + +helps['sentinel watchlist list'] = """ + type: command + short-summary: "Get all watchlists, without watchlist items." + examples: + - name: Get all watchlists. 
+ text: |- + az sentinel watchlist list --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist show'] = """ + type: command + short-summary: "Get a watchlist, without its watchlist items." + examples: + - name: Get a watchlist. + text: |- + az sentinel watchlist show --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist create'] = """ + type: command + short-summary: "Create a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To \ +create a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties." + examples: + - name: Create or update a watchlist and bulk creates watchlist items. + text: |- + az sentinel watchlist create --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "Watchlist from CSV content" \ +--properties-content-type "text/csv" --display-name "High Value Assets Watchlist" --items-search-key "header1" \ +--number-of-lines-to-skip 1 --provider "Microsoft" --raw-content "This line will be skipped\\nheader1,header2\\nvalue1,\ +value2" --source "Local file" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" + - name: Create or update a watchlist. 
+ text: |- + az sentinel watchlist create --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "Watchlist from CSV content" \ +--display-name "High Value Assets Watchlist" --items-search-key "header1" --provider "Microsoft" --source "Local file" \ +--watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist update'] = """ + type: command + short-summary: "Update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To \ +Update a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties." +""" + +helps['sentinel watchlist delete'] = """ + type: command + short-summary: "Delete a watchlist." + examples: + - name: Delete a watchlist. + text: |- + az sentinel watchlist delete --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist-item'] = """ + type: group + short-summary: Manage watchlist item with sentinel +""" + +helps['sentinel watchlist-item list'] = """ + type: command + short-summary: "Get all watchlist Items." + examples: + - name: Get all watchlist Items. + text: |- + az sentinel watchlist-item list --operational-insights-resource-provider "Microsoft.OperationalInsights"\ + --resource-group "myRg" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist-item show'] = """ + type: command + short-summary: "Get a watchlist item." + examples: + - name: Get a watchlist item. 
+ text: |- + az sentinel watchlist-item show --operational-insights-resource-provider "Microsoft.OperationalInsights"\ + --resource-group "myRg" --watchlist-alias "highValueAsset" --watchlist-item-id "3f8901fe-63d9-4875-9ad5-9fb3b8105797" \ +--workspace-name "myWorkspace" +""" + +helps['sentinel watchlist-item create'] = """ + type: command + short-summary: "Create a watchlist item." + examples: + - name: Create or update a watchlist item. + text: |- + az sentinel watchlist-item create --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --watchlist-alias "highValueAsset" --etag \ +"0300bf09-0000-0000-0000-5c37296e0000" --items-key-value "{\\"Business tier\\":\\"10.0.2.0/24\\",\\"Data \ +tier\\":\\"10.0.2.0/24\\",\\"Gateway subnet\\":\\"10.0.255.224/27\\",\\"Private DMZ in\\":\\"10.0.0.0/27\\",\\"Public \ +DMZ out\\":\\"10.0.0.96/27\\",\\"Web Tier\\":\\"10.0.1.0/24\\"}" --watchlist-item-id "82ba292c-dc97-4dfc-969d-d4dd9e666\ +842" --workspace-name "myWorkspace" +""" + +helps['sentinel watchlist-item update'] = """ + type: command + short-summary: "Update a watchlist item." +""" + +helps['sentinel watchlist-item delete'] = """ + type: command + short-summary: "Delete a watchlist item." + examples: + - name: Delete a watchlist item. + text: |- + az sentinel watchlist-item delete --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --watchlist-alias "highValueAsset" --watchlist-item-id \ +"4008512e-1d30-48b2-9ee2-d3612ed9d3ea" --workspace-name "myWorkspace" +""" + helps['sentinel alert-rule'] = """ type: group - short-summary: sentinel alert-rule + short-summary: Manage alert rule with sentinel """ helps['sentinel alert-rule list'] = """ 
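Review bot: `helps['sentinel threat-intelligence-indicator']` is assigned twice in this hunk — once before the `show` entry and again just before the `list` entry — and the second assignment silently overwrites the first, which hides the fact that two SDK operation groups (singular `threat_intelligence_indicator` and plural `threat_intelligence_indicators`) have been folded into one CLI group name. Drop the second group block, or give the `list` command its own group if the two clients are meant to stay separate. Separately, `helps['sentinel threat-intelligence-indicator create']` carries `short-summary: "Update a threat Intelligence indicator."` while `create-indicator` is the entry described as creating one; if `create` really maps to the PUT-by-name update operation, the summary and the command verb disagree and one of them should be corrected so users are not led to treat the two commands as interchangeable.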
@@ -30,15 +578,23 @@ type: command short-summary: "Gets the alert rule." examples: - - name: Get an alert rule. + - name: Get a Fusion alert rule. text: |- az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name \ "myWorkspace" + - name: Get a MicrosoftSecurityIncidentCreation rule. + text: |- + az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExam\ +ple" --workspace-name "myWorkspace" + - name: Get a Scheduled alert rule. + text: |- + az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ +--workspace-name "myWorkspace" """ helps['sentinel alert-rule create'] = """ type: command - short-summary: "Creates or updates the action of alert rule. And Create the alert rule." + short-summary: "Create the alert rule." parameters: - name: --fusion-alert-rule short-summary: "Represents Fusion alert rule." 
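Review bot: The added MicrosoftSecurityIncidentCreation example splits the `--rule-id` value across a backslash continuation in the middle of the token (`"microsoftSecurityIncidentCreationRuleExam\` / `ple"`), which only round-trips in shells that strip backslash-newline inside double quotes; pasted into PowerShell or cmd the command breaks or carries a mangled id. Wrap at an argument boundary instead: keep `az sentinel alert-rule show --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \` on one line and move `--workspace-name "myWorkspace"` to the continuation line. The same mid-token wrapping appears in the preceding hunk (`Microsoft.Oper\`/`ationalInsights`, `d2df8c535\`/`096`) and in the following one (`9f2736ff2ab5\`/`"`), so it is worth fixing the generator's wrapping rule rather than the individual examples.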
@@ -90,32 +646,25 @@ kind: Required. The alert rule kind etag: Etag of the azure resource examples: - - name: Creates or updates an action of alert rule. - text: |- - az sentinel alert-rule create --etag "{etag}" \ ---logic-app-resource-id "/subscriptions/{subs}/resourceGroups/myRg/providers/Microsoft.Lo\ -gic/workflows/MyAlerts" --trigger-uri "https://xxx.northcentralus.logic.azure.com:443/workflows/xxx/triggers/\ -manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" \ ---action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace" - name: Creates or updates a Fusion alert rule. text: |- - az sentinel alert-rule create --fusion-alert-rule etag="{etag}" \ -alert-rule-template-name="{name}" enabled=true --resource-group "myRg" --rule-id \ + az sentinel alert-rule create --fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" \ +alert-rule-template-name="f71aba3d-28fb-450b-b192-4e76a83015c8" enabled=true --resource-group "myRg" --rule-id \ "myFirstFusionRule" --workspace-name "myWorkspace" - name: Creates or updates a MicrosoftSecurityIncidentCreation rule. text: |- az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule \ -etag="{etag}" product-filter="Microsoft Cloud App Security" display-name="testing \ +etag="\\"260097e0-0000-0d00-0000-5d6fa88f0000\\"" product-filter="Microsoft Cloud App Security" display-name="testing \ displayname" enabled=true --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" \ --workspace-name "myWorkspace" - name: Creates or updates a Scheduled alert rule. 
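Review bot: The new `short-summary: "Create the alert rule."` for `sentinel alert-rule create` drops the "or updates" wording, yet the command's own examples in the following hunk are still named "Creates or updates a Fusion alert rule" and so on, which suggests the underlying operation still replaces an existing rule with the same `--rule-id`. A user reading `az sentinel alert-rule create --help` would not learn that re-running it against a live detection rule overwrites it; if the operation is indeed create-or-update, keep that in the summary, e.g. `short-summary: "Create the alert rule (re-running with an existing --rule-id replaces that rule)."`. The `etag` entry under `parameters` ("Etag of the azure resource") would likewise benefit from one clause saying what the CLI does with it, since the examples pass concrete etag values without explaining where they come from. The `helps['sentinel alert-rule create']` entry continues past this hunk.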
text: |- - az sentinel alert-rule create --scheduled-alert-rule etag="{etag}" \ + az sentinel alert-rule create --scheduled-alert-rule etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \ query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" \ query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 \ description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false \ -tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "{rule-id}" \ ---workspace-name "myWorkspace" +tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5\ +" --workspace-name "myWorkspace" """ helps['sentinel alert-rule update'] = """ @@ -175,31 +724,17 @@ helps['sentinel alert-rule delete'] = """ type: command - short-summary: "Delete the action of alert rule. And Delete the alert rule." + short-summary: "Delete the alert rule." examples: - - name: Delete an action of alert rule. - text: |- - az sentinel alert-rule delete --action-id "{action-id}" --resource-group \ -"myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace" - name: Delete an alert rule. text: |- - az sentinel alert-rule delete --resource-group "myRg" --rule-id "{rule-id}" \ + az sentinel alert-rule delete --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ --workspace-name "myWorkspace" """ -helps['sentinel alert-rule get-action'] = """ - type: command - short-summary: "Gets the action of alert rule." - examples: - - name: Get an action of alert rule. - text: |- - az sentinel alert-rule get-action --action-id "{action-id}" --resource-group \ -"myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace" -""" - helps['sentinel action'] = """ type: group - short-summary: sentinel action + short-summary: Manage action with sentinel """ helps['sentinel action list'] = """ 
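Review bot: The three create examples in this hunk disagree on how `etag` is passed: the Fusion example uses `etag="3d00c3ca-0000-0100-0000-5d42d5010000"` while the MicrosoftSecurityIncidentCreation and Scheduled examples wrap the value in escaped double quotes, `etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\""`. Help text is what users copy from, so it should settle on one form; if the service returns etags as quoted strings (which the escaped form suggests but this hunk does not show), state that on the `etag:` parameter line, e.g. `etag: Etag of the azure resource as returned by show (include the surrounding double quotes).`, and use the quoted form in all three examples. Replacing the old `{etag}` placeholder with fixed values also hides that the value must come from a prior `show`; a sentence to that effect in the parameter help would avoid users pasting the example etag verbatim. The `helps['sentinel alert-rule create']` entry starts before this hunk.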
@@ -208,430 +743,69 @@ examples: - name: Get all actions of alert rule. text: |- - az sentinel action list --resource-group "myRg" --rule-id "{rule-id}" \ ---workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule-template'] = """ - type: group - short-summary: sentinel alert-rule-template -""" - -helps['sentinel alert-rule-template list'] = """ - type: command - short-summary: "Gets all alert rule templates." - examples: - - name: Get all alert rule templates. - text: |- - az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel alert-rule-template show'] = """ - type: command - short-summary: "Gets the alert rule template." - examples: - - name: Get alert rule template by Id. - text: |- - az sentinel alert-rule-template show --alert-rule-template-id "{id}" \ ---resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel bookmark'] = """ - type: group - short-summary: sentinel bookmark -""" - -helps['sentinel bookmark list'] = """ - type: command - short-summary: "Gets all bookmarks." - examples: - - name: Get all bookmarks. - text: |- - az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel bookmark show'] = """ - type: command - short-summary: "Gets a bookmark." - examples: - - name: Get a bookmark. - text: |- - az sentinel bookmark show --bookmark-id "{id}" --resource-group "myRg" \ + az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ --workspace-name "myWorkspace" """ -helps['sentinel bookmark create'] = """ - type: command - short-summary: "Create the bookmark." - parameters: - - name: --incident-info - short-summary: "Describes an incident that relates to bookmark" - long-summary: | - Usage: --incident-info incident-id=XX severity=XX title=XX relation-name=XX - - incident-id: Required. Incident Id - severity: Required. The severity of the incident - title: Required. 
The title of the incident - relation-name: Required. Relation Name - examples: - - name: Creates or updates a bookmark. - text: |- - az sentinel bookmark create --etag "{etag}" --created \ -"2019-01-01T13:15:30Z" --display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious \ -activity" -q "SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" --query-result "Security \ -Event query result" --updated "2019-01-01T13:15:30Z" --bookmark-id "{id}" \ ---resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel bookmark update'] = """ - type: command - short-summary: "Update the bookmark." - parameters: - - name: --incident-info - short-summary: "Describes an incident that relates to bookmark" - long-summary: | - Usage: --incident-info incident-id=XX severity=XX title=XX relation-name=XX - - incident-id: Required. Incident Id - severity: Required. The severity of the incident - title: Required. The title of the incident - relation-name: Required. Relation Name -""" - -helps['sentinel bookmark delete'] = """ - type: command - short-summary: "Delete the bookmark." - examples: - - name: Delete a bookmark. - text: |- - az sentinel bookmark delete --bookmark-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector'] = """ - type: group - short-summary: sentinel data-connector -""" - -helps['sentinel data-connector list'] = """ - type: command - short-summary: "Gets all data connectors." - examples: - - name: Get all data connectors. - text: |- - az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector show'] = """ - type: command - short-summary: "Gets a data connector." - examples: - - name: Get a data connector. 
- text: |- - az sentinel data-connector show --data-connector-id "{id}" --resource-group "myRg" \ - --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector create'] = """ - type: command - short-summary: "Create the data connector." - parameters: - - name: --aad-data-connector - short-summary: "Represents AAD (Azure Active Directory) data connector." - long-summary: | - Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aatp-data-connector - short-summary: "Represents AATP (Azure Advanced Threat Protection) data connector." - long-summary: | - Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --asc-data-connector - short-summary: "Represents ASC (Azure Security Center) data connector." - long-summary: | - Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX - - subscription-id: The subscription id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aws-cloud-trail-data-connector - short-summary: "Represents Amazon Web Services CloudTrail data connector." - long-summary: | - Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX - - aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. - state: Describe whether this data type connection is enabled or not. - kind: Required. 
The data connector kind - etag: Etag of the azure resource - - name: --mcas-data-connector - short-summary: "Represents MCAS (Microsoft Cloud App Security) data connector." - long-summary: | - Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\ -state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-alerts-state: Describe whether this data type connection is enabled or not. - state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mdatp-data-connector - short-summary: "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." - long-summary: | - Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --office-data-connector - short-summary: "Represents office data connector." - long-summary: | - Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \ -state-data-types-exchange-state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-share-point-state: Describe whether this data type connection is enabled or not. - state-data-types-exchange-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --ti-data-connector - short-summary: "Represents threat intelligence data connector." - long-summary: | - Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. 
- state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - examples: - - name: Creates or updates an Office365 data connector. - text: |- - az sentinel data-connector create --office-data-connector etag="{etag}" \ - tenant-id="{tenant-id}" --data-connector-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel data-connector update'] = """ - type: command - short-summary: "Update the data connector." - parameters: - - name: --aad-data-connector - short-summary: "Represents AAD (Azure Active Directory) data connector." - long-summary: | - Usage: --aad-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aatp-data-connector - short-summary: "Represents AATP (Azure Advanced Threat Protection) data connector." - long-summary: | - Usage: --aatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --asc-data-connector - short-summary: "Represents ASC (Azure Security Center) data connector." - long-summary: | - Usage: --asc-data-connector subscription-id=XX state=XX kind=XX etag=XX - - subscription-id: The subscription id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --aws-cloud-trail-data-connector - short-summary: "Represents Amazon Web Services CloudTrail data connector." 
- long-summary: | - Usage: --aws-cloud-trail-data-connector aws-role-arn=XX state=XX kind=XX etag=XX - - aws-role-arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mcas-data-connector - short-summary: "Represents MCAS (Microsoft Cloud App Security) data connector." - long-summary: | - Usage: --mcas-data-connector tenant-id=XX state-data-types-alerts-state=XX state-data-types-discovery-logs-\ -state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-alerts-state: Describe whether this data type connection is enabled or not. - state-data-types-discovery-logs-state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --mdatp-data-connector - short-summary: "Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector." - long-summary: | - Usage: --mdatp-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource - - name: --office-data-connector - short-summary: "Represents office data connector." - long-summary: | - Usage: --office-data-connector tenant-id=XX state-data-types-share-point-state=XX \ -state-data-types-exchange-state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state-data-types-share-point-state: Describe whether this data type connection is enabled or not. - state-data-types-exchange-state: Describe whether this data type connection is enabled or not. - kind: Required. 
The data connector kind - etag: Etag of the azure resource - - name: --ti-data-connector - short-summary: "Represents threat intelligence data connector." - long-summary: | - Usage: --ti-data-connector tenant-id=XX state=XX kind=XX etag=XX - - tenant-id: The tenant id to connect to, and get the data from. - state: Describe whether this data type connection is enabled or not. - kind: Required. The data connector kind - etag: Etag of the azure resource -""" - -helps['sentinel data-connector delete'] = """ +helps['sentinel action show'] = """ type: command - short-summary: "Delete the data connector." + short-summary: "Gets the action of alert rule." examples: - - name: Delete a data connector. + - name: Get an action of alert rule. text: |- - az sentinel data-connector delete --data-connector-id "{id}" --resource-group "myRg" \ - --workspace-name "myWorkspace" -""" - -helps['sentinel incident'] = """ - type: group - short-summary: sentinel incident + az sentinel action show --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \ +--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" """ -helps['sentinel incident list'] = """ +helps['sentinel action create'] = """ type: command - short-summary: "Gets all incidents." + short-summary: "Create the action of alert rule." examples: - - name: Get all incidents. + - name: Creates or updates an action of alert rule. 
text: |- - az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" \ + az sentinel action create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --logic-app-resource-id \ +"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \ +--trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/m\ +anual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id \ +"912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ --workspace-name "myWorkspace" """ -helps['sentinel incident show'] = """ - type: command - short-summary: "Gets an incident." - examples: - - name: Get an incident. - text: |- - az sentinel incident show --incident-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident create'] = """ - type: command - short-summary: "Create the incident." - parameters: - - name: --labels - short-summary: "List of labels relevant to this incident" - long-summary: | - Usage: --labels label-name=XX - - label-name: Required. The name of the label - - Multiple actions can be specified by using more than one --labels argument. - - name: --owner - short-summary: "Describes a user that the incident is assigned to" - long-summary: | - Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX - - email: The email of the user the incident is assigned to. - assigned-to: The name of the user the incident is assigned to. - object-id: The object id of the user the incident is assigned to. - user-principal-name: The user principal name of the user the incident is assigned to. - examples: - - name: Creates or updates an incident. 
- text: |- - az sentinel incident create --etag "{etag}" --description "This is \ -a demo incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" \ ---classification-reason "IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" \ ---last-activity-time-utc "2019-01-01T13:05:30Z" --owner object-id="{oid}" --severity \ -"High" --status "Closed" --title "My incident" --incident-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" -""" - -helps['sentinel incident update'] = """ +helps['sentinel action update'] = """ type: command - short-summary: "Update the incident." - parameters: - - name: --labels - short-summary: "List of labels relevant to this incident" - long-summary: | - Usage: --labels label-name=XX - - label-name: Required. The name of the label - - Multiple actions can be specified by using more than one --labels argument. - - name: --owner - short-summary: "Describes a user that the incident is assigned to" - long-summary: | - Usage: --owner email=XX assigned-to=XX object-id=XX user-principal-name=XX - - email: The email of the user the incident is assigned to. - assigned-to: The name of the user the incident is assigned to. - object-id: The object id of the user the incident is assigned to. - user-principal-name: The user principal name of the user the incident is assigned to. + short-summary: "Update the action of alert rule." """ -helps['sentinel incident delete'] = """ +helps['sentinel action delete'] = """ type: command - short-summary: "Delete the incident." + short-summary: "Delete the action of alert rule." examples: - - name: Delete an incident. + - name: Delete an action of alert rule. 
text: |- - az sentinel incident delete --incident-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" + az sentinel action delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" \ +--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" """ -helps['sentinel incident-comment'] = """ +helps['sentinel alert-rule-template'] = """ type: group - short-summary: sentinel incident-comment -""" - -helps['sentinel incident-comment list'] = """ - type: command - short-summary: "Gets all incident comments." - examples: - - name: Get all incident comments. - text: |- - az sentinel incident-comment list --incident-id "{id}" --resource-group \ -"myRg" --workspace-name "myWorkspace" + short-summary: Manage alert rule template with sentinel """ -helps['sentinel incident-comment show'] = """ +helps['sentinel alert-rule-template list'] = """ type: command - short-summary: "Gets an incident comment." + short-summary: "Gets all alert rule templates." examples: - - name: Get an incident comment. + - name: Get all alert rule templates. text: |- - az sentinel incident-comment show --incident-comment-id "{comment-id}" \ ---incident-id "{id}" --resource-group "myRg" --workspace-name "myWorkspace" + az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "myWorkspace" """ -helps['sentinel incident-comment create'] = """ +helps['sentinel alert-rule-template show'] = """ type: command - short-summary: "Creates the incident comment." + short-summary: "Gets the alert rule template." examples: - - name: Creates an incident comment. + - name: Get alert rule template by Id. 
text: |- - az sentinel incident-comment create --message "Some message" --incident-comment-id \ -"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id "{id}" --resource-group "myRg" \ ---workspace-name "myWorkspace" + az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" \ +--resource-group "myRg" --workspace-name "myWorkspace" """ diff --git a/src/securityinsight/azext_sentinel/generated/_params.py b/src/securityinsight/azext_sentinel/generated/_params.py index 8cf66c08483..581f245eb69 100644 --- a/src/securityinsight/azext_sentinel/generated/_params.py +++ b/src/securityinsight/azext_sentinel/generated/_params.py 
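Review bot: The `sentinel action create` example passes a Logic App callback URL as `--trigger-uri`, and in a real callback URL the `sp`/`sv`/`sig` query parameters are the shared access signature that authorises invoking the workflow; the example keeps `sig=signature` as a placeholder, but nothing in the help tells users that the real value is a credential that will end up in shell history and in any log that records the command line. Add a `parameters:` entry for `--trigger-uri` to `helps['sentinel action create']` with a short-summary such as `"Logic App callback URL for the workflow. Its sig= query parameter is a shared access signature: treat the whole URL as a secret and pass it from an environment variable or file rather than typing it inline."`. The same summary/example mismatch seen for alert rules appears here: `short-summary: "Create the action of alert rule."` sits above an example named "Creates or updates an action of alert rule.", so if the call replaces an existing `--action-id` the summary should say so.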
@@ -11,283 +11,603 @@ # pylint: disable=too-many-statements from azure.cli.core.commands.parameters import ( + get_three_state_flag, get_enum_type, resource_group_name_type ) +from azure.cli.core.commands.validators import validate_file_or_dict from azext_sentinel.action import ( + AddLabels, + AddOwner, + AddKillChainPhases, + AddParsedPattern, + AddGranularMarkings, + AddSortBy, AddFusionAlertRule, AddMicrosoftSecurityIncidentCreationAlertRule, - AddScheduledAlertRule, - AddIncidentInfo, - AddAadDataConnector, - AddAatpDataConnector, - AddAscDataConnector, - AddAwsCloudTrailDataConnector, - AddMcasDataConnector, - AddMdatpDataConnector, - AddOfficeDataConnector, - AddTiDataConnector, - AddLabels, - AddOwner + AddScheduledAlertRule ) def load_arguments(self, _): - with self.argument_context('sentinel alert-rule list') as c: + with self.argument_context('sentinel incident list') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' + 'condition. Optional.') + c.argument('orderby', type=str, help='Sorts the results. Optional.') + c.argument('top', type=int, help='Returns only the first n results. Optional.') + c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' + 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' + 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
' + 'Optional.') - with self.argument_context('sentinel alert-rule show') as c: + with self.argument_context('sentinel incident show') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - with self.argument_context('sentinel alert-rule create') as c: + with self.argument_context('sentinel incident create') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('rule_id', type=str, help='Alert rule ID') - c.argument('action_id', type=str, help='Action ID') + c.argument('incident_id', type=str, help='Incident ID') c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('logic_app_resource_id', type=str, help='Logic App Resource Id, /subscriptions/{my-subscription}/res' - 'ourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.') - c.argument('trigger_uri', type=str, help='Logic App Callback URL for this specific workflow.') - c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='*', help='Represents Fusion alert rule.', - arg_group='AlertRule') - c.argument('microsoft_security_incident_creation_alert_rule', - action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='*', help='Represents ' - 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule') - c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='*', help='Represents scheduled alert ' - 'rule.', arg_group='AlertRule') + c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', + 'FalsePositive']), help='The reason the incident was ' + 'closed') + c.argument('classification_comment', type=str, help='Describes the reason 
the incident was closed') + c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', + 'IncorrectAlertLogic', 'InaccurateData']), + help='The classification reason the incident was closed with') + c.argument('description', type=str, help='The description of the incident') + c.argument('first_activity_time_utc', help='The time of the first activity in the incident') + c.argument('labels', action=AddLabels, nargs='+', help='List of labels relevant to this incident') + c.argument('last_activity_time_utc', help='The time of the last activity in the incident') + c.argument('owner', action=AddOwner, nargs='+', help='Describes a user that the incident is assigned to') + c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity ' + 'of the incident') + c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident') + c.argument('title', type=str, help='The title of the incident') - with self.argument_context('sentinel alert-rule update') as c: + with self.argument_context('sentinel incident update') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='*', help='Represents Fusion alert rule.', - arg_group='AlertRule') - c.argument('microsoft_security_incident_creation_alert_rule', - action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='*', help='Represents ' - 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule') - c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='*', help='Represents scheduled alert ' - 'rule.', arg_group='AlertRule') + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('etag', 
type=str, help='Etag of the azure resource') + c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', + 'FalsePositive']), help='The reason the incident was ' + 'closed') + c.argument('classification_comment', type=str, help='Describes the reason the incident was closed') + c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', + 'IncorrectAlertLogic', 'InaccurateData']), + help='The classification reason the incident was closed with') + c.argument('description', type=str, help='The description of the incident') + c.argument('first_activity_time_utc', help='The time of the first activity in the incident') + c.argument('labels', action=AddLabels, nargs='+', help='List of labels relevant to this incident') + c.argument('last_activity_time_utc', help='The time of the last activity in the incident') + c.argument('owner', action=AddOwner, nargs='+', help='Describes a user that the incident is assigned to') + c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity ' + 'of the incident') + c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident') + c.argument('title', type=str, help='The title of the incident') + c.ignore('incident') - with self.argument_context('sentinel alert-rule delete') as c: + with self.argument_context('sentinel incident delete') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - c.argument('action_id', type=str, help='Action ID', id_part='child_name_2') + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - with self.argument_context('sentinel alert-rule get-action') as c: + with self.argument_context('sentinel incident 
list-of-alert') as c: c.argument('resource_group_name', resource_group_name_type) - c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') - c.argument('action_id', type=str, help='Action ID', id_part='child_name_2') + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('incident_id', type=str, help='Incident ID') - with self.argument_context('sentinel action list') as c: + with self.argument_context('sentinel incident list-of-bookmark') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('rule_id', type=str, help='Alert rule ID') + c.argument('incident_id', type=str, help='Incident ID') - with self.argument_context('sentinel alert-rule-template list') as c: + with self.argument_context('sentinel incident list-of-entity') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('incident_id', type=str, help='Incident ID') - with self.argument_context('sentinel alert-rule-template show') as c: + with self.argument_context('sentinel incident-comment list') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('incident_id', type=str, help='Incident ID') + c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' + 'condition. Optional.') + c.argument('orderby', type=str, help='Sorts the results. Optional.') + c.argument('top', type=int, help='Returns only the first n results. Optional.') + c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' + 'result. 
If a previous response contains a nextLink element, the value of the nextLink element will ' + 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. ' + 'Optional.') + + with self.argument_context('sentinel incident-comment show') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('alert_rule_template_id', type=str, help='Alert rule template ID', id_part='child_name_1') + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('incident_comment_id', type=str, help='Incident comment ID', id_part='child_name_2') - with self.argument_context('sentinel bookmark list') as c: + with self.argument_context('sentinel incident-comment create') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('incident_id', type=str, help='Incident ID') + c.argument('incident_comment_id', type=str, help='Incident comment ID') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('message', type=str, help='The comment message') - with self.argument_context('sentinel bookmark show') as c: + with self.argument_context('sentinel incident-comment delete') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1') + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('incident_comment_id', type=str, help='Incident comment ID', id_part='child_name_2') - with self.argument_context('sentinel bookmark create') as c: + with self.argument_context('sentinel incident-relation list') as c: c.argument('resource_group_name', resource_group_name_type) 
c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('bookmark_id', type=str, help='Bookmark ID') + c.argument('incident_id', type=str, help='Incident ID') + c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' + 'condition. Optional.') + c.argument('orderby', type=str, help='Sorts the results. Optional.') + c.argument('top', type=int, help='Returns only the first n results. Optional.') + c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' + 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' + 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. ' + 'Optional.') + + with self.argument_context('sentinel incident-relation create') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('incident_id', type=str, help='Incident ID') + c.argument('relation_name', type=str, help='Relation Name') c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('created', help='The time the bookmark was created') - c.argument('display_name', type=str, help='The display name of the bookmark') - c.argument('labels', nargs='*', help='List of labels relevant to this bookmark') - c.argument('notes', type=str, help='The notes of the bookmark') - c.argument('query_content', options_list=['-q'], type=str, help='The query of the bookmark.') - c.argument('query_result', type=str, help='The query result of the bookmark.') - c.argument('updated', help='The last time the bookmark was updated') - c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to ' - 'bookmark') - c.argument('updated_by_object_id', help='The object id of the user.') - - with self.argument_context('sentinel bookmark update') 
as c: + c.argument('related_resource_id', type=str, help='The resource ID of the related resource') + + with self.argument_context('sentinel incident-relation delete') as c: c.argument('resource_group_name', resource_group_name_type) c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1') - c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('created', help='The time the bookmark was created') - c.argument('display_name', type=str, help='The display name of the bookmark') - c.argument('labels', nargs='*', help='List of labels relevant to this bookmark') - c.argument('notes', type=str, help='The notes of the bookmark') - c.argument('query_content', options_list=['-q'], type=str, help='The query of the bookmark.') - c.argument('query_result', type=str, help='The query result of the bookmark.') - c.argument('updated', help='The last time the bookmark was updated') - c.argument('incident_info', action=AddIncidentInfo, nargs='*', help='Describes an incident that relates to ' - 'bookmark') - c.argument('updated_by_object_id', help='The object id of the user.') - - with self.argument_context('sentinel bookmark delete') as c: + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('relation_name', type=str, help='Relation Name', id_part='child_name_2') + + with self.argument_context('sentinel incident-relation show-relation') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('relation_name', type=str, help='Relation Name', id_part='child_name_2') + + with self.argument_context('sentinel threat-intelligence-indicator show') as c: c.argument('resource_group_name', resource_group_name_type) + 
c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('bookmark_id', type=str, help='Bookmark ID', id_part='child_name_1') + c.argument('name', type=str, help='Threat intelligence indicator name field.', id_part='child_name_2') - with self.argument_context('sentinel data-connector list') as c: + with self.argument_context('sentinel threat-intelligence-indicator create') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('name', type=str, help='Threat intelligence indicator name field.') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('threat_intelligence_tags', nargs='+', help='List of tags') + c.argument('last_updated_time_utc', type=str, help='Last updated time in UTC') + c.argument('source', type=str, help='Source of a threat intelligence entity') + c.argument('display_name', type=str, help='Display name of a threat intelligence entity') + c.argument('description', type=str, help='Description of a threat intelligence entity') + c.argument('indicator_types', nargs='+', help='Indicator types of threat intelligence entities') + c.argument('pattern', type=str, help='Pattern of a threat intelligence entity') + c.argument('pattern_type', type=str, help='Pattern type of a threat intelligence entity') + c.argument('pattern_version', type=str, help='Pattern version of a threat intelligence entity') + c.argument('kill_chain_phases', action=AddKillChainPhases, nargs='+', help='Kill chain phases') + c.argument('parsed_pattern', action=AddParsedPattern, nargs='+', 
help='Parsed patterns') + c.argument('external_id', type=str, help='External ID of threat intelligence entity') + c.argument('created_by_ref', type=str, help='Created by reference of threat intelligence entity') + c.argument('defanged', arg_type=get_three_state_flag(), help='Is threat intelligence entity defanged') + c.argument('external_last_updated_time_utc', type=str, help='External last updated time in UTC') + c.argument('external_references', type=validate_file_or_dict, help='External References Expected value: ' + 'json-string/@json-file.') + c.argument('granular_markings', action=AddGranularMarkings, nargs='+', help='Granular Markings') + c.argument('labels', nargs='+', help='Labels of threat intelligence entity') + c.argument('revoked', arg_type=get_three_state_flag(), help='Is threat intelligence entity revoked') + c.argument('confidence', type=int, help='Confidence of threat intelligence entity') + c.argument('object_marking_refs', nargs='+', help='Threat intelligence entity object marking references') + c.argument('language', type=str, help='Language of threat intelligence entity') + c.argument('threat_types', nargs='+', help='Threat types') + c.argument('valid_from', type=str, help='Valid from') + c.argument('valid_until', type=str, help='Valid until') + c.argument('created', type=str, help='Created by') + c.argument('modified', type=str, help='Modified by') + c.argument('extensions', type=validate_file_or_dict, help='Extensions map Expected value: ' + 'json-string/@json-file.') - with self.argument_context('sentinel data-connector show') as c: + with self.argument_context('sentinel threat-intelligence-indicator delete') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - 
c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1') + c.argument('name', type=str, help='Threat intelligence indicator name field.', id_part='child_name_2') - with self.argument_context('sentinel data-connector create') as c: + with self.argument_context('sentinel threat-intelligence-indicator append-tag') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('name', type=str, help='Threat intelligence indicator name field.', id_part='child_name_2') + c.argument('threat_intelligence_tags', nargs='+', help='List of tags to be appended.') + + with self.argument_context('sentinel threat-intelligence-indicator create-indicator') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('data_connector_id', type=str, help='Connector ID') - c.argument('aad_data_connector', action=AddAadDataConnector, nargs='*', help='Represents AAD (Azure Active ' - 'Directory) data connector.', arg_group='DataConnector') - c.argument('aatp_data_connector', action=AddAatpDataConnector, nargs='*', help='Represents AATP (Azure ' - 'Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('asc_data_connector', action=AddAscDataConnector, nargs='*', help='Represents ASC (Azure Security ' - 'Center) data connector.', arg_group='DataConnector') - c.argument('aws_cloud_trail_data_connector', action=AddAwsCloudTrailDataConnector, nargs='*', help='Represents ' - 'Amazon Web Services CloudTrail 
data connector.', arg_group='DataConnector') - c.argument('mcas_data_connector', action=AddMcasDataConnector, nargs='*', help='Represents MCAS (Microsoft ' - 'Cloud App Security) data connector.', arg_group='DataConnector') - c.argument('mdatp_data_connector', action=AddMdatpDataConnector, nargs='*', help='Represents MDATP (Microsoft ' - 'Defender Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('office_data_connector', action=AddOfficeDataConnector, nargs='*', help='Represents office data ' - 'connector.', arg_group='DataConnector') - c.argument('ti_data_connector', action=AddTiDataConnector, nargs='*', help='Represents threat intelligence ' - 'data connector.', arg_group='DataConnector') - - with self.argument_context('sentinel data-connector update') as c: + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('threat_intelligence_tags', nargs='+', help='List of tags') + c.argument('last_updated_time_utc', type=str, help='Last updated time in UTC') + c.argument('source', type=str, help='Source of a threat intelligence entity') + c.argument('display_name', type=str, help='Display name of a threat intelligence entity') + c.argument('description', type=str, help='Description of a threat intelligence entity') + c.argument('indicator_types', nargs='+', help='Indicator types of threat intelligence entities') + c.argument('pattern', type=str, help='Pattern of a threat intelligence entity') + c.argument('pattern_type', type=str, help='Pattern type of a threat intelligence entity') + c.argument('pattern_version', type=str, help='Pattern version of a threat intelligence entity') + c.argument('kill_chain_phases', action=AddKillChainPhases, nargs='+', help='Kill chain phases') + c.argument('parsed_pattern', action=AddParsedPattern, nargs='+', help='Parsed patterns') + c.argument('external_id', type=str, help='External ID of threat intelligence entity') + c.argument('created_by_ref', type=str, help='Created by 
reference of threat intelligence entity') + c.argument('defanged', arg_type=get_three_state_flag(), help='Is threat intelligence entity defanged') + c.argument('external_last_updated_time_utc', type=str, help='External last updated time in UTC') + c.argument('external_references', type=validate_file_or_dict, help='External References Expected value: ' + 'json-string/@json-file.') + c.argument('granular_markings', action=AddGranularMarkings, nargs='+', help='Granular Markings') + c.argument('labels', nargs='+', help='Labels of threat intelligence entity') + c.argument('revoked', arg_type=get_three_state_flag(), help='Is threat intelligence entity revoked') + c.argument('confidence', type=int, help='Confidence of threat intelligence entity') + c.argument('object_marking_refs', nargs='+', help='Threat intelligence entity object marking references') + c.argument('language', type=str, help='Language of threat intelligence entity') + c.argument('threat_types', nargs='+', help='Threat types') + c.argument('valid_from', type=str, help='Valid from') + c.argument('valid_until', type=str, help='Valid until') + c.argument('created', type=str, help='Created by') + c.argument('modified', type=str, help='Modified by') + c.argument('extensions', type=validate_file_or_dict, help='Extensions map Expected value: ' + 'json-string/@json-file.') + + with self.argument_context('sentinel threat-intelligence-indicator query-indicator') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1') - c.argument('aad_data_connector', action=AddAadDataConnector, nargs='*', help='Represents AAD (Azure Active ' - 'Directory) data connector.', 
arg_group='DataConnector') - c.argument('aatp_data_connector', action=AddAatpDataConnector, nargs='*', help='Represents AATP (Azure ' - 'Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('asc_data_connector', action=AddAscDataConnector, nargs='*', help='Represents ASC (Azure Security ' - 'Center) data connector.', arg_group='DataConnector') - c.argument('aws_cloud_trail_data_connector', action=AddAwsCloudTrailDataConnector, nargs='*', help='Represents ' - 'Amazon Web Services CloudTrail data connector.', arg_group='DataConnector') - c.argument('mcas_data_connector', action=AddMcasDataConnector, nargs='*', help='Represents MCAS (Microsoft ' - 'Cloud App Security) data connector.', arg_group='DataConnector') - c.argument('mdatp_data_connector', action=AddMdatpDataConnector, nargs='*', help='Represents MDATP (Microsoft ' - 'Defender Advanced Threat Protection) data connector.', arg_group='DataConnector') - c.argument('office_data_connector', action=AddOfficeDataConnector, nargs='*', help='Represents office data ' - 'connector.', arg_group='DataConnector') - c.argument('ti_data_connector', action=AddTiDataConnector, nargs='*', help='Represents threat intelligence ' - 'data connector.', arg_group='DataConnector') - - with self.argument_context('sentinel data-connector delete') as c: + c.argument('page_size', type=int, help='Page size') + c.argument('min_confidence', type=int, help='Minimum confidence.') + c.argument('max_confidence', type=int, help='Maximum confidence.') + c.argument('min_valid_until', type=str, help='Start time for ValidUntil filter.') + c.argument('max_valid_until', type=str, help='End time for ValidUntil filter.') + c.argument('include_disabled', arg_type=get_three_state_flag(), help='Parameter to include/exclude disabled ' + 'indicators.') + c.argument('sort_by', action=AddSortBy, nargs='+', help='Columns to sort by and sorting order') + c.argument('sources', nargs='+', help='Sources of threat intelligence 
indicators') + c.argument('pattern_types', nargs='+', help='Pattern types') + c.argument('threat_types', nargs='+', help='Threat types of threat intelligence indicators') + c.argument('ids', nargs='+', help='Ids of threat intelligence indicators') + c.argument('keywords', nargs='+', help='Keywords for searching threat intelligence indicators') + c.argument('skip_token', type=str, help='Skip token.') + + with self.argument_context('sentinel threat-intelligence-indicator replace-tag') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('data_connector_id', type=str, help='Connector ID', id_part='child_name_1') + c.argument('name', type=str, help='Threat intelligence indicator name field.', id_part='child_name_2') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('threat_intelligence_tags', nargs='+', help='List of tags') + c.argument('last_updated_time_utc', type=str, help='Last updated time in UTC') + c.argument('source', type=str, help='Source of a threat intelligence entity') + c.argument('display_name', type=str, help='Display name of a threat intelligence entity') + c.argument('description', type=str, help='Description of a threat intelligence entity') + c.argument('indicator_types', nargs='+', help='Indicator types of threat intelligence entities') + c.argument('pattern', type=str, help='Pattern of a threat intelligence entity') + c.argument('pattern_type', type=str, help='Pattern type of a threat intelligence entity') + c.argument('pattern_version', type=str, help='Pattern version of a threat intelligence entity') + c.argument('kill_chain_phases', action=AddKillChainPhases, nargs='+', help='Kill chain phases') + c.argument('parsed_pattern', 
action=AddParsedPattern, nargs='+', help='Parsed patterns') + c.argument('external_id', type=str, help='External ID of threat intelligence entity') + c.argument('created_by_ref', type=str, help='Created by reference of threat intelligence entity') + c.argument('defanged', arg_type=get_three_state_flag(), help='Is threat intelligence entity defanged') + c.argument('external_last_updated_time_utc', type=str, help='External last updated time in UTC') + c.argument('external_references', type=validate_file_or_dict, help='External References Expected value: ' + 'json-string/@json-file.') + c.argument('granular_markings', action=AddGranularMarkings, nargs='+', help='Granular Markings') + c.argument('labels', nargs='+', help='Labels of threat intelligence entity') + c.argument('revoked', arg_type=get_three_state_flag(), help='Is threat intelligence entity revoked') + c.argument('confidence', type=int, help='Confidence of threat intelligence entity') + c.argument('object_marking_refs', nargs='+', help='Threat intelligence entity object marking references') + c.argument('language', type=str, help='Language of threat intelligence entity') + c.argument('threat_types', nargs='+', help='Threat types') + c.argument('valid_from', type=str, help='Valid from') + c.argument('valid_until', type=str, help='Valid until') + c.argument('created', type=str, help='Created by') + c.argument('modified', type=str, help='Modified by') + c.argument('extensions', type=validate_file_or_dict, help='Extensions map Expected value: ' + 'json-string/@json-file.') - with self.argument_context('sentinel incident list') as c: + with self.argument_context('sentinel threat-intelligence-indicator list') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') c.argument('workspace_name', type=str, help='The name of the workspace.') 
c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' 'condition. Optional.') - c.argument('orderby', type=str, help='Sorts the results. Optional.') c.argument('top', type=int, help='Returns only the first n results. Optional.') c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. ' 'Optional.') + c.argument('orderby', type=str, help='Sorts the results. Optional.') - with self.argument_context('sentinel incident show') as c: + with self.argument_context('sentinel threat-intelligence-indicator-metric list') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') + c.argument('workspace_name', type=str, help='The name of the workspace.') + + with self.argument_context('sentinel watchlist list') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' + 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' + 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
' + 'Optional.') + + with self.argument_context('sentinel watchlist show') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('watchlist_alias', type=str, help='The watchlist alias', id_part='child_name_1') - with self.argument_context('sentinel incident create') as c: + with self.argument_context('sentinel watchlist create') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('incident_id', type=str, help='Incident ID') + c.argument('watchlist_alias', type=str, help='The watchlist alias') c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', '' - 'FalsePositive']), help='The reason the incident was ' - 'closed') - c.argument('classification_comment', type=str, help='Describes the reason the incident was closed') - c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 'SuspiciousButExpected', '' - 'IncorrectAlertLogic', 'InaccurateData']), help='' - 'The classification reason the incident was closed with') - c.argument('description', type=str, help='The description of the incident') - c.argument('first_activity_time_utc', help='The time of the first activity in the incident') - c.argument('labels', action=AddLabels, nargs='*', help='List of labels relevant to this incident') - 
c.argument('last_activity_time_utc', help='The time of the last activity in the incident') - c.argument('owner', action=AddOwner, nargs='*', help='Describes a user that the incident is assigned to') - c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity ' - 'of the incident') - c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident') - c.argument('title', type=str, help='The title of the incident') + c.argument('watchlist_id', type=str, help='The id (a Guid) of the watchlist') + c.argument('display_name', type=str, help='The display name of the watchlist') + c.argument('provider', type=str, help='The provider of the watchlist') + c.argument('source', arg_type=get_enum_type(['Local file', 'Remote storage']), help='The source of the ' + 'watchlist') + c.argument('created', help='The time the watchlist was created') + c.argument('updated', help='The last time the watchlist was updated') + c.argument('description', type=str, help='A description of the watchlist') + c.argument('watchlist_type', type=str, help='The type of the watchlist') + c.argument('watchlist_properties_watchlist_alias', type=str, help='The alias of the watchlist') + c.argument('is_deleted', arg_type=get_three_state_flag(), help='A flag that indicates if the watchlist is ' + 'deleted or not') + c.argument('labels', nargs='+', help='List of labels relevant to this watchlist') + c.argument('default_duration', help='The default duration of a watchlist (in ISO 8601 duration format)') + c.argument('tenant_id', type=str, help='The tenantId where the watchlist belongs to') + c.argument('number_of_lines_to_skip', type=int, help='The number of lines in a csv content to skip before the ' + 'header') + c.argument('raw_content', type=str, help='The raw content that represents to watchlist items to create. 
' + 'Example : This line will be skipped header1,header2 value1,value2') + c.argument('items_search_key', type=str, help='The search key is used to optimize query performance when using ' + 'watchlists for joins with other data. For example, enable a column with IP addresses to be the ' + 'designated SearchKey field, then use this field as the key field when joining to other event data ' + 'by IP address.') + c.argument('properties_content_type', type=str, help='The content type of the raw content. For now, only ' + 'text/csv is valid') + c.argument('upload_status', type=str, help='The status of the Watchlist upload : New, InProgress or Complete. ' + '**Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted') + c.argument('object_id', help='The object id of the user.', arg_group='Updated By') + c.argument('user_info_object_id', help='The object id of the user.', arg_group='Created By') - with self.argument_context('sentinel incident update') as c: + with self.argument_context('sentinel watchlist update') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('watchlist_alias', type=str, help='The watchlist alias', id_part='child_name_1') c.argument('etag', type=str, help='Etag of the azure resource') - c.argument('classification', arg_type=get_enum_type(['Undetermined', 'TruePositive', 'BenignPositive', '' - 'FalsePositive']), help='The reason the incident was ' - 'closed') - c.argument('classification_comment', type=str, help='Describes the reason the incident was closed') - c.argument('classification_reason', arg_type=get_enum_type(['SuspiciousActivity', 
'SuspiciousButExpected', '' - 'IncorrectAlertLogic', 'InaccurateData']), help='' - 'The classification reason the incident was closed with') - c.argument('description', type=str, help='The description of the incident') - c.argument('first_activity_time_utc', help='The time of the first activity in the incident') - c.argument('labels', action=AddLabels, nargs='*', help='List of labels relevant to this incident') - c.argument('last_activity_time_utc', help='The time of the last activity in the incident') - c.argument('owner', action=AddOwner, nargs='*', help='Describes a user that the incident is assigned to') - c.argument('severity', arg_type=get_enum_type(['High', 'Medium', 'Low', 'Informational']), help='The severity ' - 'of the incident') - c.argument('status', arg_type=get_enum_type(['New', 'Active', 'Closed']), help='The status of the incident') - c.argument('title', type=str, help='The title of the incident') + c.argument('watchlist_id', type=str, help='The id (a Guid) of the watchlist') + c.argument('display_name', type=str, help='The display name of the watchlist') + c.argument('provider', type=str, help='The provider of the watchlist') + c.argument('source', arg_type=get_enum_type(['Local file', 'Remote storage']), help='The source of the ' + 'watchlist') + c.argument('created', help='The time the watchlist was created') + c.argument('updated', help='The last time the watchlist was updated') + c.argument('description', type=str, help='A description of the watchlist') + c.argument('watchlist_type', type=str, help='The type of the watchlist') + c.argument('watchlist_properties_watchlist_alias', type=str, help='The alias of the watchlist', + id_part='child_name_1') + c.argument('is_deleted', arg_type=get_three_state_flag(), help='A flag that indicates if the watchlist is ' + 'deleted or not') + c.argument('labels', nargs='+', help='List of labels relevant to this watchlist') + c.argument('default_duration', help='The default duration of a watchlist (in ISO 
8601 duration format)') + c.argument('tenant_id', type=str, help='The tenantId where the watchlist belongs to') + c.argument('number_of_lines_to_skip', type=int, help='The number of lines in a csv content to skip before the ' + 'header') + c.argument('raw_content', type=str, help='The raw content that represents to watchlist items to create. ' + 'Example : This line will be skipped header1,header2 value1,value2') + c.argument('items_search_key', type=str, help='The search key is used to optimize query performance when using ' + 'watchlists for joins with other data. For example, enable a column with IP addresses to be the ' + 'designated SearchKey field, then use this field as the key field when joining to other event data ' + 'by IP address.') + c.argument('properties_content_type', type=str, help='The content type of the raw content. For now, only ' + 'text/csv is valid') + c.argument('upload_status', type=str, help='The status of the Watchlist upload : New, InProgress or Complete. ' + '**Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted') + c.argument('object_id', help='The object id of the user.', arg_group='Updated By') + c.argument('user_info_object_id', help='The object id of the user.', arg_group='Created By') + c.ignore('watchlist') - with self.argument_context('sentinel incident delete') as c: + with self.argument_context('sentinel watchlist delete') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') + c.argument('watchlist_alias', type=str, help='The watchlist alias', id_part='child_name_1') - with self.argument_context('sentinel incident-comment list') as c: + 
with self.argument_context('sentinel watchlist-item list') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('incident_id', type=str, help='Incident ID') - c.argument('filter_', options_list=['--filter'], type=str, help='Filters the results, based on a Boolean ' - 'condition. Optional.') - c.argument('orderby', type=str, help='Sorts the results. Optional.') - c.argument('top', type=int, help='Returns only the first n results. Optional.') + c.argument('watchlist_alias', type=str, help='The watchlist alias') c.argument('skip_token', type=str, help='Skiptoken is only used if a previous operation returned a partial ' 'result. If a previous response contains a nextLink element, the value of the nextLink element will ' 'include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
' 'Optional.') - with self.argument_context('sentinel incident-comment show') as c: + with self.argument_context('sentinel watchlist-item show') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') - c.argument('incident_id', type=str, help='Incident ID', id_part='child_name_1') - c.argument('incident_comment_id', type=str, help='Incident comment ID', id_part='child_name_2') + c.argument('watchlist_alias', type=str, help='The watchlist alias', id_part='child_name_1') + c.argument('watchlist_item_id', type=str, help='The watchlist item id (GUID)', id_part='child_name_2') - with self.argument_context('sentinel incident-comment create') as c: + with self.argument_context('sentinel watchlist-item create') as c: c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.') c.argument('workspace_name', type=str, help='The name of the workspace.') - c.argument('incident_id', type=str, help='Incident ID') - c.argument('incident_comment_id', type=str, help='Incident comment ID') - c.argument('message', type=str, help='The comment message') + c.argument('watchlist_alias', type=str, help='The watchlist alias') + c.argument('watchlist_item_id', type=str, help='The watchlist item id (GUID)') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('watchlist_item_type', type=str, help='The type of the watchlist item') + c.argument('watchlist_item_properties_watchlist_item_id_watchlist_item_id', type=str, help='The id (a Guid) of ' + 'the watchlist item') + c.argument('tenant_id', type=str, help='The tenantId to which the watchlist 
item belongs to') + c.argument('is_deleted', arg_type=get_three_state_flag(), help='A flag that indicates if the watchlist item is ' + 'deleted or not') + c.argument('created', help='The time the watchlist item was created') + c.argument('updated', help='The last time the watchlist item was updated') + c.argument('items_key_value', type=validate_file_or_dict, help='key-value pairs for a watchlist item Expected ' + 'value: json-string/@json-file.') + c.argument('entity_mapping', type=validate_file_or_dict, help='key-value pairs for a watchlist item entity ' + 'mapping Expected value: json-string/@json-file.') + c.argument('object_id', help='The object id of the user.', arg_group='Updated By') + c.argument('user_info_object_id', help='The object id of the user.', arg_group='Created By') + + with self.argument_context('sentinel watchlist-item update') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('watchlist_alias', type=str, help='The watchlist alias', id_part='child_name_1') + c.argument('watchlist_item_id', type=str, help='The watchlist item id (GUID)', id_part='child_name_2') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('watchlist_item_type', type=str, help='The type of the watchlist item') + c.argument('watchlist_item_properties_watchlist_item_id_watchlist_item_id', type=str, help='The id (a Guid) of ' + 'the watchlist item', id_part='child_name_2') + c.argument('tenant_id', type=str, help='The tenantId to which the watchlist item belongs to') + c.argument('is_deleted', arg_type=get_three_state_flag(), help='A flag that indicates if the watchlist item is ' + 'deleted or not') + c.argument('created', help='The time the watchlist item 
was created') + c.argument('updated', help='The last time the watchlist item was updated') + c.argument('items_key_value', type=validate_file_or_dict, help='key-value pairs for a watchlist item Expected ' + 'value: json-string/@json-file.') + c.argument('entity_mapping', type=validate_file_or_dict, help='key-value pairs for a watchlist item entity ' + 'mapping Expected value: json-string/@json-file.') + c.argument('object_id', help='The object id of the user.', arg_group='Updated By') + c.argument('user_info_object_id', help='The object id of the user.', arg_group='Created By') + c.ignore('watchlist_item') + + with self.argument_context('sentinel watchlist-item delete') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('operational_insights_resource_provider', type=str, help='The namespace of workspaces resource ' + 'provider- Microsoft.OperationalInsights.', id_part='namespace') + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('watchlist_alias', type=str, help='The watchlist alias', id_part='child_name_1') + c.argument('watchlist_item_id', type=str, help='The watchlist item id (GUID)', id_part='child_name_2') + + with self.argument_context('sentinel alert-rule list') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + + with self.argument_context('sentinel alert-rule show') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + + with self.argument_context('sentinel alert-rule create') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('rule_id', type=str, help='Alert rule ID') + 
c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='+', help='Represents Fusion alert rule.', + arg_group='AlertRule') + c.argument('microsoft_security_incident_creation_alert_rule', + action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='+', help='Represents ' + 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule') + c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='+', help='Represents scheduled alert ' + 'rule.', arg_group='AlertRule') + + with self.argument_context('sentinel alert-rule update') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + c.argument('fusion_alert_rule', action=AddFusionAlertRule, nargs='+', help='Represents Fusion alert rule.', + arg_group='AlertRule') + c.argument('microsoft_security_incident_creation_alert_rule', + action=AddMicrosoftSecurityIncidentCreationAlertRule, nargs='+', help='Represents ' + 'MicrosoftSecurityIncidentCreation rule.', arg_group='AlertRule') + c.argument('scheduled_alert_rule', action=AddScheduledAlertRule, nargs='+', help='Represents scheduled alert ' + 'rule.', arg_group='AlertRule') + + with self.argument_context('sentinel alert-rule delete') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + + with self.argument_context('sentinel action list') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('rule_id', type=str, help='Alert rule ID') + + with self.argument_context('sentinel action show') as c: + c.argument('resource_group_name', resource_group_name_type) + 
c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + c.argument('action_id', type=str, help='Action ID', id_part='child_name_2') + + with self.argument_context('sentinel action create') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + c.argument('rule_id', type=str, help='Alert rule ID') + c.argument('action_id', type=str, help='Action ID') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('logic_app_resource_id', type=str, help='Logic App Resource Id, /subscriptions/{my-subscription}/res' + 'ourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.') + c.argument('trigger_uri', type=str, help='Logic App Callback URL for this specific workflow.') + + with self.argument_context('sentinel action update') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + c.argument('action_id', type=str, help='Action ID', id_part='child_name_2') + c.argument('etag', type=str, help='Etag of the azure resource') + c.argument('logic_app_resource_id', type=str, help='Logic App Resource Id, /subscriptions/{my-subscription}/res' + 'ourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.') + c.argument('trigger_uri', type=str, help='Logic App Callback URL for this specific workflow.') + + with self.argument_context('sentinel action delete') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('rule_id', type=str, help='Alert rule ID', id_part='child_name_1') + c.argument('action_id', 
type=str, help='Action ID', id_part='child_name_2') + + with self.argument_context('sentinel alert-rule-template list') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.') + + with self.argument_context('sentinel alert-rule-template show') as c: + c.argument('resource_group_name', resource_group_name_type) + c.argument('workspace_name', type=str, help='The name of the workspace.', id_part='name') + c.argument('alert_rule_template_id', type=str, help='Alert rule template ID', id_part='child_name_1') diff --git a/src/securityinsight/azext_sentinel/generated/action.py b/src/securityinsight/azext_sentinel/generated/action.py index 6fa9f30cb9b..e281844449a 100644 --- a/src/securityinsight/azext_sentinel/generated/action.py +++ b/src/securityinsight/azext_sentinel/generated/action.py 
@@ -14,76 +14,10 @@ from knack.util import CLIError -class AddFusionAlertRule(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.fusion_alert_rule = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'alert-rule-template-name': - d['alert_rule_template_name'] = v[0] - elif kl == 'enabled': - d['enabled'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'Fusion' - return d - - -class AddMicrosoftSecurityIncidentCreationAlertRule(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.microsoft_security_incident_creation_alert_rule = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'display-names-filter': - d['display_names_filter'] = v - elif kl == 'display-names-exclude-filter': - d['display_names_exclude_filter'] = v - elif kl == 'product-filter': - d['product_filter'] = v[0] - elif kl == 'severities-filter': - d['severities_filter'] = v - elif kl == 'alert-rule-template-name': - d['alert_rule_template_name'] = v[0] - elif kl == 'description': - d['description'] = v[0] - elif kl == 'display-name': - d['display_name'] = v[0] - elif kl == 'enabled': - 
d['enabled'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'MicrosoftSecurityIncidentCreation' - return d - - -class AddScheduledAlertRule(argparse.Action): +class AddLabels(argparse._AppendAction): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.scheduled_alert_rule = action + super(AddLabels, self).__call__(parser, namespace, action, option_string) def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -97,42 +31,18 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'query': - d['query'] = v[0] - elif kl == 'query-frequency': - d['query_frequency'] = v[0] - elif kl == 'query-period': - d['query_period'] = v[0] - elif kl == 'severity': - d['severity'] = v[0] - elif kl == 'trigger-operator': - d['trigger_operator'] = v[0] - elif kl == 'trigger-threshold': - d['trigger_threshold'] = v[0] - elif kl == 'alert-rule-template-name': - d['alert_rule_template_name'] = v[0] - elif kl == 'description': - d['description'] = v[0] - elif kl == 'display-name': - d['display_name'] = v[0] - elif kl == 'enabled': - d['enabled'] = v[0] - elif kl == 'suppression-duration': - d['suppression_duration'] = v[0] - elif kl == 'suppression-enabled': - d['suppression_enabled'] = v[0] - elif kl == 'tactics': - d['tactics'] = v - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'Scheduled' + if kl == 'label-name': + d['label_name'] = v[0] + else: + raise CLIError('Unsupported Key {} is provided for parameter labels. All possible keys are: label-name' + .format(k)) return d -class AddIncidentInfo(argparse.Action): +class AddOwner(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.incident_info = action + namespace.owner = action def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -146,21 +56,24 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'incident-id': - d['incident_id'] = v[0] - elif kl == 'severity': - d['severity'] = v[0] - elif kl == 'title': - d['title'] = v[0] - elif kl == 'relation-name': - d['relation_name'] = v[0] + if kl == 'email': + d['email'] = v[0] + elif kl == 'assigned-to': + d['assigned_to'] = v[0] + elif kl == 'object-id': + d['object_id'] = v[0] + elif kl == 'user-principal-name': + d['user_principal_name'] = v[0] + else: + raise CLIError('Unsupported Key {} is provided for parameter owner. All possible keys are: email, ' + 'assigned-to, object-id, user-principal-name'.format(k)) return d -class AddAadDataConnector(argparse.Action): +class AddKillChainPhases(argparse._AppendAction): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.aad_data_connector = action + super(AddKillChainPhases, self).__call__(parser, namespace, action, option_string) def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -174,20 +87,20 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AzureActiveDirectory' + if kl == 'kill-chain-name': + d['kill_chain_name'] = v[0] + elif kl == 'phase-name': + d['phase_name'] = v[0] + else: + raise CLIError('Unsupported Key {} is provided for parameter kill_chain_phases. All possible keys are: ' + 'kill-chain-name, phase-name'.format(k)) return d -class AddAatpDataConnector(argparse.Action): +class AddParsedPattern(argparse._AppendAction): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.aatp_data_connector = action + super(AddParsedPattern, self).__call__(parser, namespace, action, option_string) def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -201,20 +114,20 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AzureAdvancedThreatProtection' + if kl == 'pattern-type-key': + d['pattern_type_key'] = v[0] + elif kl == 'pattern-type-values': + d['pattern_type_values'] = v + else: + raise CLIError('Unsupported Key {} is provided for parameter parsed_pattern. All possible keys are: ' + 'pattern-type-key, pattern-type-values'.format(k)) return d -class AddAscDataConnector(argparse.Action): +class AddGranularMarkings(argparse._AppendAction): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.asc_data_connector = action + super(AddGranularMarkings, self).__call__(parser, namespace, action, option_string) def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -228,20 +141,22 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'subscription-id': - d['subscription_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AzureSecurityCenter' + if kl == 'language': + d['language'] = v[0] + elif kl == 'marking-ref': + d['marking_ref'] = v[0] + elif kl == 'selectors': + d['selectors'] = v + else: + raise CLIError('Unsupported Key {} is provided for parameter granular_markings. All possible keys are: ' + 'language, marking-ref, selectors'.format(k)) return d -class AddAwsCloudTrailDataConnector(argparse.Action): +class AddSortBy(argparse._AppendAction): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.aws_cloud_trail_data_connector = action + super(AddSortBy, self).__call__(parser, namespace, action, option_string) def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -255,20 +170,20 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'aws-role-arn': - d['aws_role_arn'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'AmazonWebServicesCloudTrail' + if kl == 'item-key': + d['item_key'] = v[0] + elif kl == 'sort-order': + d['sort_order'] = v[0] + else: + raise CLIError('Unsupported Key {} is provided for parameter sort_by. All possible keys are: item-key, ' + 'sort-order'.format(k)) return d -class AddMcasDataConnector(argparse.Action): +class AddFusionAlertRule(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.mcas_data_connector = action + namespace.fusion_alert_rule = action def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -282,22 +197,23 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state-data-types-alerts-state': - d['state_data_types_alerts_state'] = v[0] - elif kl == 'state-data-types-discovery-logs-state': - d['state_data_types_discovery_logs_state'] = v[0] + if kl == 'alert-rule-template-name': + d['alert_rule_template_name'] = v[0] + elif kl == 'enabled': + d['enabled'] = v[0] elif kl == 'etag': d['etag'] = v[0] - d['kind'] = 'MicrosoftCloudAppSecurity' + else: + raise CLIError('Unsupported Key {} is provided for parameter fusion_alert_rule. All possible keys are: ' + 'alert-rule-template-name, enabled, etag'.format(k)) + d['kind'] = 'Fusion' return d -class AddMdatpDataConnector(argparse.Action): +class AddMicrosoftSecurityIncidentCreationAlertRule(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.mdatp_data_connector = action + namespace.microsoft_security_incident_creation_alert_rule = action def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -311,55 +227,37 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] - elif kl == 'etag': - d['etag'] = v[0] - d['kind'] = 'MicrosoftDefenderAdvancedThreatProtection' - return d - - -class AddOfficeDataConnector(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.office_data_connector = action - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = { - 'dataTypes': { - 'sharePoint': {'state': 'Disabled'}, - 'exchange': {'state': 'Disabled'} - } - } - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'tenant-id': - d['tenantId'] = v[0] - elif kl == 'sharepoint-enabled': - d['dataTypes']['sharePoint']['state'] = 'Enabled' - elif kl == 'exchange-enabled': - d['dataTypes']['exchange']['state'] = 'Enabled' + if kl == 'display-names-filter': + d['display_names_filter'] = v + elif kl == 'display-names-exclude-filter': + d['display_names_exclude_filter'] = v + elif kl == 'product-filter': + d['product_filter'] = v[0] + elif kl == 'severities-filter': + d['severities_filter'] = v + elif kl == 'alert-rule-template-name': + d['alert_rule_template_name'] = v[0] + elif kl == 'description': + d['description'] = v[0] + elif kl == 'display-name': + d['display_name'] = v[0] + elif kl == 'enabled': + d['enabled'] = v[0] elif kl == 'etag': d['etag'] = v[0] - d['kind'] = 'Office365' - print(d) + else: + raise CLIError('Unsupported Key {} is provided for parameter microsoft_security_incident_creation_alert' + '_rule. 
All possible keys are: display-names-filter, display-names-exclude-filter, ' + 'product-filter, severities-filter, alert-rule-template-name, description, ' + 'display-name, enabled, etag'.format(k)) + d['kind'] = 'MicrosoftSecurityIncidentCreation' return d -class AddTiDataConnector(argparse.Action): +class AddScheduledAlertRule(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): action = self.get_action(values, option_string) - namespace.ti_data_connector = action + namespace.scheduled_alert_rule = action def get_action(self, values, option_string): # pylint: disable=no-self-use try: 
@@ -373,61 +271,38 @@ def get_action(self, values, option_string): # pylint: disable=no-self-use for k in properties: kl = k.lower() v = properties[k] - if kl == 'tenant-id': - d['tenant_id'] = v[0] - elif kl == 'state': - d['state'] = v[0] + if kl == 'query': + d['query'] = v[0] + elif kl == 'query-frequency': + d['query_frequency'] = v[0] + elif kl == 'query-period': + d['query_period'] = v[0] + elif kl == 'severity': + d['severity'] = v[0] + elif kl == 'trigger-operator': + d['trigger_operator'] = v[0] + elif kl == 'trigger-threshold': + d['trigger_threshold'] = v[0] + elif kl == 'alert-rule-template-name': + d['alert_rule_template_name'] = v[0] + elif kl == 'description': + d['description'] = v[0] + elif kl == 'display-name': + d['display_name'] = v[0] + elif kl == 'enabled': + d['enabled'] = v[0] + elif kl == 'suppression-duration': + d['suppression_duration'] = v[0] + elif kl == 'suppression-enabled': + d['suppression_enabled'] = v[0] + elif kl == 'tactics': + d['tactics'] = v elif kl == 'etag': d['etag'] = v[0] - d['kind'] = 'ThreatIntelligence' - return d - - -class AddLabels(argparse._AppendAction): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - super(AddLabels, self).__call__(parser, namespace, action, option_string) - - def get_action(self, values, option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'label-name': - d['label_name'] = v[0] - return d - - -class AddOwner(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - action = self.get_action(values, option_string) - namespace.owner = action - - def get_action(self, values, 
option_string): # pylint: disable=no-self-use - try: - properties = defaultdict(list) - for (k, v) in (x.split('=', 1) for x in values): - properties[k].append(v) - properties = dict(properties) - except ValueError: - raise CLIError('usage error: {} [KEY=VALUE ...]'.format(option_string)) - d = {} - for k in properties: - kl = k.lower() - v = properties[k] - if kl == 'email': - d['email'] = v[0] - elif kl == 'assigned-to': - d['assigned_to'] = v[0] - elif kl == 'object-id': - d['object_id'] = v[0] - elif kl == 'user-principal-name': - d['user_principal_name'] = v[0] + else: + raise CLIError('Unsupported Key {} is provided for parameter scheduled_alert_rule. All possible keys ' + 'are: query, query-frequency, query-period, severity, trigger-operator, ' + 'trigger-threshold, alert-rule-template-name, description, display-name, enabled, ' + 'suppression-duration, suppression-enabled, tactics, etag'.format(k)) + d['kind'] = 'Scheduled' return d diff --git a/src/securityinsight/azext_sentinel/generated/commands.py b/src/securityinsight/azext_sentinel/generated/commands.py index f8dac3f83d6..cc422446693 100644 --- a/src/securityinsight/azext_sentinel/generated/commands.py +++ b/src/securityinsight/azext_sentinel/generated/commands.py 
@@ -15,86 +15,138 @@ def load_command_table(self, _): + from azext_sentinel.generated._client_factory import cf_incident + sentinel_incident = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incidents_operations#IncidentsOperati' + 'ons.{}', + client_factory=cf_incident) + with self.command_group('sentinel incident', sentinel_incident, client_factory=cf_incident) as g: + g.custom_command('list', 'sentinel_incident_list') + g.custom_show_command('show', 'sentinel_incident_show') + g.custom_command('create', 'sentinel_incident_create') + g.generic_update_command('update', setter_arg_name='incident', custom_func_name='sentinel_incident_update') + g.custom_command('delete', 'sentinel_incident_delete', confirmation=True) + g.custom_command('list-of-alert', 'sentinel_incident_list_of_alert') + g.custom_command('list-of-bookmark', 'sentinel_incident_list_of_bookmark') + g.custom_command('list-of-entity', 'sentinel_incident_list_of_entity') + + from azext_sentinel.generated._client_factory import cf_incident_comment + sentinel_incident_comment = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_comments_operations#Incident' + 'CommentsOperations.{}', + client_factory=cf_incident_comment) + with self.command_group('sentinel incident-comment', sentinel_incident_comment, + client_factory=cf_incident_comment) as g: + g.custom_command('list', 'sentinel_incident_comment_list') + g.custom_show_command('show', 'sentinel_incident_comment_show') + g.custom_command('create', 'sentinel_incident_comment_create') + g.custom_command('delete', 'sentinel_incident_comment_delete', confirmation=True) + + from azext_sentinel.generated._client_factory import cf_incident_relation + sentinel_incident_relation = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_relations_operations#Inciden' + 'tRelationsOperations.{}', + 
client_factory=cf_incident_relation) + with self.command_group('sentinel incident-relation', sentinel_incident_relation, + client_factory=cf_incident_relation) as g: + g.custom_command('list', 'sentinel_incident_relation_list') + g.custom_command('create', 'sentinel_incident_relation_create') + g.custom_command('delete', 'sentinel_incident_relation_delete', confirmation=True) + g.custom_command('show-relation', 'sentinel_incident_relation_show_relation') + + from azext_sentinel.generated._client_factory import cf_threat_intelligence_indicator + sentinel_threat_intelligence_indicator = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._threat_intelligence_indicator_operati' + 'ons#ThreatIntelligenceIndicatorOperations.{}', + client_factory=cf_threat_intelligence_indicator) + with self.command_group('sentinel threat-intelligence-indicator', sentinel_threat_intelligence_indicator, + client_factory=cf_threat_intelligence_indicator) as g: + g.custom_show_command('show', 'sentinel_threat_intelligence_indicator_show') + g.custom_command('create', 'sentinel_threat_intelligence_indicator_create') + g.custom_command('delete', 'sentinel_threat_intelligence_indicator_delete', confirmation=True) + g.custom_command('append-tag', 'sentinel_threat_intelligence_indicator_append_tag') + g.custom_command('create-indicator', 'sentinel_threat_intelligence_indicator_create_indicator') + g.custom_command('query-indicator', 'sentinel_threat_intelligence_indicator_query_indicator') + g.custom_command('replace-tag', 'sentinel_threat_intelligence_indicator_replace_tag') + + from azext_sentinel.generated._client_factory import cf_threat_intelligence_indicator + sentinel_threat_intelligence_indicator = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._threat_intelligence_indicators_operat' + 'ions#ThreatIntelligenceIndicatorsOperations.{}', + client_factory=cf_threat_intelligence_indicator) + with 
self.command_group('sentinel threat-intelligence-indicator', sentinel_threat_intelligence_indicator, + client_factory=cf_threat_intelligence_indicator) as g: + g.custom_command('list', 'sentinel_threat_intelligence_indicator_list') + + from azext_sentinel.generated._client_factory import cf_threat_intelligence_indicator_metric + sentinel_threat_intelligence_indicator_metric = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._threat_intelligence_indicator_metrics' + '_operations#ThreatIntelligenceIndicatorMetricsOperations.{}', + client_factory=cf_threat_intelligence_indicator_metric) + with self.command_group('sentinel threat-intelligence-indicator-metric', + sentinel_threat_intelligence_indicator_metric, + client_factory=cf_threat_intelligence_indicator_metric) as g: + g.custom_command('list', 'sentinel_threat_intelligence_indicator_metric_list') + + from azext_sentinel.generated._client_factory import cf_watchlist + sentinel_watchlist = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._watchlists_operations#WatchlistsOpera' + 'tions.{}', + client_factory=cf_watchlist) + with self.command_group('sentinel watchlist', sentinel_watchlist, client_factory=cf_watchlist) as g: + g.custom_command('list', 'sentinel_watchlist_list') + g.custom_show_command('show', 'sentinel_watchlist_show') + g.custom_command('create', 'sentinel_watchlist_create') + g.generic_update_command('update', setter_arg_name='watchlist', custom_func_name='sentinel_watchlist_update') + g.custom_command('delete', 'sentinel_watchlist_delete', confirmation=True) + + from azext_sentinel.generated._client_factory import cf_watchlist_item + sentinel_watchlist_item = CliCommandType( + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._watchlist_items_operations#WatchlistI' + 'temsOperations.{}', + client_factory=cf_watchlist_item) + with self.command_group('sentinel watchlist-item', 
sentinel_watchlist_item, + client_factory=cf_watchlist_item) as g: + g.custom_command('list', 'sentinel_watchlist_item_list') + g.custom_show_command('show', 'sentinel_watchlist_item_show') + g.custom_command('create', 'sentinel_watchlist_item_create') + g.generic_update_command('update', setter_arg_name='watchlist_item', + custom_func_name='sentinel_watchlist_item_update') + g.custom_command('delete', 'sentinel_watchlist_item_delete', confirmation=True) + from azext_sentinel.generated._client_factory import cf_alert_rule sentinel_alert_rule = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_operations#AlertRuleOperat' - 'ions.{}', + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rules_operations#AlertRulesOper' + 'ations.{}', client_factory=cf_alert_rule) - with self.command_group('sentinel alert-rule', sentinel_alert_rule, client_factory=cf_alert_rule, - is_experimental=True) as g: + with self.command_group('sentinel alert-rule', sentinel_alert_rule, client_factory=cf_alert_rule) as g: g.custom_command('list', 'sentinel_alert_rule_list') g.custom_show_command('show', 'sentinel_alert_rule_show') g.custom_command('create', 'sentinel_alert_rule_create') - g.generic_update_command('update', setter_arg_name='alert_rule', - custom_func_name='sentinel_alert_rule_update') + g.custom_command('update', 'sentinel_alert_rule_update') g.custom_command('delete', 'sentinel_alert_rule_delete', confirmation=True) - g.custom_command('get-action', 'sentinel_alert_rule_get_action') from azext_sentinel.generated._client_factory import cf_action sentinel_action = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._action_operations#ActionOperations.{}' - '', + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._actions_operations#ActionsOperations.' 
+ '{}', client_factory=cf_action) - with self.command_group('sentinel action', sentinel_action, client_factory=cf_action, is_experimental=True) as g: + with self.command_group('sentinel action', sentinel_action, client_factory=cf_action) as g: g.custom_command('list', 'sentinel_action_list') + g.custom_show_command('show', 'sentinel_action_show') + g.custom_command('create', 'sentinel_action_create') + g.custom_command('update', 'sentinel_action_update') + g.custom_command('delete', 'sentinel_action_delete', confirmation=True) from azext_sentinel.generated._client_factory import cf_alert_rule_template sentinel_alert_rule_template = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_template_operations#AlertR' - 'uleTemplateOperations.{}', + operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._alert_rule_templates_operations#Alert' + 'RuleTemplatesOperations.{}', client_factory=cf_alert_rule_template) with self.command_group('sentinel alert-rule-template', sentinel_alert_rule_template, - client_factory=cf_alert_rule_template, is_experimental=True) as g: + client_factory=cf_alert_rule_template) as g: g.custom_command('list', 'sentinel_alert_rule_template_list') g.custom_show_command('show', 'sentinel_alert_rule_template_show') - from azext_sentinel.generated._client_factory import cf_bookmark - sentinel_bookmark = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._bookmark_operations#BookmarkOperation' - 's.{}', - client_factory=cf_bookmark) - with self.command_group('sentinel bookmark', sentinel_bookmark, client_factory=cf_bookmark, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_bookmark_list') - g.custom_show_command('show', 'sentinel_bookmark_show') - g.custom_command('create', 'sentinel_bookmark_create') - g.custom_command('update', 'sentinel_bookmark_update') - g.custom_command('delete', 'sentinel_bookmark_delete', 
confirmation=True) - - from azext_sentinel.generated._client_factory import cf_data_connector - sentinel_data_connector = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._data_connector_operations#DataConnect' - 'orOperations.{}', - client_factory=cf_data_connector) - with self.command_group('sentinel data-connector', sentinel_data_connector, client_factory=cf_data_connector, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_data_connector_list') - g.custom_show_command('show', 'sentinel_data_connector_show') - g.custom_command('create', 'sentinel_data_connector_create') - g.generic_update_command('update', setter_arg_name='data_connector', custom_func_name='' - 'sentinel_data_connector_update') - g.custom_command('delete', 'sentinel_data_connector_delete', confirmation=True) - - from azext_sentinel.generated._client_factory import cf_incident - sentinel_incident = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_operations#IncidentOperation' - 's.{}', - client_factory=cf_incident) - with self.command_group('sentinel incident', sentinel_incident, client_factory=cf_incident, - is_experimental=True) as g: - g.custom_command('list', 'sentinel_incident_list') - g.custom_show_command('show', 'sentinel_incident_show') - g.custom_command('create', 'sentinel_incident_create') - g.custom_command('update', 'sentinel_incident_update') - g.custom_command('delete', 'sentinel_incident_delete', confirmation=True) - - from azext_sentinel.generated._client_factory import cf_incident_comment - sentinel_incident_comment = CliCommandType( - operations_tmpl='azext_sentinel.vendored_sdks.securityinsight.operations._incident_comment_operations#IncidentC' - 'ommentOperations.{}', - client_factory=cf_incident_comment) - with self.command_group('sentinel incident-comment', sentinel_incident_comment, client_factory=cf_incident_comment, - is_experimental=True) as g: - 
g.custom_command('list', 'sentinel_incident_comment_list') - g.custom_show_command('show', 'sentinel_incident_comment_show') - g.custom_command('create', 'sentinel_incident_comment_create') + with self.command_group('sentinel', is_experimental=True): + pass diff --git a/src/securityinsight/azext_sentinel/generated/custom.py b/src/securityinsight/azext_sentinel/generated/custom.py index f0bd94de342..779bd24d4bb 100644 --- a/src/securityinsight/azext_sentinel/generated/custom.py +++ b/src/securityinsight/azext_sentinel/generated/custom.py 
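Review bot: The `sentinel threat-intelligence-indicator` group is registered twice with the same `cf_threat_intelligence_indicator` factory but two different `operations_tmpl` values (`ThreatIntelligenceIndicatorOperations` and `ThreatIntelligenceIndicatorsOperations`), and the second block rebinds the same `sentinel_threat_intelligence_indicator` name. Because every command in both groups is a `custom_command`, the client each handler receives comes from the factory rather than from `operations_tmpl`, so unless `cf_threat_intelligence_indicator` returns an object exposing both `query_indicators` and `list`, `sentinel_threat_intelligence_indicator_list` will call `list` on the wrong operations class at runtime. I would give the `list` command its own factory, e.g. `client_factory=cf_threat_intelligence_indicators` imported from `_client_factory`, and name the second `CliCommandType` distinctly so the rebinding is visible. Removing the `bookmark` and `data-connector` groups is also a breaking change for existing scripts and should be called out in the extension's history, not just implied by the diff.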
@@ -13,286 +13,6 @@ from knack.util import CLIError -def sentinel_alert_rule_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_alert_rule_show(client, - resource_group_name, - workspace_name, - rule_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id) - - -def sentinel_alert_rule_create(client, - resource_group_name, - workspace_name, - rule_id, - action_id=None, - etag=None, - logic_app_resource_id=None, - trigger_uri=None, - fusion_alert_rule=None, - microsoft_security_incident_creation_alert_rule=None, - scheduled_alert_rule=None): - all_alert_rule = [] - if fusion_alert_rule is not None: - all_alert_rule.append(fusion_alert_rule) - if microsoft_security_incident_creation_alert_rule is not None: - all_alert_rule.append(microsoft_security_incident_creation_alert_rule) - if scheduled_alert_rule is not None: - all_alert_rule.append(scheduled_alert_rule) - if len(all_alert_rule) > 1: - raise CLIError('at most one of fusion_alert_rule, microsoft_security_incident_creation_alert_rule, ' - 'scheduled_alert_rule is needed for alert_rule!') - alert_rule = all_alert_rule[0] if len(all_alert_rule) == 1 else None - if resource_group_name and workspace_name is not None and rule_id is not None and action_id is not None: - return client.create_or_update_action(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - action_id=action_id, - etag=etag, - logic_app_resource_id=logic_app_resource_id, - trigger_uri=trigger_uri) - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - alert_rule=alert_rule) - - -def sentinel_alert_rule_update(instance, - resource_group_name, - workspace_name, - rule_id, - fusion_alert_rule=None, - microsoft_security_incident_creation_alert_rule=None, - 
scheduled_alert_rule=None): - return instance - - -def sentinel_alert_rule_delete(client, - resource_group_name, - workspace_name, - rule_id, - action_id=None): - if resource_group_name and workspace_name is not None and rule_id is not None and action_id is not None: - return client.delete_action(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - action_id=action_id) - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id) - - -def sentinel_alert_rule_get_action(client, - resource_group_name, - workspace_name, - rule_id, - action_id): - return client.get_action(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id, - action_id=action_id) - - -def sentinel_action_list(client, - resource_group_name, - workspace_name, - rule_id): - return client.list_by_alert_rule(resource_group_name=resource_group_name, - workspace_name=workspace_name, - rule_id=rule_id) - - -def sentinel_alert_rule_template_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_alert_rule_template_show(client, - resource_group_name, - workspace_name, - alert_rule_template_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - alert_rule_template_id=alert_rule_template_id) - - -def sentinel_bookmark_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_bookmark_show(client, - resource_group_name, - workspace_name, - bookmark_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id) - - -def sentinel_bookmark_create(client, - resource_group_name, - workspace_name, - bookmark_id, - etag=None, - created=None, - display_name=None, 
- labels=None, - notes=None, - query_content=None, - query_result=None, - updated=None, - incident_info=None, - updated_by_object_id=None): - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id, - etag=etag, - created=created, - display_name=display_name, - labels=labels, - notes=notes, - query=query_content, - query_result=query_result, - updated=updated, - incident_info=incident_info, - object_id=updated_by_object_id) - - -def sentinel_bookmark_update(client, - resource_group_name, - workspace_name, - bookmark_id, - etag=None, - created=None, - display_name=None, - labels=None, - notes=None, - query_content=None, - query_result=None, - updated=None, - incident_info=None, - updated_by_object_id=None): - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id, - etag=etag, - created=created, - display_name=display_name, - labels=labels, - notes=notes, - query=query_content, - query_result=query_result, - updated=updated, - incident_info=incident_info, - object_id=updated_by_object_id) - - -def sentinel_bookmark_delete(client, - resource_group_name, - workspace_name, - bookmark_id): - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - bookmark_id=bookmark_id) - - -def sentinel_data_connector_list(client, - resource_group_name, - workspace_name): - return client.list(resource_group_name=resource_group_name, - workspace_name=workspace_name) - - -def sentinel_data_connector_show(client, - resource_group_name, - workspace_name, - data_connector_id): - return client.get(resource_group_name=resource_group_name, - workspace_name=workspace_name, - data_connector_id=data_connector_id) - - -def sentinel_data_connector_create(client, - resource_group_name, - workspace_name, - data_connector_id, - aad_data_connector=None, - aatp_data_connector=None, - asc_data_connector=None, - 
aws_cloud_trail_data_connector=None, - mcas_data_connector=None, - mdatp_data_connector=None, - office_data_connector=None, - ti_data_connector=None): - all_data_connector = [] - if aad_data_connector is not None: - all_data_connector.append(aad_data_connector) - if aatp_data_connector is not None: - all_data_connector.append(aatp_data_connector) - if asc_data_connector is not None: - all_data_connector.append(asc_data_connector) - if aws_cloud_trail_data_connector is not None: - all_data_connector.append(aws_cloud_trail_data_connector) - if mcas_data_connector is not None: - all_data_connector.append(mcas_data_connector) - if mdatp_data_connector is not None: - all_data_connector.append(mdatp_data_connector) - if office_data_connector is not None: - all_data_connector.append(office_data_connector) - if ti_data_connector is not None: - all_data_connector.append(ti_data_connector) - if len(all_data_connector) > 1: - raise CLIError('at most one of aad_data_connector, aatp_data_connector, asc_data_connector, ' - 'aws_cloud_trail_data_connector, mcas_data_connector, mdatp_data_connector, ' - 'office_data_connector, ti_data_connector is needed for data_connector!') - if len(all_data_connector) != 1: - raise CLIError('data_connector is required. 
but none of aad_data_connector, aatp_data_connector, ' - 'asc_data_connector, aws_cloud_trail_data_connector, mcas_data_connector, mdatp_data_connector, ' - 'office_data_connector, ti_data_connector is provided!') - data_connector = all_data_connector[0] if len(all_data_connector) == 1 else None - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - data_connector_id=data_connector_id, - data_connector=data_connector) - - -def sentinel_data_connector_update(instance, - resource_group_name, - workspace_name, - data_connector_id, - aad_data_connector=None, - aatp_data_connector=None, - asc_data_connector=None, - aws_cloud_trail_data_connector=None, - mcas_data_connector=None, - mdatp_data_connector=None, - office_data_connector=None, - ti_data_connector=None): - return instance - - -def sentinel_data_connector_delete(client, - resource_group_name, - workspace_name, - data_connector_id): - return client.delete(resource_group_name=resource_group_name, - workspace_name=workspace_name, - data_connector_id=data_connector_id) - - def sentinel_incident_list(client, resource_group_name, workspace_name, 
@@ -333,24 +53,26 @@ def sentinel_incident_create(client, severity=None, status=None, title=None): + incident = {} + incident['etag'] = etag + incident['classification'] = classification + incident['classification_comment'] = classification_comment + incident['classification_reason'] = classification_reason + incident['description'] = description + incident['first_activity_time_utc'] = first_activity_time_utc + incident['labels'] = labels + incident['last_activity_time_utc'] = last_activity_time_utc + incident['owner'] = owner + incident['severity'] = severity + incident['status'] = status + incident['title'] = title return client.create_or_update(resource_group_name=resource_group_name, workspace_name=workspace_name, incident_id=incident_id, - etag=etag, - classification=classification, - classification_comment=classification_comment, - classification_reason=classification_reason, - description=description, - first_activity_time_utc=first_activity_time_utc, - labels=labels, - last_activity_time_utc=last_activity_time_utc, - owner=owner, - severity=severity, - status=status, - title=title) - - -def sentinel_incident_update(client, + incident=incident) + + +def sentinel_incident_update(instance, resource_group_name, workspace_name, incident_id, 
@@ -366,21 +88,31 @@ def sentinel_incident_update(client, severity=None, status=None, title=None): - return client.create_or_update(resource_group_name=resource_group_name, - workspace_name=workspace_name, - incident_id=incident_id, - etag=etag, - classification=classification, - classification_comment=classification_comment, - classification_reason=classification_reason, - description=description, - first_activity_time_utc=first_activity_time_utc, - labels=labels, - last_activity_time_utc=last_activity_time_utc, - owner=owner, - severity=severity, - status=status, - title=title) + if etag is not None: + instance.etag = etag + if classification is not None: + instance.classification = classification + if classification_comment is not None: + instance.classification_comment = classification_comment + if classification_reason is not None: + instance.classification_reason = classification_reason + if description is not None: + instance.description = description + if first_activity_time_utc is not None: + instance.first_activity_time_utc = first_activity_time_utc + if labels is not None: + instance.labels = labels + if last_activity_time_utc is not None: + instance.last_activity_time_utc = last_activity_time_utc + if owner is not None: + instance.owner = owner + if severity is not None: + instance.severity = severity + if status is not None: + instance.status = status + if title is not None: + instance.title = title + return instance def sentinel_incident_delete(client, 
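Review bot: `sentinel_incident_update` now mutates the fetched `instance` field by field, and each list-valued field is replaced wholesale: `if labels is not None: instance.labels = labels` drops every existing label instead of adding to them, which is easy to misread for an incident-triage command. A short docstring would prevent that: state that this is the `custom_func_name` hook of a `generic_update_command`, that only explicitly supplied options are applied to the fetched object, and that `--labels` replaces the existing list whereas the generic `--add labels ...` form appends; it should also note that a supplied `--etag` overrides the one the getter fetched, which matters for optimistic-concurrency checks. The function's signature starts above the hunk, so I cannot tell whether any of its parameters are documented there.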
@@ -392,6 +124,33 @@ def sentinel_incident_delete(client, incident_id=incident_id) +def sentinel_incident_list_of_alert(client, + resource_group_name, + workspace_name, + incident_id): + return client.list_of_alerts(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id) + + +def sentinel_incident_list_of_bookmark(client, + resource_group_name, + workspace_name, + incident_id): + return client.list_of_bookmarks(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id) + + +def sentinel_incident_list_of_entity(client, + resource_group_name, + workspace_name, + incident_id): + return client.list_of_entities(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id) + + def sentinel_incident_comment_list(client, resource_group_name, workspace_name, 
@@ -425,9 +184,839 @@ def sentinel_incident_comment_create(client, workspace_name, incident_id, incident_comment_id, + etag=None, message=None): + incident_comment = {} + incident_comment['etag'] = etag + incident_comment['message'] = message return client.create_comment(resource_group_name=resource_group_name, workspace_name=workspace_name, incident_id=incident_id, incident_comment_id=incident_comment_id, - message=message) + incident_comment=incident_comment) + + +def sentinel_incident_comment_delete(client, + resource_group_name, + workspace_name, + incident_id, + incident_comment_id): + return client.delete_comment(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id, + incident_comment_id=incident_comment_id) + + +def sentinel_incident_relation_list(client, + resource_group_name, + workspace_name, + incident_id, + filter_=None, + orderby=None, + top=None, + skip_token=None): + return client.list(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id, + filter=filter_, + orderby=orderby, + top=top, + skip_token=skip_token) + + +def sentinel_incident_relation_create(client, + resource_group_name, + workspace_name, + incident_id, + relation_name, + etag=None, + related_resource_id=None): + relation = {} + relation['etag'] = etag + relation['related_resource_id'] = related_resource_id + return client.create_or_update_relation(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id, + relation_name=relation_name, + relation=relation) + + +def sentinel_incident_relation_delete(client, + resource_group_name, + workspace_name, + incident_id, + relation_name): + return client.delete_relation(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id, + relation_name=relation_name) + + +def sentinel_incident_relation_show_relation(client, + resource_group_name, + workspace_name, + incident_id, + 
relation_name): + return client.get_relation(resource_group_name=resource_group_name, + workspace_name=workspace_name, + incident_id=incident_id, + relation_name=relation_name) + + +def sentinel_threat_intelligence_indicator_show(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + name): + return client.get(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + name=name) + + +def sentinel_threat_intelligence_indicator_create(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + name, + etag=None, + threat_intelligence_tags=None, + last_updated_time_utc=None, + source=None, + display_name=None, + description=None, + indicator_types=None, + pattern=None, + pattern_type=None, + pattern_version=None, + kill_chain_phases=None, + parsed_pattern=None, + external_id=None, + created_by_ref=None, + defanged=None, + external_last_updated_time_utc=None, + external_references=None, + granular_markings=None, + labels=None, + revoked=None, + confidence=None, + object_marking_refs=None, + language=None, + threat_types=None, + valid_from=None, + valid_until=None, + created=None, + modified=None, + extensions=None): + threat_intelligence_properties = {} + threat_intelligence_properties['kind'] = "indicator" + threat_intelligence_properties['etag'] = etag + threat_intelligence_properties['threat_intelligence_tags'] = threat_intelligence_tags + threat_intelligence_properties['last_updated_time_utc'] = last_updated_time_utc + threat_intelligence_properties['source'] = source + threat_intelligence_properties['display_name'] = display_name + threat_intelligence_properties['description'] = description + threat_intelligence_properties['indicator_types'] = indicator_types + threat_intelligence_properties['pattern'] = pattern + threat_intelligence_properties['pattern_type'] = pattern_type + 
threat_intelligence_properties['pattern_version'] = pattern_version + threat_intelligence_properties['kill_chain_phases'] = kill_chain_phases + threat_intelligence_properties['parsed_pattern'] = parsed_pattern + threat_intelligence_properties['external_id'] = external_id + threat_intelligence_properties['created_by_ref'] = created_by_ref + threat_intelligence_properties['defanged'] = defanged + threat_intelligence_properties['external_last_updated_time_utc'] = external_last_updated_time_utc + threat_intelligence_properties['external_references'] = external_references + threat_intelligence_properties['granular_markings'] = granular_markings + threat_intelligence_properties['labels'] = labels + threat_intelligence_properties['revoked'] = revoked + threat_intelligence_properties['confidence'] = confidence + threat_intelligence_properties['object_marking_refs'] = object_marking_refs + threat_intelligence_properties['language'] = language + threat_intelligence_properties['threat_types'] = threat_types + threat_intelligence_properties['valid_from'] = valid_from + threat_intelligence_properties['valid_until'] = valid_until + threat_intelligence_properties['created'] = created + threat_intelligence_properties['modified'] = modified + threat_intelligence_properties['extensions'] = extensions + return client.create(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + name=name, + threat_intelligence_properties=threat_intelligence_properties) + + +def sentinel_threat_intelligence_indicator_delete(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + name): + return client.delete(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + name=name) + + +def sentinel_threat_intelligence_indicator_append_tag(client, + resource_group_name, + 
operational_insights_resource_provider, + workspace_name, + name, + threat_intelligence_tags=None): + threat_intelligence_append_tags = {} + threat_intelligence_append_tags['threat_intelligence_tags'] = threat_intelligence_tags + return client.append_tags(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + name=name, + threat_intelligence_append_tags=threat_intelligence_append_tags) + + +def sentinel_threat_intelligence_indicator_create_indicator(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + etag=None, + threat_intelligence_tags=None, + last_updated_time_utc=None, + source=None, + display_name=None, + description=None, + indicator_types=None, + pattern=None, + pattern_type=None, + pattern_version=None, + kill_chain_phases=None, + parsed_pattern=None, + external_id=None, + created_by_ref=None, + defanged=None, + external_last_updated_time_utc=None, + external_references=None, + granular_markings=None, + labels=None, + revoked=None, + confidence=None, + object_marking_refs=None, + language=None, + threat_types=None, + valid_from=None, + valid_until=None, + created=None, + modified=None, + extensions=None): + threat_intelligence_properties = {} + threat_intelligence_properties['kind'] = "indicator" + threat_intelligence_properties['etag'] = etag + threat_intelligence_properties['threat_intelligence_tags'] = threat_intelligence_tags + threat_intelligence_properties['last_updated_time_utc'] = last_updated_time_utc + threat_intelligence_properties['source'] = source + threat_intelligence_properties['display_name'] = display_name + threat_intelligence_properties['description'] = description + threat_intelligence_properties['indicator_types'] = indicator_types + threat_intelligence_properties['pattern'] = pattern + threat_intelligence_properties['pattern_type'] = pattern_type + 
threat_intelligence_properties['pattern_version'] = pattern_version + threat_intelligence_properties['kill_chain_phases'] = kill_chain_phases + threat_intelligence_properties['parsed_pattern'] = parsed_pattern + threat_intelligence_properties['external_id'] = external_id + threat_intelligence_properties['created_by_ref'] = created_by_ref + threat_intelligence_properties['defanged'] = defanged + threat_intelligence_properties['external_last_updated_time_utc'] = external_last_updated_time_utc + threat_intelligence_properties['external_references'] = external_references + threat_intelligence_properties['granular_markings'] = granular_markings + threat_intelligence_properties['labels'] = labels + threat_intelligence_properties['revoked'] = revoked + threat_intelligence_properties['confidence'] = confidence + threat_intelligence_properties['object_marking_refs'] = object_marking_refs + threat_intelligence_properties['language'] = language + threat_intelligence_properties['threat_types'] = threat_types + threat_intelligence_properties['valid_from'] = valid_from + threat_intelligence_properties['valid_until'] = valid_until + threat_intelligence_properties['created'] = created + threat_intelligence_properties['modified'] = modified + threat_intelligence_properties['extensions'] = extensions + return client.create_indicator(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + threat_intelligence_properties=threat_intelligence_properties) + + +def sentinel_threat_intelligence_indicator_query_indicator(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + page_size=None, + min_confidence=None, + max_confidence=None, + min_valid_until=None, + max_valid_until=None, + include_disabled=None, + sort_by=None, + sources=None, + pattern_types=None, + threat_types=None, + ids=None, + keywords=None, + skip_token=None): + 
threat_intelligence_filtering_criteria = {} + threat_intelligence_filtering_criteria['page_size'] = page_size + threat_intelligence_filtering_criteria['min_confidence'] = min_confidence + threat_intelligence_filtering_criteria['max_confidence'] = max_confidence + threat_intelligence_filtering_criteria['min_valid_until'] = min_valid_until + threat_intelligence_filtering_criteria['max_valid_until'] = max_valid_until + threat_intelligence_filtering_criteria['include_disabled'] = include_disabled + threat_intelligence_filtering_criteria['sort_by'] = sort_by + threat_intelligence_filtering_criteria['sources'] = sources + threat_intelligence_filtering_criteria['pattern_types'] = pattern_types + threat_intelligence_filtering_criteria['threat_types'] = threat_types + threat_intelligence_filtering_criteria['ids'] = ids + threat_intelligence_filtering_criteria['keywords'] = keywords + threat_intelligence_filtering_criteria['skip_token'] = skip_token + return client.query_indicators(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + threat_intelligence_filtering_criteria=threat_intelligence_filtering_criteria) + + +def sentinel_threat_intelligence_indicator_replace_tag(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + name, + etag=None, + threat_intelligence_tags=None, + last_updated_time_utc=None, + source=None, + display_name=None, + description=None, + indicator_types=None, + pattern=None, + pattern_type=None, + pattern_version=None, + kill_chain_phases=None, + parsed_pattern=None, + external_id=None, + created_by_ref=None, + defanged=None, + external_last_updated_time_utc=None, + external_references=None, + granular_markings=None, + labels=None, + revoked=None, + confidence=None, + object_marking_refs=None, + language=None, + threat_types=None, + valid_from=None, + valid_until=None, + created=None, + modified=None, + 
extensions=None): + threat_intelligence_replace_tags = {} + threat_intelligence_replace_tags['kind'] = "indicator" + threat_intelligence_replace_tags['etag'] = etag + threat_intelligence_replace_tags['threat_intelligence_tags'] = threat_intelligence_tags + threat_intelligence_replace_tags['last_updated_time_utc'] = last_updated_time_utc + threat_intelligence_replace_tags['source'] = source + threat_intelligence_replace_tags['display_name'] = display_name + threat_intelligence_replace_tags['description'] = description + threat_intelligence_replace_tags['indicator_types'] = indicator_types + threat_intelligence_replace_tags['pattern'] = pattern + threat_intelligence_replace_tags['pattern_type'] = pattern_type + threat_intelligence_replace_tags['pattern_version'] = pattern_version + threat_intelligence_replace_tags['kill_chain_phases'] = kill_chain_phases + threat_intelligence_replace_tags['parsed_pattern'] = parsed_pattern + threat_intelligence_replace_tags['external_id'] = external_id + threat_intelligence_replace_tags['created_by_ref'] = created_by_ref + threat_intelligence_replace_tags['defanged'] = defanged + threat_intelligence_replace_tags['external_last_updated_time_utc'] = external_last_updated_time_utc + threat_intelligence_replace_tags['external_references'] = external_references + threat_intelligence_replace_tags['granular_markings'] = granular_markings + threat_intelligence_replace_tags['labels'] = labels + threat_intelligence_replace_tags['revoked'] = revoked + threat_intelligence_replace_tags['confidence'] = confidence + threat_intelligence_replace_tags['object_marking_refs'] = object_marking_refs + threat_intelligence_replace_tags['language'] = language + threat_intelligence_replace_tags['threat_types'] = threat_types + threat_intelligence_replace_tags['valid_from'] = valid_from + threat_intelligence_replace_tags['valid_until'] = valid_until + threat_intelligence_replace_tags['created'] = created + threat_intelligence_replace_tags['modified'] = 
modified + threat_intelligence_replace_tags['extensions'] = extensions + return client.replace_tags(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + name=name, + threat_intelligence_replace_tags=threat_intelligence_replace_tags) + + +def sentinel_threat_intelligence_indicator_list(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + filter_=None, + top=None, + skip_token=None, + orderby=None): + return client.list(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + filter=filter_, + top=top, + skip_token=skip_token, + orderby=orderby) + + +def sentinel_threat_intelligence_indicator_metric_list(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name): + return client.list(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name) + + +def sentinel_watchlist_list(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + skip_token=None): + return client.list(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + skip_token=skip_token) + + +def sentinel_watchlist_show(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias): + return client.get(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias) + + +def sentinel_watchlist_create(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + properties_content_type, + 
etag=None, + watchlist_id=None, + display_name=None, + provider=None, + source=None, + created=None, + updated=None, + description=None, + watchlist_type=None, + watchlist_properties_watchlist_alias=None, + is_deleted=None, + labels=None, + default_duration=None, + tenant_id=None, + number_of_lines_to_skip=None, + raw_content=None, + items_search_key=None, + upload_status=None, + object_id=None, + user_info_object_id=None): + watchlist = {} + watchlist['etag'] = etag + watchlist['watchlist_id'] = watchlist_id + watchlist['display_name'] = display_name + watchlist['provider'] = provider + watchlist['source'] = source + watchlist['created'] = created + watchlist['updated'] = updated + watchlist['description'] = description + watchlist['watchlist_type'] = watchlist_type + watchlist['watchlist_alias'] = watchlist_properties_watchlist_alias + watchlist['is_deleted'] = is_deleted + watchlist['labels'] = labels + watchlist['default_duration'] = default_duration + watchlist['tenant_id'] = tenant_id + watchlist['number_of_lines_to_skip'] = number_of_lines_to_skip + watchlist['raw_content'] = raw_content + watchlist['items_search_key'] = items_search_key + watchlist['content_type'] = properties_content_type + watchlist['upload_status'] = upload_status + watchlist['updated_by'] = {} + watchlist['updated_by']['object_id'] = object_id + watchlist['created_by'] = {} + watchlist['created_by']['object_id'] = user_info_object_id + return client.create_or_update(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias, + watchlist=watchlist) + + +def sentinel_watchlist_update(instance, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + properties_content_type, + etag=None, + watchlist_id=None, + display_name=None, + provider=None, + source=None, + created=None, + updated=None, + description=None, + 
watchlist_type=None, + watchlist_properties_watchlist_alias=None, + is_deleted=None, + labels=None, + default_duration=None, + tenant_id=None, + number_of_lines_to_skip=None, + raw_content=None, + items_search_key=None, + upload_status=None, + object_id=None, + user_info_object_id=None): + if etag is not None: + instance.etag = etag + if watchlist_id is not None: + instance.watchlist_id = watchlist_id + if display_name is not None: + instance.display_name = display_name + if provider is not None: + instance.provider = provider + if source is not None: + instance.source = source + if created is not None: + instance.created = created + if updated is not None: + instance.updated = updated + if description is not None: + instance.description = description + if watchlist_type is not None: + instance.watchlist_type = watchlist_type + if watchlist_properties_watchlist_alias is not None: + instance.watchlist_alias = watchlist_properties_watchlist_alias + if is_deleted is not None: + instance.is_deleted = is_deleted + if labels is not None: + instance.labels = labels + if default_duration is not None: + instance.default_duration = default_duration + if tenant_id is not None: + instance.tenant_id = tenant_id + if number_of_lines_to_skip is not None: + instance.number_of_lines_to_skip = number_of_lines_to_skip + if raw_content is not None: + instance.raw_content = raw_content + if items_search_key is not None: + instance.items_search_key = items_search_key + if properties_content_type is not None: + instance.content_type = properties_content_type + if upload_status is not None: + instance.upload_status = upload_status + if object_id is not None: + instance.updated_by.object_id = object_id + if user_info_object_id is not None: + instance.created_by.object_id = user_info_object_id + return instance + + +def sentinel_watchlist_delete(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias): + return 
client.delete(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias) + + +def sentinel_watchlist_item_list(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + skip_token=None): + return client.list(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias, + skip_token=skip_token) + + +def sentinel_watchlist_item_show(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + watchlist_item_id): + return client.get(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias, + watchlist_item_id=watchlist_item_id) + + +def sentinel_watchlist_item_create(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + watchlist_item_id, + etag=None, + watchlist_item_type=None, + watchlist_item_properties_watchlist_item_id_watchlist_item_id=None, + tenant_id=None, + is_deleted=None, + created=None, + updated=None, + items_key_value=None, + entity_mapping=None, + object_id=None, + user_info_object_id=None): + watchlist_item = {} + watchlist_item['etag'] = etag + watchlist_item['watchlist_item_type'] = watchlist_item_type + watchlist_item['watchlist_item_id'] = watchlist_item_properties_watchlist_item_id_watchlist_item_id + watchlist_item['tenant_id'] = tenant_id + watchlist_item['is_deleted'] = is_deleted + watchlist_item['created'] = created + watchlist_item['updated'] = updated + watchlist_item['items_key_value'] = items_key_value + watchlist_item['entity_mapping'] = entity_mapping + watchlist_item['updated_by'] = {} + 
watchlist_item['updated_by']['object_id'] = object_id + watchlist_item['created_by'] = {} + watchlist_item['created_by']['object_id'] = user_info_object_id + return client.create_or_update(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias, + watchlist_item_id=watchlist_item_id, + watchlist_item=watchlist_item) + + +def sentinel_watchlist_item_update(instance, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + watchlist_item_id, + etag=None, + watchlist_item_type=None, + watchlist_item_properties_watchlist_item_id_watchlist_item_id=None, + tenant_id=None, + is_deleted=None, + created=None, + updated=None, + items_key_value=None, + entity_mapping=None, + object_id=None, + user_info_object_id=None): + if etag is not None: + instance.etag = etag + if watchlist_item_type is not None: + instance.watchlist_item_type = watchlist_item_type + if watchlist_item_properties_watchlist_item_id_watchlist_item_id is not None: + instance.watchlist_item_id = watchlist_item_properties_watchlist_item_id_watchlist_item_id + if tenant_id is not None: + instance.tenant_id = tenant_id + if is_deleted is not None: + instance.is_deleted = is_deleted + if created is not None: + instance.created = created + if updated is not None: + instance.updated = updated + if items_key_value is not None: + instance.items_key_value = items_key_value + if entity_mapping is not None: + instance.entity_mapping = entity_mapping + if object_id is not None: + instance.updated_by.object_id = object_id + if user_info_object_id is not None: + instance.created_by.object_id = user_info_object_id + return instance + + +def sentinel_watchlist_item_delete(client, + resource_group_name, + operational_insights_resource_provider, + workspace_name, + watchlist_alias, + watchlist_item_id): + return 
client.delete(resource_group_name=resource_group_name, + operational_insights_resource_provider=operational_insights_resource_provider, + workspace_name=workspace_name, + watchlist_alias=watchlist_alias, + watchlist_item_id=watchlist_item_id) + + +def sentinel_alert_rule_list(client, + resource_group_name, + workspace_name): + return client.list(resource_group_name=resource_group_name, + workspace_name=workspace_name) + + +def sentinel_alert_rule_show(client, + resource_group_name, + workspace_name, + rule_id): + return client.get(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id) + + +def sentinel_alert_rule_create(client, + resource_group_name, + workspace_name, + rule_id, + fusion_alert_rule=None, + microsoft_security_incident_creation_alert_rule=None, + scheduled_alert_rule=None): + all_alert_rule = [] + if fusion_alert_rule is not None: + all_alert_rule.append(fusion_alert_rule) + if microsoft_security_incident_creation_alert_rule is not None: + all_alert_rule.append(microsoft_security_incident_creation_alert_rule) + if scheduled_alert_rule is not None: + all_alert_rule.append(scheduled_alert_rule) + if len(all_alert_rule) > 1: + raise CLIError('at most one of fusion_alert_rule, microsoft_security_incident_creation_alert_rule, ' + 'scheduled_alert_rule is needed for alert_rule!') + if len(all_alert_rule) != 1: + raise CLIError('alert_rule is required. 
but none of fusion_alert_rule, microsoft_security_incident_creation_ale' + 'rt_rule, scheduled_alert_rule is provided!') + alert_rule = all_alert_rule[0] if len(all_alert_rule) == 1 else None + return client.create_or_update(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id, + alert_rule=alert_rule) + + +def sentinel_alert_rule_update(client, + resource_group_name, + workspace_name, + rule_id, + fusion_alert_rule=None, + microsoft_security_incident_creation_alert_rule=None, + scheduled_alert_rule=None): + all_alert_rule = [] + if fusion_alert_rule is not None: + all_alert_rule.append(fusion_alert_rule) + if microsoft_security_incident_creation_alert_rule is not None: + all_alert_rule.append(microsoft_security_incident_creation_alert_rule) + if scheduled_alert_rule is not None: + all_alert_rule.append(scheduled_alert_rule) + if len(all_alert_rule) > 1: + raise CLIError('at most one of fusion_alert_rule, microsoft_security_incident_creation_alert_rule, ' + 'scheduled_alert_rule is needed for alert_rule!') + if len(all_alert_rule) != 1: + raise CLIError('alert_rule is required. 
but none of fusion_alert_rule, microsoft_security_incident_creation_ale' + 'rt_rule, scheduled_alert_rule is provided!') + alert_rule = all_alert_rule[0] if len(all_alert_rule) == 1 else None + return client.create_or_update(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id, + alert_rule=alert_rule) + + +def sentinel_alert_rule_delete(client, + resource_group_name, + workspace_name, + rule_id): + return client.delete(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id) + + +def sentinel_action_list(client, + resource_group_name, + workspace_name, + rule_id): + return client.list_by_alert_rule(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id) + + +def sentinel_action_show(client, + resource_group_name, + workspace_name, + rule_id, + action_id): + return client.get(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id, + action_id=action_id) + + +def sentinel_action_create(client, + resource_group_name, + workspace_name, + rule_id, + action_id, + etag=None, + logic_app_resource_id=None, + trigger_uri=None): + action = {} + action['etag'] = etag + action['logic_app_resource_id'] = logic_app_resource_id + action['trigger_uri'] = trigger_uri + return client.create_or_update(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id, + action_id=action_id, + action=action) + + +def sentinel_action_update(client, + resource_group_name, + workspace_name, + rule_id, + action_id, + etag=None, + logic_app_resource_id=None, + trigger_uri=None): + action = {} + action['etag'] = etag + action['logic_app_resource_id'] = logic_app_resource_id + action['trigger_uri'] = trigger_uri + return client.create_or_update(resource_group_name=resource_group_name, + workspace_name=workspace_name, + rule_id=rule_id, + action_id=action_id, + action=action) + + +def sentinel_action_delete(client, + 
resource_group_name,
+ workspace_name,
+ rule_id,
+ action_id):
+ return client.delete(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ rule_id=rule_id,
+ action_id=action_id)
+
+
+def sentinel_alert_rule_template_list(client,
+ resource_group_name,
+ workspace_name):
+ return client.list(resource_group_name=resource_group_name,
+ workspace_name=workspace_name)
+
+
+def sentinel_alert_rule_template_show(client,
+ resource_group_name,
+ workspace_name,
+ alert_rule_template_id):
+ return client.get(resource_group_name=resource_group_name,
+ workspace_name=workspace_name,
+ alert_rule_template_id=alert_rule_template_id)
diff --git a/src/securityinsight/azext_sentinel/tests/__init__.py b/src/securityinsight/azext_sentinel/tests/__init__.py
index 50e0627daff..70488e93851 100644
--- a/src/securityinsight/azext_sentinel/tests/__init__.py
+++ b/src/securityinsight/azext_sentinel/tests/__init__.py
@@ -31,8 +31,8 @@ def try_manual(func):
 def import_manual_function(origin_func):
 from importlib import import_module
- decorated_path = inspect.getfile(origin_func)
- module_path = __path__[0]
+ decorated_path = inspect.getfile(origin_func).lower()
+ module_path = __path__[0].lower()
 if not decorated_path.startswith(module_path):
 raise Exception("Decorator can only be used in submodules!")
 manual_path = os.path.join(
@@ -46,7 +46,6 @@ def import_manual_function(origin_func):
 def get_func_to_call():
 func_to_call = func
 try:
- func_to_call = import_manual_function(func)
 func_to_call = import_manual_function(func)
 logger.info("Found manual override for %s(...)", func.__name__)
 except (ImportError, AttributeError):
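Review bot: The `startswith` guard in `import_manual_function` is still a string-prefix test rather than a directory-containment test, and lower-casing both sides with `.lower()` makes it more permissive than the filesystem on case-sensitive platforms: a sibling package whose path merely begins with `module_path` passes, while a differently-cased path on Linux is accepted here but may not resolve when imported. Prefer `os.path.normcase`, which folds case only where the OS does, and compare on path components: `decorated_path = os.path.normcase(inspect.getfile(origin_func))`, `module_path = os.path.normcase(__path__[0])`, `if os.path.commonpath([decorated_path, module_path]) != module_path:` (`commonpath` raises `ValueError` for paths on different drives, which would need to map onto the same rejection). If the lowered `decorated_path` also feeds the `manual_path` computed on the lines below the hunk, the resulting import can silently fall into the `ImportError` branch and the manual override be skipped on Linux/macOS; worth confirming. `import_manual_function` continues past the hunk.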
@@ -66,6 +65,9 @@ def wrapper(*args, **kwargs):
 ret = func_to_call(*args, **kwargs)
 except (AssertionError, AzureError, CliTestError, CliExecutionError, SystemExit,
 JMESPathCheckAssertionError) as e:
+ use_exception_cache = os.getenv("TEST_EXCEPTION_CACHE")
+ if use_exception_cache is None or use_exception_cache.lower() != "true":
+ raise
 test_map[func.__name__]["end_dt"] = dt.datetime.utcnow()
 test_map[func.__name__]["result"] = FAILED
 test_map[func.__name__]["error_message"] = str(e).replace("\r\n", " ").replace("\n", " ")[:500]
diff --git a/src/securityinsight/azext_sentinel/tests/latest/example_steps.py b/src/securityinsight/azext_sentinel/tests/latest/example_steps.py
new file mode 100644
index 00000000000..040caafdc3d
--- /dev/null
+++ b/src/securityinsight/azext_sentinel/tests/latest/example_steps.py
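Review bot: The new early `raise` runs before the bookkeeping below it, so unless `TEST_EXCEPTION_CACHE=true` a failing step never gets its `end_dt`, `FAILED` result or `error_message` written into `test_map`; if that map feeds the coverage report elsewhere in the package, failed steps will be missing from it rather than marked as failed. The accepted value is also undocumented: only the literal `true` (case-insensitive) is honoured, so `1` or `yes` silently fall through to the re-raise. Either move the three `test_map[...]` assignments above the check so the failure is recorded before it propagates, or document the intent at the `os.getenv` line with `# Re-raise immediately unless TEST_EXCEPTION_CACHE=true, in which case the failure is recorded and the test continues`. `wrapper` starts and ends outside the hunk.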
@@ -0,0 +1,687 @@ +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for +# license information. +# +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is +# regenerated. +# -------------------------------------------------------------------------- + + +from .. import try_manual + + +# EXAMPLE: /Actions/put/Creates or updates an action of alert rule. +@try_manual +def step_action_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel action create ' + '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" ' + '--logic-app-resource-id "/subscriptions/{subscription_id}/resourceGroups/{rg}/providers/Microsoft.Logic/w' + 'orkflows/MyAlerts" ' + '--trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d4' + '8d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signatur' + 'e" ' + '--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Actions/get/Get all actions of alert rule. +@try_manual +def step_action_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel action list ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Actions/get/Get an action of alert rule. 
+@try_manual +def step_action_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel action show ' + '--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Actions/delete/Delete an action of alert rule. +@try_manual +def step_action_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel action delete -y ' + '--action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/put/Creates or updates a Fusion alert rule. +@try_manual +def step_alert_rule_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule create ' + '--fusion-alert-rule etag="3d00c3ca-0000-0100-0000-5d42d5010000" alert-rule-template-name="f71aba3d-28fb-4' + '50b-b192-4e76a83015c8" enabled=true ' + '--resource-group "{rg}" ' + '--rule-id "myFirstFusionRule" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/put/Creates or updates a MicrosoftSecurityIncidentCreation rule. +@try_manual +def step_alert_rule_create2(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule create ' + '--microsoft-security-incident-creation-alert-rule etag="\\"260097e0-0000-0d00-0000-5d6fa88f0000\\"" ' + 'product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true ' + '--resource-group "{rg}" ' + '--rule-id "microsoftSecurityIncidentCreationRuleExample" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/put/Creates or updates a Scheduled alert rule. 
+@try_manual +def step_alert_rule_create3(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule create ' + '--scheduled-alert-rule etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" query="ProtectionStatus | ' + 'extend HostCustomEntity query-frequency="PT1H" query-period="P2DT1H30M" severity="High" ' + 'trigger-operator="GreaterThan" trigger-threshold=0 description="" display-name="Rule2" enabled=true ' + 'suppression-duration="PT1H" suppression-enabled=false tactics="Persistence" tactics="LateralMovement" ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/get/Get a Fusion alert rule. +@try_manual +def step_alert_rule_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule show ' + '--resource-group "{rg}" ' + '--rule-id "myFirstFusionRule" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/get/Get a MicrosoftSecurityIncidentCreation rule. +@try_manual +def step_alert_rule_show2(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule show ' + '--resource-group "{rg}" ' + '--rule-id "microsoftSecurityIncidentCreationRuleExample" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/get/Get a Scheduled alert rule. +@try_manual +def step_alert_rule_show3(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule show ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/get/Get all alert rules. 
+@try_manual +def step_alert_rule_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule list ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRules/delete/Delete an alert rule. +@try_manual +def step_alert_rule_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule delete -y ' + '--resource-group "{rg}" ' + '--rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRuleTemplates/get/Get alert rule template by Id. +@try_manual +def step_alert_rule_template_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule-template show ' + '--alert-rule-template-id "65360bb0-8986-4ade-a89d-af3cf44d28aa" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /AlertRuleTemplates/get/Get all alert rule templates. +@try_manual +def step_alert_rule_template_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel alert-rule-template list ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentComments/put/Creates or updates an incident comment. +@try_manual +def step_incident_comment_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-comment create ' + '--message "Some message" ' + '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentComments/get/Get all incident comments. 
+@try_manual +def step_incident_comment_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-comment list ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentComments/get/Get an incident comment. +@try_manual +def step_incident_comment_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-comment show ' + '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentComments/delete/Delete the incident comment. +@try_manual +def step_incident_comment_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-comment delete -y ' + '--incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentRelations/put/Creates or updates an incident relation. +@try_manual +def step_incident_relation_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-relation create ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--related-resource-id "/subscriptions/{subscription_id}/resourceGroups/{rg}/providers/Microsoft.Operation' + 'alInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-' + 'd2df8c535096" ' + '--relation-name "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentRelations/get/Get all incident relations. 
+@try_manual +def step_incident_relation_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-relation list ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentRelations/get/Get an incident relation. +@try_manual +def step_incident_relation_show_relation(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-relation show-relation ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--relation-name "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /IncidentRelations/delete/Delete the incident relation. +@try_manual +def step_incident_relation_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident-relation delete -y ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--relation-name "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/put/Creates or updates an incident. 
+@try_manual +def step_incident_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident create ' + '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" ' + '--description "This is a demo incident" ' + '--classification "FalsePositive" ' + '--classification-comment "Not a malicious activity" ' + '--classification-reason "IncorrectAlertLogic" ' + '--first-activity-time-utc "2019-01-01T13:00:30Z" ' + '--last-activity-time-utc "2019-01-01T13:05:30Z" ' + '--owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" ' + '--severity "High" ' + '--status "Closed" ' + '--title "My incident" ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/get/Get all incidents. +@try_manual +def step_incident_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident list ' + '--orderby "properties/createdTimeUtc desc" ' + '--top 1 ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/get/Get an incident. +@try_manual +def step_incident_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident show ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/post/Get all incident alerts. +@try_manual +def step_incident_list_of_alert(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident list-of-alert ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/post/Get all incident bookmarks. 
+@try_manual +def step_incident_list_of_bookmark(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident list-of-bookmark ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/post/Gets all incident related entities +@try_manual +def step_incident_list_of_entity(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident list-of-entity ' + '--incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Incidents/delete/Delete an incident. +@try_manual +def step_incident_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel incident delete -y ' + '--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicator/put/Update a threat Intelligence indicator +@try_manual +def step_threat_intelligence_indicator_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator create ' + '--name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" ' + '--description "debugging indicators" ' + '--confidence 78 ' + '--created-by-ref "contoso@contoso.com" ' + '--display-name "new schema" ' + '--external-references "[]" ' + '--modified "" ' + '--pattern "[url:value = \'https://www.contoso.com\']" ' + '--pattern-type "url" ' + '--revoked false ' + '--source "Azure Sentinel" ' + '--threat-intelligence-tags "new schema" ' + '--threat-types "compromised" ' + '--valid-from "2020-04-15T17:44:00.114052Z" ' + '--valid-until "" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: 
/ThreatIntelligenceIndicator/get/View a threat intelligence indicator by name +@try_manual +def step_threat_intelligence_indicator_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator show ' + '--name "e16ef847-962e-d7b6-9c8b-a33e4bd30e47" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicator/post/Append tags to a threat intelligence indicator +@try_manual +def step_threat_intelligence_indicator_append_tag(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator append-tag ' + '--name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" ' + '--threat-intelligence-tags "tag1" "tag2" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicator/post/Create a new Threat Intelligence +@try_manual +def step_threat_intelligence_indicator(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator create-indicator ' + '--description "debugging indicators" ' + '--confidence 78 ' + '--created-by-ref "contoso@contoso.com" ' + '--display-name "new schema" ' + '--external-references "[]" ' + '--modified "" ' + '--pattern "[url:value = \'https://www.contoso.com\']" ' + '--pattern-type "url" ' + '--revoked false ' + '--source "Azure Sentinel" ' + '--threat-intelligence-tags "new schema" ' + '--threat-types "compromised" ' + '--valid-from "2020-04-15T17:44:00.114052Z" ' + '--valid-until "" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicator/post/Query threat intelligence 
indicators as per filtering criteria +@try_manual +def step_threat_intelligence_indicator_query_indicator(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator query-indicator ' + '--max-confidence 80 ' + '--max-valid-until "2020-04-25T17:44:00.114052Z" ' + '--min-confidence 25 ' + '--min-valid-until "2020-04-05T17:44:00.114052Z" ' + '--page-size 100 ' + '--sort-by item-key="lastUpdatedTimeUtc" sort-order="descending" ' + '--sources "Azure Sentinel" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicator/post/Replace tags to a Threat Intelligence +@try_manual +def step_threat_intelligence_indicator_replace_tag(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator replace-tag ' + '--name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" ' + '--etag "\\"0000262c-0000-0800-0000-5e9767060000\\"" ' + '--threat-intelligence-tags "patching tags" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicator/delete/Delete a threat intelligence indicator +@try_manual +def step_threat_intelligence_indicator_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator delete -y ' + '--name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicatorMetrics/get/Get threat intelligence indicators metrics. 
+@try_manual +def step_threat_intelligence_indicator_metric_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator-metric list ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /ThreatIntelligenceIndicators/get/Get all threat intelligence indicators +@try_manual +def step_threat_intelligence_indicator_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel threat-intelligence-indicator list ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /WatchlistItems/put/Create or update a watchlist item. +@try_manual +def step_watchlist_item_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist-item create ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--watchlist-alias "highValueAsset" ' + '--etag "0300bf09-0000-0000-0000-5c37296e0000" ' + '--items-key-value "{{\\"Business tier\\":\\"10.0.2.0/24\\",\\"Data tier\\":\\"10.0.2.0/24\\",\\"Gateway ' + 'subnet\\":\\"10.0.255.224/27\\",\\"Private DMZ in\\":\\"10.0.0.0/27\\",\\"Public DMZ ' + 'out\\":\\"10.0.0.96/27\\",\\"Web Tier\\":\\"10.0.1.0/24\\"}}" ' + '--watchlist-item-id "82ba292c-dc97-4dfc-969d-d4dd9e666842" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /WatchlistItems/get/Get a watchlist item. 
+@try_manual +def step_watchlist_item_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist-item show ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--watchlist-alias "highValueAsset" ' + '--watchlist-item-id "3f8901fe-63d9-4875-9ad5-9fb3b8105797" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /WatchlistItems/get/Get all watchlist Items. +@try_manual +def step_watchlist_item_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist-item list ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--watchlist-alias "highValueAsset" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /WatchlistItems/delete/Delete a watchlist item. +@try_manual +def step_watchlist_item_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist-item delete -y ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--watchlist-alias "highValueAsset" ' + '--watchlist-item-id "4008512e-1d30-48b2-9ee2-d3612ed9d3ea" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Watchlists/put/Create or update a watchlist and bulk creates watchlist items. 
+@try_manual +def step_watchlist_create(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist create ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" ' + '--description "Watchlist from CSV content" ' + '--properties-content-type "text/csv" ' + '--display-name "High Value Assets Watchlist" ' + '--items-search-key "header1" ' + '--number-of-lines-to-skip 1 ' + '--provider "Microsoft" ' + '--raw-content "This line will be skipped\\nheader1,header2\\nvalue1,value2" ' + '--source "Local file" ' + '--watchlist-alias "highValueAsset" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Watchlists/put/Create or update a watchlist. +@try_manual +def step_watchlist_create2(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist create ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" ' + '--description "Watchlist from CSV content" ' + '--display-name "High Value Assets Watchlist" ' + '--items-search-key "header1" ' + '--provider "Microsoft" ' + '--source "Local file" ' + '--watchlist-alias "highValueAsset" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Watchlists/get/Get a watchlist. +@try_manual +def step_watchlist_show(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist show ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--watchlist-alias "highValueAsset" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Watchlists/get/Get all watchlists. 
+@try_manual +def step_watchlist_list(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist list ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--workspace-name "myWorkspace"', + checks=checks) + + +# EXAMPLE: /Watchlists/delete/Delete a watchlist. +@try_manual +def step_watchlist_delete(test, rg, checks=None): + if checks is None: + checks = [] + test.cmd('az sentinel watchlist delete -y ' + '--operational-insights-resource-provider "Microsoft.OperationalInsights" ' + '--resource-group "{rg}" ' + '--watchlist-alias "highValueAsset" ' + '--workspace-name "myWorkspace"', + checks=checks) + diff --git a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py index 24904409004..2b03a6874ac 100644 --- a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py +++ b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario.py 
@@ -10,11 +10,64 @@ import os from azure.cli.testsdk import ScenarioTest -from .. import try_manual, raise_if, calc_coverage from azure.cli.testsdk import ResourceGroupPreparer from azure_devtools.scenario_tests import AllowLargeResponse +from .example_steps import step_action_create +from .example_steps import step_action_list +from .example_steps import step_action_show +from .example_steps import step_action_delete +from .example_steps import step_alert_rule_create +from .example_steps import step_alert_rule_create2 +from .example_steps import step_alert_rule_create3 +from .example_steps import step_alert_rule_show +from .example_steps import step_alert_rule_show2 +from .example_steps import step_alert_rule_show3 +from .example_steps import step_alert_rule_list +from .example_steps import step_alert_rule_delete +from .example_steps import step_alert_rule_template_show +from .example_steps import step_alert_rule_template_list +from .example_steps import step_incident_comment_create +from .example_steps import step_incident_comment_list +from .example_steps import step_incident_comment_show +from .example_steps import step_incident_comment_delete +from .example_steps import step_incident_relation_create +from .example_steps import step_incident_relation_list +from .example_steps import step_incident_relation_show_relation +from .example_steps import step_incident_relation_delete +from .example_steps import step_incident_create +from .example_steps import step_incident_list +from .example_steps import step_incident_show +from .example_steps import step_incident_list_of_alert +from .example_steps import step_incident_list_of_bookmark +from .example_steps import step_incident_list_of_entity +from .example_steps import step_incident_delete +from .example_steps import step_threat_intelligence_indicator_create +from .example_steps import step_threat_intelligence_indicator_show +from .example_steps import step_threat_intelligence_indicator_append_tag +from .example_steps 
import step_threat_intelligence_indicator +from .example_steps import step_threat_intelligence_indicator_query_indicator +from .example_steps import step_threat_intelligence_indicator_replace_tag +from .example_steps import step_threat_intelligence_indicator_delete +from .example_steps import step_threat_intelligence_indicator_metric_list +from .example_steps import step_threat_intelligence_indicator_list +from .example_steps import step_watchlist_item_create +from .example_steps import step_watchlist_item_show +from .example_steps import step_watchlist_item_list +from .example_steps import step_watchlist_item_delete +from .example_steps import step_watchlist_create +from .example_steps import step_watchlist_create2 +from .example_steps import step_watchlist_show +from .example_steps import step_watchlist_list +from .example_steps import step_watchlist_delete +from .. import ( + try_manual, + raise_if, + calc_coverage +) + + TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), '..')) 
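Review bot: The forty-seven one-per-line `from .example_steps import step_…` statements at the top of the hunk repeat the same import, while the `from .. import (` … `)` block the hunk adds a few lines later already uses the parenthesized multi-name form; the step imports would read more consistently as a single `from .example_steps import (` list with one name per line, closed by `)`. This is a point of style only — the set of imported names and the module they come from are unchanged. Since the file appears to be autorest.az output (the `@try_manual` scaffolding, the "CodeGen" commit), the change presumably belongs in the generator template or a manual override rather than a hand edit.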
@@ -253,3 +306,87 @@ def test_sentinel(self, rg): calc_coverage(__file__) raise_if() +# Env setup_scenario +@try_manual +def setup_scenario(test, rg): + pass + + +# Env cleanup_scenario +@try_manual +def cleanup_scenario(test, rg): + pass + + +# Testcase: Scenario +@try_manual +def call_scenario(test, rg): + setup_scenario(test, rg) + step_action_create(test, rg, checks=[]) + step_action_list(test, rg, checks=[]) + step_action_show(test, rg, checks=[]) + step_action_delete(test, rg, checks=[]) + step_alert_rule_create(test, rg, checks=[]) + step_alert_rule_create2(test, rg, checks=[]) + step_alert_rule_create3(test, rg, checks=[]) + step_alert_rule_show(test, rg, checks=[]) + step_alert_rule_show2(test, rg, checks=[]) + step_alert_rule_show3(test, rg, checks=[]) + step_alert_rule_list(test, rg, checks=[]) + step_alert_rule_delete(test, rg, checks=[]) + step_alert_rule_template_show(test, rg, checks=[]) + step_alert_rule_template_list(test, rg, checks=[]) + step_incident_comment_create(test, rg, checks=[]) + step_incident_comment_list(test, rg, checks=[]) + step_incident_comment_show(test, rg, checks=[]) + step_incident_comment_delete(test, rg, checks=[]) + step_incident_relation_create(test, rg, checks=[]) + step_incident_relation_list(test, rg, checks=[]) + step_incident_relation_show_relation(test, rg, checks=[]) + step_incident_relation_delete(test, rg, checks=[]) + step_incident_create(test, rg, checks=[]) + step_incident_list(test, rg, checks=[]) + step_incident_show(test, rg, checks=[]) + step_incident_list_of_alert(test, rg, checks=[]) + step_incident_list_of_bookmark(test, rg, checks=[]) + step_incident_list_of_entity(test, rg, checks=[]) + step_incident_delete(test, rg, checks=[]) + step_threat_intelligence_indicator_create(test, rg, checks=[]) + step_threat_intelligence_indicator_show(test, rg, checks=[]) + step_threat_intelligence_indicator_append_tag(test, rg, checks=[]) + step_threat_intelligence_indicator(test, rg, checks=[]) + 
step_threat_intelligence_indicator_query_indicator(test, rg, checks=[]) + step_threat_intelligence_indicator_replace_tag(test, rg, checks=[]) + step_threat_intelligence_indicator_delete(test, rg, checks=[]) + step_threat_intelligence_indicator_metric_list(test, rg, checks=[]) + step_threat_intelligence_indicator_list(test, rg, checks=[]) + step_watchlist_item_create(test, rg, checks=[]) + step_watchlist_item_show(test, rg, checks=[]) + step_watchlist_item_list(test, rg, checks=[]) + step_watchlist_item_delete(test, rg, checks=[]) + step_watchlist_create(test, rg, checks=[]) + step_watchlist_create2(test, rg, checks=[]) + step_watchlist_show(test, rg, checks=[]) + step_watchlist_list(test, rg, checks=[]) + step_watchlist_delete(test, rg, checks=[]) + cleanup_scenario(test, rg) + + +# Test class for Scenario +@try_manual +class SentinelScenarioTest(ScenarioTest): + + def __init__(self, *args, **kwargs): + super(SentinelScenarioTest, self).__init__(*args, **kwargs) + self.kwargs.update({ + 'subscription_id': self.get_subscription_id() + }) + + + + @ResourceGroupPreparer(name_prefix='clitestsentinel_myRg'[:7], key='rg', parameter_name='rg') + def test_sentinel_Scenario(self, rg): + call_scenario(self, rg) + calc_coverage(__file__) + raise_if() + diff --git a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md b/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md deleted file mode 100644 index cb712843009..00000000000 --- a/src/securityinsight/azext_sentinel/tests/latest/test_sentinel_scenario_coverage.md +++ /dev/null @@ -1,2 +0,0 @@ -|Scenario|Result|ErrorMessage|ErrorStack|ErrorNormalized|StartDt|EndDt| -Coverage: 0/0 diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py index e24ce7ef4eb..2493feec842 100644 
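Review bot: The step order in `call_scenario` does not follow the resources the steps depend on: the `step_incident_comment_*` calls target incident `73e01a99-5cd7-4139-a149-9f2736ff2ab5`, but `step_incident_create`, which creates that incident, runs several lines later, and the `step_watchlist_item_*` calls run before `step_watchlist_create` creates the `highValueAsset` watchlist they belong to (the watchlist-item `show` and `delete` steps also use item ids that differ from the one `step_watchlist_item_create` creates). With `setup_scenario` reduced to `pass`, nothing creates the `myWorkspace` workspace every step names either, so the scenario presumably only passes against recordings and a live run would fail before reaching the new commands. Moving `step_incident_create(test, rg, checks=[])` ahead of the incident-comment steps and `step_watchlist_create(test, rg, checks=[])` ahead of the watchlist-item steps fixes the ordering; workspace creation belongs in `setup_scenario`, or a comment there should state that the scenario is replay-only. Separately, every call passes `checks=[]`, so each step only verifies that the CLI command does not fail — a `JMESPathCheck` on at least the create and show steps would make the test assert something about the responses.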
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_configuration.py @@ -47,7 +47,7 @@ def __init__( self.credential = credential self.subscription_id = subscription_id - self.api_version = "2020-01-01" + self.api_version = "2021-10-01" self.credential_scopes = kwargs.pop('credential_scopes', ['https://management.azure.com/.default']) kwargs.setdefault('sdk_moniker', 'securityinsights/{}'.format(VERSION)) self._configure(**kwargs) diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py index 3f1b4e49c01..c9bb491d104 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/_security_insights.py 
@@ -18,36 +18,48 @@ from azure.core.credentials import TokenCredential from ._configuration import SecurityInsightsConfiguration -from .operations import OperationOperations -from .operations import AlertRuleOperations -from .operations import ActionOperations -from .operations import AlertRuleTemplateOperations -from .operations import BookmarkOperations -from .operations import DataConnectorOperations -from .operations import IncidentOperations -from .operations import IncidentCommentOperations +from .operations import IncidentsOperations +from .operations import IncidentCommentsOperations +from .operations import IncidentRelationsOperations +from .operations import ThreatIntelligenceIndicatorOperations +from .operations import ThreatIntelligenceIndicatorsOperations +from .operations import ThreatIntelligenceIndicatorMetricsOperations +from .operations import WatchlistsOperations +from .operations import WatchlistItemsOperations +from .operations import Operations +from .operations import AlertRulesOperations +from .operations import ActionsOperations +from .operations import AlertRuleTemplatesOperations from . import models class SecurityInsights(object): """API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider. 
- :ivar operation: OperationOperations operations - :vartype operation: security_insights.operations.OperationOperations - :ivar alert_rule: AlertRuleOperations operations - :vartype alert_rule: security_insights.operations.AlertRuleOperations - :ivar action: ActionOperations operations - :vartype action: security_insights.operations.ActionOperations - :ivar alert_rule_template: AlertRuleTemplateOperations operations - :vartype alert_rule_template: security_insights.operations.AlertRuleTemplateOperations - :ivar bookmark: BookmarkOperations operations - :vartype bookmark: security_insights.operations.BookmarkOperations - :ivar data_connector: DataConnectorOperations operations - :vartype data_connector: security_insights.operations.DataConnectorOperations - :ivar incident: IncidentOperations operations - :vartype incident: security_insights.operations.IncidentOperations - :ivar incident_comment: IncidentCommentOperations operations - :vartype incident_comment: security_insights.operations.IncidentCommentOperations + :ivar incidents: IncidentsOperations operations + :vartype incidents: security_insights.operations.IncidentsOperations + :ivar incident_comments: IncidentCommentsOperations operations + :vartype incident_comments: security_insights.operations.IncidentCommentsOperations + :ivar incident_relations: IncidentRelationsOperations operations + :vartype incident_relations: security_insights.operations.IncidentRelationsOperations + :ivar threat_intelligence_indicator: ThreatIntelligenceIndicatorOperations operations + :vartype threat_intelligence_indicator: security_insights.operations.ThreatIntelligenceIndicatorOperations + :ivar threat_intelligence_indicators: ThreatIntelligenceIndicatorsOperations operations + :vartype threat_intelligence_indicators: security_insights.operations.ThreatIntelligenceIndicatorsOperations + :ivar threat_intelligence_indicator_metrics: ThreatIntelligenceIndicatorMetricsOperations operations + :vartype 
threat_intelligence_indicator_metrics: security_insights.operations.ThreatIntelligenceIndicatorMetricsOperations + :ivar watchlists: WatchlistsOperations operations + :vartype watchlists: security_insights.operations.WatchlistsOperations + :ivar watchlist_items: WatchlistItemsOperations operations + :vartype watchlist_items: security_insights.operations.WatchlistItemsOperations + :ivar operations: Operations operations + :vartype operations: security_insights.operations.Operations + :ivar alert_rules: AlertRulesOperations operations + :vartype alert_rules: security_insights.operations.AlertRulesOperations + :ivar actions: ActionsOperations operations + :vartype actions: security_insights.operations.ActionsOperations + :ivar alert_rule_templates: AlertRuleTemplatesOperations operations + :vartype alert_rule_templates: security_insights.operations.AlertRuleTemplatesOperations :param credential: Credential needed for the client to connect to Azure. :type credential: ~azure.core.credentials.TokenCredential :param subscription_id: Azure subscription ID. 
@@ -72,21 +84,29 @@ def __init__( self._serialize = Serializer(client_models) self._deserialize = Deserializer(client_models) - self.operation = OperationOperations( + self.incidents = IncidentsOperations( self._client, self._config, self._serialize, self._deserialize) - self.alert_rule = AlertRuleOperations( + self.incident_comments = IncidentCommentsOperations( self._client, self._config, self._serialize, self._deserialize) - self.action = ActionOperations( + self.incident_relations = IncidentRelationsOperations( self._client, self._config, self._serialize, self._deserialize) - self.alert_rule_template = AlertRuleTemplateOperations( + self.threat_intelligence_indicator = ThreatIntelligenceIndicatorOperations( self._client, self._config, self._serialize, self._deserialize) - self.bookmark = BookmarkOperations( + self.threat_intelligence_indicators = ThreatIntelligenceIndicatorsOperations( self._client, self._config, self._serialize, self._deserialize) - self.data_connector = DataConnectorOperations( + self.threat_intelligence_indicator_metrics = ThreatIntelligenceIndicatorMetricsOperations( self._client, self._config, self._serialize, self._deserialize) - self.incident = IncidentOperations( + self.watchlists = WatchlistsOperations( self._client, self._config, self._serialize, self._deserialize) - self.incident_comment = IncidentCommentOperations( + self.watchlist_items = WatchlistItemsOperations( + self._client, self._config, self._serialize, self._deserialize) + self.operations = Operations( + self._client, self._config, self._serialize, self._deserialize) + self.alert_rules = AlertRulesOperations( + self._client, self._config, self._serialize, self._deserialize) + self.actions = ActionsOperations( + self._client, self._config, self._serialize, self._deserialize) + self.alert_rule_templates = AlertRuleTemplatesOperations( self._client, self._config, self._serialize, self._deserialize) def close(self): 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py index 160eb378d2f..5636b7914d6 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_configuration.py @@ -44,7 +44,7 @@ def __init__( self.credential = credential self.subscription_id = subscription_id - self.api_version = "2020-01-01" + self.api_version = "2021-10-01" self.credential_scopes = kwargs.pop('credential_scopes', ['https://management.azure.com/.default']) kwargs.setdefault('sdk_moniker', 'securityinsights/{}'.format(VERSION)) self._configure(**kwargs) diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py index 7eb275a24fa..bed26ba4dcd 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/_security_insights.py 
@@ -16,36 +16,48 @@ from azure.core.credentials_async import AsyncTokenCredential from ._configuration import SecurityInsightsConfiguration -from .operations import OperationOperations -from .operations import AlertRuleOperations -from .operations import ActionOperations -from .operations import AlertRuleTemplateOperations -from .operations import BookmarkOperations -from .operations import DataConnectorOperations -from .operations import IncidentOperations -from .operations import IncidentCommentOperations +from .operations import IncidentsOperations +from .operations import IncidentCommentsOperations +from .operations import IncidentRelationsOperations +from .operations import ThreatIntelligenceIndicatorOperations +from .operations import ThreatIntelligenceIndicatorsOperations +from .operations import ThreatIntelligenceIndicatorMetricsOperations +from .operations import WatchlistsOperations +from .operations import WatchlistItemsOperations +from .operations import Operations +from .operations import AlertRulesOperations +from .operations import ActionsOperations +from .operations import AlertRuleTemplatesOperations from .. import models class SecurityInsights(object): """API spec for Microsoft.SecurityInsights (Azure Security Insights) resource provider. 
- :ivar operation: OperationOperations operations - :vartype operation: security_insights.aio.operations.OperationOperations - :ivar alert_rule: AlertRuleOperations operations - :vartype alert_rule: security_insights.aio.operations.AlertRuleOperations - :ivar action: ActionOperations operations - :vartype action: security_insights.aio.operations.ActionOperations - :ivar alert_rule_template: AlertRuleTemplateOperations operations - :vartype alert_rule_template: security_insights.aio.operations.AlertRuleTemplateOperations - :ivar bookmark: BookmarkOperations operations - :vartype bookmark: security_insights.aio.operations.BookmarkOperations - :ivar data_connector: DataConnectorOperations operations - :vartype data_connector: security_insights.aio.operations.DataConnectorOperations - :ivar incident: IncidentOperations operations - :vartype incident: security_insights.aio.operations.IncidentOperations - :ivar incident_comment: IncidentCommentOperations operations - :vartype incident_comment: security_insights.aio.operations.IncidentCommentOperations + :ivar incidents: IncidentsOperations operations + :vartype incidents: security_insights.aio.operations.IncidentsOperations + :ivar incident_comments: IncidentCommentsOperations operations + :vartype incident_comments: security_insights.aio.operations.IncidentCommentsOperations + :ivar incident_relations: IncidentRelationsOperations operations + :vartype incident_relations: security_insights.aio.operations.IncidentRelationsOperations + :ivar threat_intelligence_indicator: ThreatIntelligenceIndicatorOperations operations + :vartype threat_intelligence_indicator: security_insights.aio.operations.ThreatIntelligenceIndicatorOperations + :ivar threat_intelligence_indicators: ThreatIntelligenceIndicatorsOperations operations + :vartype threat_intelligence_indicators: security_insights.aio.operations.ThreatIntelligenceIndicatorsOperations + :ivar threat_intelligence_indicator_metrics: ThreatIntelligenceIndicatorMetricsOperations 
operations + :vartype threat_intelligence_indicator_metrics: security_insights.aio.operations.ThreatIntelligenceIndicatorMetricsOperations + :ivar watchlists: WatchlistsOperations operations + :vartype watchlists: security_insights.aio.operations.WatchlistsOperations + :ivar watchlist_items: WatchlistItemsOperations operations + :vartype watchlist_items: security_insights.aio.operations.WatchlistItemsOperations + :ivar operations: Operations operations + :vartype operations: security_insights.aio.operations.Operations + :ivar alert_rules: AlertRulesOperations operations + :vartype alert_rules: security_insights.aio.operations.AlertRulesOperations + :ivar actions: ActionsOperations operations + :vartype actions: security_insights.aio.operations.ActionsOperations + :ivar alert_rule_templates: AlertRuleTemplatesOperations operations + :vartype alert_rule_templates: security_insights.aio.operations.AlertRuleTemplatesOperations :param credential: Credential needed for the client to connect to Azure. :type credential: ~azure.core.credentials_async.AsyncTokenCredential :param subscription_id: Azure subscription ID. 
@@ -69,21 +81,29 @@ def __init__( self._serialize = Serializer(client_models) self._deserialize = Deserializer(client_models) - self.operation = OperationOperations( + self.incidents = IncidentsOperations( self._client, self._config, self._serialize, self._deserialize) - self.alert_rule = AlertRuleOperations( + self.incident_comments = IncidentCommentsOperations( self._client, self._config, self._serialize, self._deserialize) - self.action = ActionOperations( + self.incident_relations = IncidentRelationsOperations( self._client, self._config, self._serialize, self._deserialize) - self.alert_rule_template = AlertRuleTemplateOperations( + self.threat_intelligence_indicator = ThreatIntelligenceIndicatorOperations( self._client, self._config, self._serialize, self._deserialize) - self.bookmark = BookmarkOperations( + self.threat_intelligence_indicators = ThreatIntelligenceIndicatorsOperations( self._client, self._config, self._serialize, self._deserialize) - self.data_connector = DataConnectorOperations( + self.threat_intelligence_indicator_metrics = ThreatIntelligenceIndicatorMetricsOperations( self._client, self._config, self._serialize, self._deserialize) - self.incident = IncidentOperations( + self.watchlists = WatchlistsOperations( self._client, self._config, self._serialize, self._deserialize) - self.incident_comment = IncidentCommentOperations( + self.watchlist_items = WatchlistItemsOperations( + self._client, self._config, self._serialize, self._deserialize) + self.operations = Operations( + self._client, self._config, self._serialize, self._deserialize) + self.alert_rules = AlertRulesOperations( + self._client, self._config, self._serialize, self._deserialize) + self.actions = ActionsOperations( + self._client, self._config, self._serialize, self._deserialize) + self.alert_rule_templates = AlertRuleTemplatesOperations( self._client, self._config, self._serialize, self._deserialize) async def close(self) -> None: 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py index 5e67996dcd4..ac1147562ea 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/__init__.py 
@@ -6,22 +6,30 @@ # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -from ._operation_operations import OperationOperations -from ._alert_rule_operations import AlertRuleOperations -from ._action_operations import ActionOperations -from ._alert_rule_template_operations import AlertRuleTemplateOperations -from ._bookmark_operations import BookmarkOperations -from ._data_connector_operations import DataConnectorOperations -from ._incident_operations import IncidentOperations -from ._incident_comment_operations import IncidentCommentOperations +from ._incidents_operations import IncidentsOperations +from ._incident_comments_operations import IncidentCommentsOperations +from ._incident_relations_operations import IncidentRelationsOperations +from ._threat_intelligence_indicator_operations import ThreatIntelligenceIndicatorOperations +from ._threat_intelligence_indicators_operations import ThreatIntelligenceIndicatorsOperations +from ._threat_intelligence_indicator_metrics_operations import ThreatIntelligenceIndicatorMetricsOperations +from ._watchlists_operations import WatchlistsOperations +from ._watchlist_items_operations import WatchlistItemsOperations +from ._operations import Operations +from ._alert_rules_operations import AlertRulesOperations +from ._actions_operations import ActionsOperations +from ._alert_rule_templates_operations import AlertRuleTemplatesOperations __all__ = [ - 'OperationOperations', - 'AlertRuleOperations', - 'ActionOperations', - 'AlertRuleTemplateOperations', - 'BookmarkOperations', - 'DataConnectorOperations', - 'IncidentOperations', - 'IncidentCommentOperations', + 'IncidentsOperations', + 'IncidentCommentsOperations', + 'IncidentRelationsOperations', + 'ThreatIntelligenceIndicatorOperations', + 'ThreatIntelligenceIndicatorsOperations', + 'ThreatIntelligenceIndicatorMetricsOperations', + 'WatchlistsOperations', + 
'WatchlistItemsOperations', + 'Operations', + 'AlertRulesOperations', + 'ActionsOperations', + 'AlertRuleTemplatesOperations', ] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_actions_operations.py similarity index 73% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_actions_operations.py index 6cd59a2dc8c..77c1c50c975 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_bookmark_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_actions_operations.py @@ -5,8 +5,7 @@ # Code generated by Microsoft (R) AutoRest Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -import datetime -from typing import Any, AsyncIterable, Callable, Dict, Generic, List, Optional, TypeVar, Union +from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union import warnings from azure.core.async_paging import AsyncItemPaged, AsyncList @@ -20,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class BookmarkOperations: - """BookmarkOperations async operations. +class ActionsOperations: + """ActionsOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. 
@@ -42,30 +41,32 @@ def __init__(self, client, config, serializer, deserializer) -> None: self._deserialize = deserializer self._config = config - def list( + def list_by_alert_rule( self, resource_group_name: str, workspace_name: str, + rule_id: str, **kwargs - ) -> AsyncIterable["models.BookmarkList"]: - """Gets all bookmarks. + ) -> AsyncIterable["models.ActionsList"]: + """Gets all actions of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str + :param rule_id: Alert rule ID. + :type rule_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either BookmarkList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.BookmarkList] + :return: An iterator like instance of either ActionsList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.ActionsList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.BookmarkList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -75,11 +76,12 @@ def prepare_request(next_link=None): if not next_link: # Construct URL - url = self.list.metadata['url'] # type: ignore + url = self.list_by_alert_rule.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) # Construct parameters @@ -94,7 +96,7 @@ def prepare_request(next_link=None): return request async def extract_data(pipeline_response): - deserialized = self._deserialize('BookmarkList', pipeline_response) + deserialized = self._deserialize('ActionsList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -115,44 +117,47 @@ async def get_next(next_link=None): return AsyncItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks'} # type: ignore + list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore async def get( self, resource_group_name: str, workspace_name: str, - bookmark_id: str, + rule_id: str, + action_id: str, **kwargs - ) -> "models.Bookmark": - """Gets a bookmark. + ) -> "models.ActionResponse": + """Gets the action of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str + :param rule_id: Alert rule ID. + :type rule_id: str + :param action_id: Action ID. 
+ :type action_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark + :return: ActionResponse, or the result of cls(response) + :rtype: ~security_insights.models.ActionResponse :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.get.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'actionId': self._serialize.url("action_id", action_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -172,73 +177,46 @@ async def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('Bookmark', pipeline_response) + deserialized = self._deserialize('ActionResponse', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore async def create_or_update( self, resource_group_name: str, workspace_name: str, - bookmark_id: str, - etag: Optional[str] = None, - created: Optional[datetime.datetime] = None, - display_name: Optional[str] = None, - labels: Optional[List[str]] = None, - notes: Optional[str] = None, - query: Optional[str] = None, - query_result: Optional[str] = None, - updated: Optional[datetime.datetime] = None, - incident_info: Optional["models.IncidentInfo"] = None, - object_id: Optional[str] = None, + rule_id: str, + action_id: str, + action: "models.ActionRequest", **kwargs - ) -> "models.Bookmark": - """Creates or updates the bookmark. + ) -> "models.ActionResponse": + """Creates or updates the action of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param bookmark_id: Bookmark ID. 
- :type bookmark_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. - :type incident_info: ~security_insights.models.IncidentInfo - :param object_id: The object id of the user. - :type object_id: str + :param rule_id: Alert rule ID. + :type rule_id: str + :param action_id: Action ID. + :type action_id: str + :param action: The action. + :type action: ~security_insights.models.ActionRequest :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark + :return: ActionResponse, or the result of cls(response) + :rtype: ~security_insights.models.ActionResponse :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - bookmark = models.Bookmark(etag=etag, created=created, display_name=display_name, labels=labels, notes=notes, query=query, query_result=query_result, updated=updated, incident_info=incident_info, object_id_updated_by_object_id=object_id) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = 
kwargs.pop("content_type", "application/json") accept = "application/json" @@ -246,9 +224,10 @@ async def create_or_update( url = self.create_or_update.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'actionId': self._serialize.url("action_id", action_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -262,7 +241,7 @@ async def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(bookmark, 'Bookmark') + body_content = self._serialize.body(action, 'ActionRequest') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) 
@@ -273,33 +252,35 @@ async def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('Bookmark', pipeline_response) + deserialized = self._deserialize('ActionResponse', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('Bookmark', pipeline_response) + deserialized = self._deserialize('ActionResponse', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore async def delete( self, resource_group_name: str, workspace_name: str, - bookmark_id: str, + rule_id: str, + action_id: str, **kwargs ) -> None: - """Delete the bookmark. + """Delete the action of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str + :param rule_id: Alert rule ID. + :type rule_id: str + :param action_id: Action ID. + :type action_id: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None 
@@ -310,16 +291,17 @@ async def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.delete.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'actionId': self._serialize.url("action_id", action_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -342,4 +324,4 @@ async def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_templates_operations.py similarity index 95% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_templates_operations.py index 986138cb66b..ae8acdeca8e 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_template_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_templates_operations.py @@ -19,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class AlertRuleTemplateOperations: - """AlertRuleTemplateOperations async operations. +class AlertRuleTemplatesOperations: + """AlertRuleTemplatesOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -49,8 +49,7 @@ def list( ) -> AsyncIterable["models.AlertRuleTemplatesList"]: """Gets all alert rule templates. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str @@ -64,7 +63,7 @@ def list( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -77,7 +76,7 @@ def prepare_request(next_link=None): url = self.list.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), } url = self._client.format_url(url, **path_format_arguments) @@ -125,8 +124,7 @@ async def get( ) -> "models.AlertRuleTemplate": """Gets the alert rule template. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str 
@@ -142,14 +140,14 @@ async def get( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.get.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'alertRuleTemplateId': self._serialize.url("alert_rule_template_id", alert_rule_template_id, 'str'), } diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rules_operations.py similarity index 81% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rules_operations.py index 9f83b3170a9..193f828e00d 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_data_connector_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rules_operations.py 
@@ -19,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class DataConnectorOperations: - """DataConnectorOperations async operations. +class AlertRulesOperations: + """AlertRulesOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -46,25 +46,24 @@ def list( resource_group_name: str, workspace_name: str, **kwargs - ) -> AsyncIterable["models.DataConnectorList"]: - """Gets all data connectors. + ) -> AsyncIterable["models.AlertRulesList"]: + """Gets all alert rules. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either DataConnectorList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.DataConnectorList] + :return: An iterator like instance of either AlertRulesList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.AlertRulesList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnectorList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -77,7 +76,7 @@ def prepare_request(next_link=None): url = self.list.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), } url = self._client.format_url(url, **path_format_arguments) @@ -93,7 +92,7 @@ def prepare_request(next_link=None): return request async def extract_data(pipeline_response): - deserialized = self._deserialize('DataConnectorList', pipeline_response) + deserialized = self._deserialize('AlertRulesList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -114,44 +113,43 @@ async def get_next(next_link=None): return AsyncItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore async def get( self, resource_group_name: str, workspace_name: str, - data_connector_id: str, + rule_id: str, **kwargs - ) -> "models.DataConnector": - """Gets a data connector. + ) -> "models.AlertRule": + """Gets the alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str + :param rule_id: Alert rule ID. 
+ :type rule_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector + :return: AlertRule, or the result of cls(response) + :rtype: ~security_insights.models.AlertRule :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] + cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.get.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -171,44 +169,43 @@ async def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('DataConnector', pipeline_response) + deserialized = self._deserialize('AlertRule', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore async def create_or_update( self, resource_group_name: str, workspace_name: str, - data_connector_id: str, - data_connector: "models.DataConnector", + rule_id: str, + alert_rule: "models.AlertRule", **kwargs - ) -> "models.DataConnector": - """Creates or updates the data connector. + ) -> "models.AlertRule": + """Creates or updates the alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str - :param data_connector: The data connector. - :type data_connector: ~security_insights.models.DataConnector + :param rule_id: Alert rule ID. + :type rule_id: str + :param alert_rule: The alert rule. 
+ :type alert_rule: ~security_insights.models.AlertRule :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector + :return: AlertRule, or the result of cls(response) + :rtype: ~security_insights.models.AlertRule :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] + cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" @@ -216,9 +213,9 @@ async def create_or_update( url = self.create_or_update.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -232,7 +229,7 @@ async def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(data_connector, 'DataConnector') + body_content = self._serialize.body(alert_rule, 'AlertRule') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) 
@@ -243,33 +240,32 @@ async def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('DataConnector', pipeline_response) + deserialized = self._deserialize('AlertRule', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('DataConnector', pipeline_response) + deserialized = self._deserialize('AlertRule', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore async def delete( self, resource_group_name: str, workspace_name: str, - data_connector_id: str, + rule_id: str, **kwargs ) -> None: - """Delete the data connector. + """Delete the alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str + :param rule_id: Alert rule ID. + :type rule_id: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None 
@@ -280,16 +276,16 @@ async def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.delete.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -312,4 +308,4 @@ async def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comments_operations.py similarity index 77% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comments_operations.py index cc2b8403fc1..4f19d9b6239 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comment_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_comments_operations.py @@ -5,7 +5,7 @@ # Code generated by Microsoft (R) AutoRest Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar +from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union import warnings from azure.core.async_paging import AsyncItemPaged, AsyncList @@ -19,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class IncidentCommentOperations: - """IncidentCommentOperations async operations. +class IncidentCommentsOperations: + """IncidentCommentsOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. 
@@ -52,7 +52,7 @@ def list_by_incident( skip_token: Optional[str] = None, **kwargs ) -> AsyncIterable["models.IncidentCommentList"]: - """Gets all incident comments. + """Gets all comments for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. @@ -81,7 +81,7 @@ def list_by_incident( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): @@ -150,7 +150,7 @@ async def get( incident_comment_id: str, **kwargs ) -> "models.IncidentComment": - """Gets an incident comment. + """Gets a comment for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. @@ -171,7 +171,7 @@ async def get( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL @@ -215,10 +215,10 @@ async def create_comment( workspace_name: str, incident_id: str, incident_comment_id: str, - message: Optional[str] = None, + incident_comment: "models.IncidentComment", **kwargs ) -> "models.IncidentComment": - """Creates the incident comment. + """Creates or updates a comment for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -229,8 +229,8 @@ async def create_comment( :type incident_id: str :param incident_comment_id: Incident comment ID. :type incident_comment_id: str - :param message: The comment message. - :type message: str + :param incident_comment: The incident comment. + :type incident_comment: ~security_insights.models.IncidentComment :keyword callable cls: A custom type or function that will be passed the direct response :return: IncidentComment, or the result of cls(response) :rtype: ~security_insights.models.IncidentComment @@ -241,9 +241,7 @@ async def create_comment( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - incident_comment = models.IncidentComment(message=message) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" 
@@ -274,14 +272,82 @@ async def create_comment( pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response - if response.status_code not in [201]: + if response.status_code not in [200, 201]: map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('IncidentComment', pipeline_response) + if response.status_code == 200: + deserialized = self._deserialize('IncidentComment', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('IncidentComment', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized create_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore + + async def delete_comment( + self, + resource_group_name: str, + workspace_name: str, + incident_id: str, + incident_comment_id: str, + **kwargs + ) -> None: + """Deletes a comment for a given incident. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param incident_id: Incident ID. + :type incident_id: str + :param incident_comment_id: Incident comment ID. 
+ :type incident_comment_id: str
+ :keyword callable cls: A custom type or function that will be passed the direct response
+ :return: None, or the result of cls(response)
+ :rtype: None
+ :raises: ~azure.core.exceptions.HttpResponseError
+ """
+ cls = kwargs.pop('cls', None) # type: ClsType[None]
+ error_map = {
+ 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError
+ }
+ error_map.update(kwargs.pop('error_map', {}))
+ api_version = "2021-10-01"
+ accept = "application/json"
+
+ # Construct URL
+ url = self.delete_comment.metadata['url'] # type: ignore
+ path_format_arguments = {
+ 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'),
+ 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'),
+ 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1),
+ 'incidentId': self._serialize.url("incident_id", incident_id, 'str'),
+ 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'),
+ }
+ url = self._client.format_url(url, **path_format_arguments)
+
+ # Construct parameters
+ query_parameters = {} # type: Dict[str, Any]
+ query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str')
+
+ # Construct headers
+ header_parameters = {} # type: Dict[str, Any]
+ header_parameters['Accept'] = self._serialize.header("accept", accept, 'str')
+
+ request = self._client.delete(url, query_parameters, header_parameters)
+ pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs)
+ response = pipeline_response.http_response
+
+ if response.status_code not in [200, 204]:
+ map_error(status_code=response.status_code, response=response, error_map=error_map)
+ raise HttpResponseError(response=response, 
error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_relations_operations.py similarity index 74% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_relations_operations.py index 8efc09e2788..adaf53fda3f 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incident_relations_operations.py @@ -5,8 +5,7 @@ # Code generated by Microsoft (R) AutoRest Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -import datetime -from typing import Any, AsyncIterable, Callable, Dict, Generic, List, Optional, TypeVar, Union +from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union import warnings from azure.core.async_paging import AsyncItemPaged, AsyncList 
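Review bot: In create_comment the two new branches `if response.status_code == 200:` and `if response.status_code == 201:` deserialize the identical 'IncidentComment' type, so the split only obscures the fact that the status check above already narrowed the code to those two values; a single `deserialized = self._deserialize('IncidentComment', pipeline_response)` after the `not in [200, 201]` check is clearer and cannot leave `deserialized` unbound. The same duplicated-branch shape recurs in the alert rules create_or_update hunk and the incident relations create_or_update_relation hunk. create_comment's signature and body start outside this hunk. The newly added delete_comment reads correctly as written: it keeps the resourceGroupName pattern check and accepts both 200 and 204.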
@@ -20,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class IncidentOperations: - """IncidentOperations async operations. +class IncidentRelationsOperations: + """IncidentRelationsOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -46,19 +45,22 @@ def list( self, resource_group_name: str, workspace_name: str, + incident_id: str, filter: Optional[str] = None, orderby: Optional[str] = None, top: Optional[int] = None, skip_token: Optional[str] = None, **kwargs - ) -> AsyncIterable["models.IncidentList"]: - """Gets all incidents. + ) -> AsyncIterable["models.RelationList"]: + """Gets all relations for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str + :param incident_id: Incident ID. + :type incident_id: str :param filter: Filters the results, based on a Boolean condition. Optional. :type filter: str :param orderby: Sorts the results. Optional. 
@@ -70,16 +72,16 @@ def list( a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. :type skip_token: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either IncidentList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.IncidentList] + :return: An iterator like instance of either RelationList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.RelationList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.RelationList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): @@ -94,6 +96,7 @@ def prepare_request(next_link=None): 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) # Construct parameters 
@@ -116,7 +119,7 @@ def prepare_request(next_link=None): return request async def extract_data(pipeline_response): - deserialized = self._deserialize('IncidentList', pipeline_response) + deserialized = self._deserialize('RelationList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) @@ -137,16 +140,17 @@ async def get_next(next_link=None): return AsyncItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations'} # type: ignore - async def get( + async def get_relation( self, resource_group_name: str, workspace_name: str, incident_id: str, + relation_name: str, **kwargs - ) -> "models.Incident": - """Gets an incident. + ) -> "models.Relation": + """Gets a relation for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -155,26 +159,29 @@ async def get( :type workspace_name: str :param incident_id: Incident ID. :type incident_id: str + :param relation_name: Relation Name. + :type relation_name: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident + :return: Relation, or the result of cls(response) + :rtype: ~security_insights.models.Relation :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Relation"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.get.metadata['url'] # type: ignore + url = self.get_relation.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'relationName': self._serialize.url("relation_name", relation_name, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -194,34 +201,24 @@ async def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('Incident', pipeline_response) + deserialized = self._deserialize('Relation', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore + get_relation.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}'} # type: ignore - async def create_or_update( + async def create_or_update_relation( self, resource_group_name: str, workspace_name: str, incident_id: str, - etag: Optional[str] = None, - classification: Optional[Union[str, "models.IncidentClassification"]] = None, - classification_comment: Optional[str] = None, - classification_reason: Optional[Union[str, "models.IncidentClassificationReason"]] = None, - description: Optional[str] = None, - first_activity_time_utc: Optional[datetime.datetime] = None, - labels: Optional[List["models.IncidentLabel"]] = None, - last_activity_time_utc: Optional[datetime.datetime] = None, - owner: Optional["models.IncidentOwnerInfo"] = None, - severity: Optional[Union[str, "models.IncidentSeverity"]] = None, - status: Optional[Union[str, "models.IncidentStatus"]] = None, - title: Optional[str] = None, + relation_name: str, + relation: "models.Relation", **kwargs - ) -> "models.Incident": - """Creates or updates the incident. + ) -> "models.Relation": + """Creates or updates a relation for a given incident. 
:param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -230,53 +227,32 @@ async def create_or_update( :type workspace_name: str :param incident_id: Incident ID. :type incident_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param classification: The reason the incident was closed. - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. - :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. - :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime - :param owner: Describes a user that the incident is assigned to. - :type owner: ~security_insights.models.IncidentOwnerInfo - :param severity: The severity of the incident. - :type severity: str or ~security_insights.models.IncidentSeverity - :param status: The status of the incident. - :type status: str or ~security_insights.models.IncidentStatus - :param title: The title of the incident. - :type title: str + :param relation_name: Relation Name. + :type relation_name: str + :param relation: The relation model. 
+ :type relation: ~security_insights.models.Relation :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident + :return: Relation, or the result of cls(response) + :rtype: ~security_insights.models.Relation :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Relation"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - incident = models.Incident(etag=etag, classification=classification, classification_comment=classification_comment, classification_reason=classification_reason, description=description, first_activity_time_utc=first_activity_time_utc, labels=labels, last_activity_time_utc=last_activity_time_utc, owner=owner, severity=severity, status=status, title=title) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore + url = self.create_or_update_relation.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'relationName': self._serialize.url("relation_name", relation_name, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -290,7 +266,7 @@ async def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(incident, 'Incident') + body_content = self._serialize.body(relation, 'Relation') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) @@ -301,25 +277,26 @@ async def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('Incident', pipeline_response) + deserialized = self._deserialize('Relation', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('Incident', pipeline_response) + deserialized = self._deserialize('Relation', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore + create_or_update_relation.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}'} # type: ignore - async def delete( + async def delete_relation( self, resource_group_name: str, workspace_name: str, incident_id: str, + relation_name: str, **kwargs ) -> None: - """Delete the incident. + """Deletes a relation for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -328,6 +305,8 @@ async def delete( :type workspace_name: str :param incident_id: Incident ID. :type incident_id: str + :param relation_name: Relation Name. + :type relation_name: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None @@ -338,16 +317,17 @@ async def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.delete.metadata['url'] # type: ignore + url = self.delete_relation.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'relationName': self._serialize.url("relation_name", relation_name, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -370,4 +350,4 @@ async def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore + delete_relation.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incidents_operations.py similarity index 73% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incidents_operations.py index 89d90bb06be..13d6e766a01 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_alert_rule_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_incidents_operations.py @@ -19,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class AlertRuleOperations: - """AlertRuleOperations async operations. +class IncidentsOperations: + """IncidentsOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. 
@@ -45,26 +45,40 @@ def list( self, resource_group_name: str, workspace_name: str, + filter: Optional[str] = None, + orderby: Optional[str] = None, + top: Optional[int] = None, + skip_token: Optional[str] = None, **kwargs - ) -> AsyncIterable["models.AlertRulesList"]: - """Gets all alert rules. + ) -> AsyncIterable["models.IncidentList"]: + """Gets all incidents. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str + :param filter: Filters the results, based on a Boolean condition. Optional. + :type filter: str + :param orderby: Sorts the results. Optional. + :type orderby: str + :param top: Returns only the first n results. Optional. + :type top: int + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
+ :type skip_token: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either AlertRulesList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.AlertRulesList] + :return: An iterator like instance of either IncidentList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.IncidentList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): @@ -84,6 +98,14 @@ def prepare_request(next_link=None): # Construct parameters query_parameters = {} # type: Dict[str, Any] query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if filter is not None: + query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') + if orderby is not None: + query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') + if top is not None: + query_parameters['$top'] = self._serialize.query("top", top, 'int') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') request = self._client.get(url, query_parameters, header_parameters) else: @@ -93,7 +115,7 @@ def prepare_request(next_link=None): return request async def extract_data(pipeline_response): - deserialized = self._deserialize('AlertRulesList', pipeline_response) + deserialized = self._deserialize('IncidentList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -114,35 +136,35 @@ async def get_next(next_link=None): return AsyncItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore async def get( self, resource_group_name: str, workspace_name: str, - rule_id: str, + incident_id: str, **kwargs - ) -> "models.AlertRule": - """Gets the alert rule. + ) -> "models.Incident": + """Gets a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule + :return: Incident, or the result of cls(response) + :rtype: ~security_insights.models.Incident :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL 
@@ -151,7 +173,7 @@ async def get( 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -171,44 +193,44 @@ async def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('AlertRule', pipeline_response) + deserialized = self._deserialize('Incident', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore async def create_or_update( self, resource_group_name: str, workspace_name: str, - rule_id: str, - alert_rule: "models.AlertRule", + incident_id: str, + incident: "models.Incident", **kwargs - ) -> "models.AlertRule": - """Creates or updates the alert rule. + ) -> "models.Incident": + """Creates or updates an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param alert_rule: The alert rule. - :type alert_rule: ~security_insights.models.AlertRule + :param incident_id: Incident ID. + :type incident_id: str + :param incident: The incident. 
+ :type incident: ~security_insights.models.Incident :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule + :return: Incident, or the result of cls(response) + :rtype: ~security_insights.models.Incident :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" @@ -218,7 +240,7 @@ async def create_or_update( 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -232,7 +254,7 @@ async def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(alert_rule, 'AlertRule') + body_content = self._serialize.body(incident, 'Incident') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) 
@@ -243,33 +265,33 @@ async def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('AlertRule', pipeline_response) + deserialized = self._deserialize('Incident', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('AlertRule', pipeline_response) + deserialized = self._deserialize('Incident', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore async def delete( self, resource_group_name: str, workspace_name: str, - rule_id: str, + incident_id: str, **kwargs ) -> None: - """Delete the alert rule. + """Deletes a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None @@ -280,7 +302,7 @@ async def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL 
@@ -289,7 +311,7 @@ async def delete( 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -312,48 +334,44 @@ async def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore - async def get_action( + async def list_of_alerts( self, resource_group_name: str, workspace_name: str, - rule_id: str, - action_id: str, + incident_id: str, **kwargs - ) -> "models.ActionResponse": - """Gets the action of alert rule. + ) -> "models.IncidentAlertList": + """Gets all alerts for an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str + :param incident_id: Incident ID. 
+ :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse + :return: IncidentAlertList, or the result of cls(response) + :rtype: ~security_insights.models.IncidentAlertList :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentAlertList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.get_action.metadata['url'] # type: ignore + url = self.list_of_alerts.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -365,7 +383,7 @@ async def get_action( header_parameters = {} # type: Dict[str, Any] header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - request = self._client.get(url, query_parameters, header_parameters) + request = self._client.post(url, query_parameters, header_parameters) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response 
@@ -373,68 +391,50 @@ async def get_action( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('ActionResponse', pipeline_response) + deserialized = self._deserialize('IncidentAlertList', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore + list_of_alerts.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts'} # type: ignore - async def create_or_update_action( + async def list_of_bookmarks( self, resource_group_name: str, workspace_name: str, - rule_id: str, - action_id: str, - etag: Optional[str] = None, - logic_app_resource_id: Optional[str] = None, - trigger_uri: Optional[str] = None, + incident_id: str, **kwargs - ) -> "models.ActionResponse": - """Creates or updates the action of alert rule. + ) -> "models.IncidentBookmarkList": + """Gets all bookmarks for an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. 
- :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. - :type trigger_uri: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse + :return: IncidentBookmarkList, or the result of cls(response) + :rtype: ~security_insights.models.IncidentBookmarkList :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentBookmarkList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - action = models.ActionRequest(etag=etag, logic_app_resource_id=logic_app_resource_id, trigger_uri=trigger_uri) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.create_or_update_action.metadata['url'] # type: ignore + url = self.list_of_bookmarks.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -444,72 +444,60 @@ async def create_or_update_action( # Construct headers header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(action, 'ActionRequest') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + request = self._client.post(url, query_parameters, header_parameters) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response - if response.status_code not in [200, 201]: + if response.status_code not in [200]: map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - if response.status_code == 200: - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('ActionResponse', pipeline_response) + deserialized = self._deserialize('IncidentBookmarkList', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore + list_of_bookmarks.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks'} # type: ignore - async def delete_action( + async def list_of_entities( self, resource_group_name: str, 
workspace_name: str, - rule_id: str, - action_id: str, + incident_id: str, **kwargs - ) -> None: - """Delete the action of alert rule. + ) -> "models.IncidentEntitiesResponse": + """Gets all entities for an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None + :return: IncidentEntitiesResponse, or the result of cls(response) + :rtype: ~security_insights.models.IncidentEntitiesResponse :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType[None] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentEntitiesResponse"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.delete_action.metadata['url'] # type: ignore + url = self.list_of_entities.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': 
self._serialize.url("action_id", action_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -521,15 +509,18 @@ async def delete_action( header_parameters = {} # type: Dict[str, Any] header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - request = self._client.delete(url, query_parameters, header_parameters) + request = self._client.post(url, query_parameters, header_parameters) pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response - if response.status_code not in [200, 204]: + if response.status_code not in [200]: map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) + deserialized = self._deserialize('IncidentEntitiesResponse', pipeline_response) + if cls: - return cls(pipeline_response, None, {}) + return cls(pipeline_response, deserialized, {}) - delete_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore + return deserialized + list_of_entities.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operations.py similarity index 97% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operations.py index d8d19921e5c..74bbde08b16 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operation_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_operations.py @@ -19,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class OperationOperations: - """OperationOperations async operations. +class Operations: + """Operations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -57,7 +57,7 @@ def list( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_metrics_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_metrics_operations.py new file mode 100644 index 00000000000..9a721e4ffe5 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_metrics_operations.py 
@@ -0,0 +1,105 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import Any, Callable, Dict, Generic, Optional, TypeVar +import warnings + +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest +from azure.mgmt.core.exceptions import ARMErrorFormat + +from ... import models + +T = TypeVar('T') +ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] + +class ThreatIntelligenceIndicatorMetricsOperations: + """ThreatIntelligenceIndicatorMetricsOperations async operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer) -> None: + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + async def list( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + **kwargs + ) -> "models.ThreatIntelligenceMetricsList": + """Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source). + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceMetricsList, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceMetricsList + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceMetricsList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.list.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': 
self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('ThreatIntelligenceMetricsList', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_operations.py new file mode 100644 index 00000000000..dfce19d2cc8 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicator_operations.py 
@@ -0,0 +1,575 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union +import warnings + +from azure.core.async_paging import AsyncItemPaged, AsyncList +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest +from azure.mgmt.core.exceptions import ARMErrorFormat + +from ... import models + +T = TypeVar('T') +ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] + +class ThreatIntelligenceIndicatorOperations: + """ThreatIntelligenceIndicatorOperations async operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer) -> None: + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + async def create_indicator( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + threat_intelligence_properties: "models.ThreatIntelligenceIndicatorModelForRequestBody", + **kwargs + ) -> "models.ThreatIntelligenceInformation": + """Create a new threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param threat_intelligence_properties: Properties of threat intelligence indicators to create + and update. 
+ :type threat_intelligence_properties: ~security_insights.models.ThreatIntelligenceIndicatorModelForRequestBody + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create_indicator.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] 
+ body_content = self._serialize.body(threat_intelligence_properties, 'ThreatIntelligenceIndicatorModelForRequestBody') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create_indicator.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator'} # type: ignore + + async def get( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + name: str, + **kwargs + ) -> "models.ThreatIntelligenceInformation": + """View a threat intelligence indicator by name. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. 
+ :type name: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.get.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + 
map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}'} # type: ignore + + async def create( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + name: str, + threat_intelligence_properties: "models.ThreatIntelligenceIndicatorModelForRequestBody", + **kwargs + ) -> "models.ThreatIntelligenceInformation": + """Update a threat Intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. + :type name: str + :param threat_intelligence_properties: Properties of threat intelligence indicators to create + and update. 
+ :type threat_intelligence_properties: ~security_insights.models.ThreatIntelligenceIndicatorModelForRequestBody + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + 
body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_properties, 'ThreatIntelligenceIndicatorModelForRequestBody') + body_content_kwargs['content'] = body_content + request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}'} # type: ignore + + async def delete( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + name: str, + **kwargs + ) -> None: + """Delete a threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. 
+ :type name: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise 
HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}'} # type: ignore + + def query_indicators( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + threat_intelligence_filtering_criteria: "models.ThreatIntelligenceFilteringCriteria", + **kwargs + ) -> AsyncIterable["models.ThreatIntelligenceInformationList"]: + """Query threat intelligence indicators as per filtering criteria. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param threat_intelligence_filtering_criteria: Filtering criteria for querying threat + intelligence indicators. 
+ :type threat_intelligence_filtering_criteria: ~security_insights.models.ThreatIntelligenceFilteringCriteria + :keyword callable cls: A custom type or function that will be passed the direct response + :return: An iterator like instance of either ThreatIntelligenceInformationList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.ThreatIntelligenceInformationList] + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformationList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = "application/json" + accept = "application/json" + + def prepare_request(next_link=None): + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + if not next_link: + # Construct URL + url = self.query_indicators.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + 
query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_filtering_criteria, 'ThreatIntelligenceFilteringCriteria') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + else: + url = next_link + query_parameters = {} # type: Dict[str, Any] + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_filtering_criteria, 'ThreatIntelligenceFilteringCriteria') + body_content_kwargs['content'] = body_content + request = self._client.get(url, query_parameters, header_parameters, **body_content_kwargs) + return request + + async def extract_data(pipeline_response): + deserialized = self._deserialize('ThreatIntelligenceInformationList', pipeline_response) + list_of_elem = deserialized.value + if cls: + list_of_elem = cls(list_of_elem) + return deserialized.next_link or None, AsyncList(list_of_elem) + + async def get_next(next_link=None): + request = prepare_request(next_link) + + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + return pipeline_response + + return AsyncItemPaged( + get_next, extract_data + ) + query_indicators.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators'} # type: ignore + + async def append_tags( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + 
name: str, + threat_intelligence_append_tags: "models.ThreatIntelligenceAppendTags", + **kwargs + ) -> None: + """Append tags to a threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. + :type name: str + :param threat_intelligence_append_tags: The threat intelligence append tags request body. + :type threat_intelligence_append_tags: ~security_insights.models.ThreatIntelligenceAppendTags + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.append_tags.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': 
self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_append_tags, 'ThreatIntelligenceAppendTags') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + append_tags.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags'} # type: ignore + + async def replace_tags( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + name: str, + threat_intelligence_replace_tags: "models.ThreatIntelligenceIndicatorModelForRequestBody", + **kwargs + ) -> "models.ThreatIntelligenceInformation": + """Replace tags added to a threat intelligence indicator. 
+ + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. + :type name: str + :param threat_intelligence_replace_tags: Tags in the threat intelligence indicator to be + replaced. + :type threat_intelligence_replace_tags: ~security_insights.models.ThreatIntelligenceIndicatorModelForRequestBody + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.replace_tags.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': 
self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_replace_tags, 'ThreatIntelligenceIndicatorModelForRequestBody') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + replace_tags.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicators_operations.py
similarity index 64%
rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py
rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicators_operations.py
index 378198b2cfb..86603d9d20e 100644
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_action_operations.py
+++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_threat_intelligence_indicators_operations.py
@@ -19,8 +19,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] -class ActionOperations: - """ActionOperations async operations. +class ThreatIntelligenceIndicatorsOperations: + """ThreatIntelligenceIndicatorsOperations async operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute.
@@ -41,33 +41,48 @@ def __init__(self, client, config, serializer, deserializer) -> None: self._deserialize = deserializer self._config = config - def list_by_alert_rule( + def list( self, resource_group_name: str, + operational_insights_resource_provider: str, workspace_name: str, - rule_id: str, + filter: Optional[str] = None, + top: Optional[int] = None, + skip_token: Optional[str] = None, + orderby: Optional[str] = None, **kwargs - ) -> AsyncIterable["models.ActionsList"]: - """Gets all actions of alert rule. + ) -> AsyncIterable["models.ThreatIntelligenceInformationList"]: + """Get all threat intelligence indicators. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str + :param filter: Filters the results, based on a Boolean condition. Optional. + :type filter: str + :param top: Returns only the first n results. Optional. + :type top: int + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. + :type skip_token: str + :param orderby: Sorts the results. Optional. 
+ :type orderby: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either ActionsList or the result of cls(response) - :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.ActionsList] + :return: An iterator like instance of either ThreatIntelligenceInformationList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.ThreatIntelligenceInformationList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformationList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -77,17 +92,25 @@ def prepare_request(next_link=None): if not next_link: # Construct URL - url = self.list_by_alert_rule.metadata['url'] # type: ignore + url = self.list.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) # Construct parameters query_parameters = {} # type: Dict[str, Any] query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if filter is not None: + query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') + if top is not None: + query_parameters['$top'] = self._serialize.query("top", top, 'int') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') + if orderby is not None: + query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') request = self._client.get(url, query_parameters, header_parameters) else: @@ -97,7 +120,7 @@ def prepare_request(next_link=None): return request async def extract_data(pipeline_response): - deserialized = self._deserialize('ActionsList', pipeline_response) + deserialized = self._deserialize('ThreatIntelligenceInformationList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -118,4 +141,4 @@ async def get_next(next_link=None): return AsyncItemPaged( get_next, extract_data ) - list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlist_items_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlist_items_operations.py new file mode 100644 index 00000000000..377a08a73b3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlist_items_operations.py 
@@ -0,0 +1,354 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union +import warnings + +from azure.core.async_paging import AsyncItemPaged, AsyncList +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest +from azure.mgmt.core.exceptions import ARMErrorFormat + +from ... import models + +T = TypeVar('T') +ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] + +class WatchlistItemsOperations: + """WatchlistItemsOperations async operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer) -> None: + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + def list( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + skip_token: Optional[str] = None, + **kwargs + ) -> AsyncIterable["models.WatchlistItemList"]: + """Get all watchlist Items. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
+ :type skip_token: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: An iterator like instance of either WatchlistItemList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.WatchlistItemList] + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistItemList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + def prepare_request(next_link=None): + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + if not next_link: + # Construct URL + url = self.list.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') + + request = self._client.get(url, 
query_parameters, header_parameters) + else: + url = next_link + query_parameters = {} # type: Dict[str, Any] + request = self._client.get(url, query_parameters, header_parameters) + return request + + async def extract_data(pipeline_response): + deserialized = self._deserialize('WatchlistItemList', pipeline_response) + list_of_elem = deserialized.value + if cls: + list_of_elem = cls(list_of_elem) + return deserialized.next_link or None, AsyncList(list_of_elem) + + async def get_next(next_link=None): + request = prepare_request(next_link) + + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + return pipeline_response + + return AsyncItemPaged( + get_next, extract_data + ) + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems'} # type: ignore + + async def get( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + watchlist_item_id: str, + **kwargs + ) -> "models.WatchlistItem": + """Get a watchlist item. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist_item_id: The watchlist item id (GUID). 
+ :type watchlist_item_id: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: WatchlistItem, or the result of cls(response) + :rtype: ~security_insights.models.WatchlistItem + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistItem"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.get.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + 'watchlistItemId': self._serialize.url("watchlist_item_id", watchlist_item_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if 
response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('WatchlistItem', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}'} # type: ignore + + async def delete( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + watchlist_item_id: str, + **kwargs + ) -> None: + """Delete a watchlist item. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist_item_id: The watchlist item id (GUID). 
+ :type watchlist_item_id: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + 'watchlistItemId': self._serialize.url("watchlist_item_id", watchlist_item_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + 
map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}'} # type: ignore + + async def create_or_update( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + watchlist_item_id: str, + watchlist_item: "models.WatchlistItem", + **kwargs + ) -> "models.WatchlistItem": + """Create or update a watchlist item. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist_item_id: The watchlist item id (GUID). + :type watchlist_item_id: str + :param watchlist_item: The watchlist item. 
+ :type watchlist_item: ~security_insights.models.WatchlistItem + :keyword callable cls: A custom type or function that will be passed the direct response + :return: WatchlistItem, or the result of cls(response) + :rtype: ~security_insights.models.WatchlistItem + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistItem"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create_or_update.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + 'watchlistItemId': self._serialize.url("watchlist_item_id", watchlist_item_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + 
body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(watchlist_item, 'WatchlistItem') + body_content_kwargs['content'] = body_content + request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('WatchlistItem', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('WatchlistItem', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlists_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlists_operations.py new file mode 100644 index 00000000000..b7d2210314a --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/aio/operations/_watchlists_operations.py 
@@ -0,0 +1,340 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import Any, AsyncIterable, Callable, Dict, Generic, Optional, TypeVar, Union +import warnings + +from azure.core.async_paging import AsyncItemPaged, AsyncList +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import AsyncHttpResponse, HttpRequest +from azure.mgmt.core.exceptions import ARMErrorFormat + +from ... import models + +T = TypeVar('T') +ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] + +class WatchlistsOperations: + """WatchlistsOperations async operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer) -> None: + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + def list( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + skip_token: Optional[str] = None, + **kwargs + ) -> AsyncIterable["models.WatchlistList"]: + """Get all watchlists, without watchlist items. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
+ :type skip_token: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: An iterator like instance of either WatchlistList or the result of cls(response) + :rtype: ~azure.core.async_paging.AsyncItemPaged[~security_insights.models.WatchlistList] + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + def prepare_request(next_link=None): + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + if not next_link: + # Construct URL + url = self.list.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + else: + url = next_link + query_parameters = {} # type: 
Dict[str, Any] + request = self._client.get(url, query_parameters, header_parameters) + return request + + async def extract_data(pipeline_response): + deserialized = self._deserialize('WatchlistList', pipeline_response) + list_of_elem = deserialized.value + if cls: + list_of_elem = cls(list_of_elem) + return deserialized.next_link or None, AsyncList(list_of_elem) + + async def get_next(next_link=None): + request = prepare_request(next_link) + + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + return pipeline_response + + return AsyncItemPaged( + get_next, extract_data + ) + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists'} # type: ignore + + async def get( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + **kwargs + ) -> "models.Watchlist": + """Get a watchlist, without its watchlist items. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. 
+ :type watchlist_alias: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: Watchlist, or the result of cls(response) + :rtype: ~security_insights.models.Watchlist + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.Watchlist"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.get.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, 
error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('Watchlist', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}'} # type: ignore + + async def delete( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + **kwargs + ) -> None: + """Delete a watchlist. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. 
+ :type watchlist_alias: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise 
HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}'} # type: ignore + + async def create_or_update( + self, + resource_group_name: str, + operational_insights_resource_provider: str, + workspace_name: str, + watchlist_alias: str, + watchlist: "models.Watchlist", + **kwargs + ) -> "models.Watchlist": + """Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv + content type). To create a Watchlist and its Items, we should call this endpoint with + rawContent and contentType properties. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist: The watchlist. 
+ :type watchlist: ~security_insights.models.Watchlist + :keyword callable cls: A custom type or function that will be passed the direct response + :return: Watchlist, or the result of cls(response) + :rtype: ~security_insights.models.Watchlist + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.Watchlist"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create_or_update.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(watchlist, 'Watchlist') 
+ body_content_kwargs['content'] = body_content + request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = await self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('Watchlist', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('Watchlist', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py index d50534763d7..590d9f58086 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/__init__.py @@ -7,10 +7,8 @@ # -------------------------------------------------------------------------- try: - from ._models_py3 import AADDataConnector - from ._models_py3 import AATPDataConnector - from ._models_py3 import ASCDataConnector - from ._models_py3 import ASCDataConnectorProperties + from ._models_py3 import AccountEntity + from ._models_py3 import AccountEntityProperties from ._models_py3 import ActionPropertiesBase from ._models_py3 import ActionRequest from ._models_py3 import ActionRequestProperties 
@@ -22,61 +20,112 @@ from ._models_py3 import AlertRuleTemplateDataSource from ._models_py3 import AlertRuleTemplatesList from ._models_py3 import AlertRulesList - from ._models_py3 import AlertsDataTypeOfDataConnector - from ._models_py3 import AwsCloudTrailDataConnector - from ._models_py3 import AwsCloudTrailDataConnectorDataTypesLogs - from ._models_py3 import Bookmark - from ._models_py3 import BookmarkList + from ._models_py3 import AzureResourceEntity + from ._models_py3 import AzureResourceEntityProperties from ._models_py3 import ClientInfo - from ._models_py3 import DataConnector - from ._models_py3 import DataConnectorDataTypeCommon - from ._models_py3 import DataConnectorList - from ._models_py3 import DataConnectorTenantId - from ._models_py3 import DataConnectorWithAlertsProperties + from ._models_py3 import CloudApplicationEntity + from ._models_py3 import CloudApplicationEntityProperties + from ._models_py3 import DnsEntity + from ._models_py3 import DnsEntityProperties + from ._models_py3 import Entity + from ._models_py3 import EntityCommonProperties + from ._models_py3 import EntityEdges + from ._models_py3 import EntityKind from ._models_py3 import ErrorAdditionalInfo from ._models_py3 import ErrorResponse + from ._models_py3 import FileEntity + from ._models_py3 import FileEntityProperties + from ._models_py3 import FileHashEntity + from ._models_py3 import FileHashEntityProperties from ._models_py3 import FusionAlertRule from ._models_py3 import FusionAlertRuleTemplate + from ._models_py3 import GeoLocation + from ._models_py3 import HostEntity + from ._models_py3 import HostEntityProperties + from ._models_py3 import HuntingBookmark + from ._models_py3 import HuntingBookmarkProperties from ._models_py3 import Incident from ._models_py3 import IncidentAdditionalData + from ._models_py3 import IncidentAlertList + from ._models_py3 import IncidentBookmarkList from ._models_py3 import IncidentComment from ._models_py3 import IncidentCommentList + 
from ._models_py3 import IncidentEntitiesResponse + from ._models_py3 import IncidentEntitiesResultsMetadata from ._models_py3 import IncidentInfo from ._models_py3 import IncidentLabel from ._models_py3 import IncidentList from ._models_py3 import IncidentOwnerInfo - from ._models_py3 import MCASDataConnector - from ._models_py3 import MCASDataConnectorDataTypes - from ._models_py3 import MDATPDataConnector + from ._models_py3 import IoTDeviceEntity + from ._models_py3 import IoTDeviceEntityProperties + from ._models_py3 import IpEntity + from ._models_py3 import IpEntityProperties + from ._models_py3 import MailClusterEntity + from ._models_py3 import MailClusterEntityProperties + from ._models_py3 import MailMessageEntity + from ._models_py3 import MailMessageEntityProperties + from ._models_py3 import MailboxEntity + from ._models_py3 import MailboxEntityProperties + from ._models_py3 import MalwareEntity + from ._models_py3 import MalwareEntityProperties from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRule from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleCommonProperties from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleProperties from ._models_py3 import MicrosoftSecurityIncidentCreationAlertRuleTemplate - from ._models_py3 import OfficeConsent - from ._models_py3 import OfficeConsentList - from ._models_py3 import OfficeDataConnector - from ._models_py3 import OfficeDataConnectorDataTypesExchange - from ._models_py3 import OfficeDataConnectorDataTypesSharePoint from ._models_py3 import Operation from ._models_py3 import OperationDisplay from ._models_py3 import OperationsList + from ._models_py3 import ProcessEntity + from ._models_py3 import ProcessEntityProperties + from ._models_py3 import RegistryKeyEntity + from ._models_py3 import RegistryKeyEntityProperties + from ._models_py3 import RegistryValueEntity + from ._models_py3 import RegistryValueEntityProperties + from ._models_py3 import Relation + from 
._models_py3 import RelationList from ._models_py3 import Resource from ._models_py3 import ResourceWithEtag from ._models_py3 import ScheduledAlertRule from ._models_py3 import ScheduledAlertRuleCommonProperties from ._models_py3 import ScheduledAlertRuleProperties from ._models_py3 import ScheduledAlertRuleTemplate - from ._models_py3 import Settings - from ._models_py3 import TIDataConnector - from ._models_py3 import TIDataConnectorDataTypesIndicators + from ._models_py3 import SecurityAlert + from ._models_py3 import SecurityAlertProperties + from ._models_py3 import SecurityAlertPropertiesConfidenceReasonsItem + from ._models_py3 import SecurityGroupEntity + from ._models_py3 import SecurityGroupEntityProperties + from ._models_py3 import SubmissionMailEntity + from ._models_py3 import SubmissionMailEntityProperties + from ._models_py3 import SystemData from ._models_py3 import ThreatIntelligence - from ._models_py3 import ToggleSettings - from ._models_py3 import UebaSettings + from ._models_py3 import ThreatIntelligenceAppendTags + from ._models_py3 import ThreatIntelligenceExternalReference + from ._models_py3 import ThreatIntelligenceFilteringCriteria + from ._models_py3 import ThreatIntelligenceGranularMarkingModel + from ._models_py3 import ThreatIntelligenceIndicatorModel + from ._models_py3 import ThreatIntelligenceIndicatorModelForRequestBody + from ._models_py3 import ThreatIntelligenceIndicatorProperties + from ._models_py3 import ThreatIntelligenceInformation + from ._models_py3 import ThreatIntelligenceInformationList + from ._models_py3 import ThreatIntelligenceKillChainPhase + from ._models_py3 import ThreatIntelligenceMetric + from ._models_py3 import ThreatIntelligenceMetricEntity + from ._models_py3 import ThreatIntelligenceMetrics + from ._models_py3 import ThreatIntelligenceMetricsList + from ._models_py3 import ThreatIntelligenceParsedPattern + from ._models_py3 import ThreatIntelligenceParsedPatternTypeValue + from ._models_py3 import 
ThreatIntelligenceResourceKind + from ._models_py3 import ThreatIntelligenceSortingCriteria + from ._models_py3 import UrlEntity + from ._models_py3 import UrlEntityProperties + from ._models_py3 import UserInfo + from ._models_py3 import Watchlist + from ._models_py3 import WatchlistItem + from ._models_py3 import WatchlistItemList + from ._models_py3 import WatchlistList except (SyntaxError, ImportError): - from ._models import AADDataConnector # type: ignore - from ._models import AATPDataConnector # type: ignore - from ._models import ASCDataConnector # type: ignore - from ._models import ASCDataConnectorProperties # type: ignore + from ._models import AccountEntity # type: ignore + from ._models import AccountEntityProperties # type: ignore from ._models import ActionPropertiesBase # type: ignore from ._models import ActionRequest # type: ignore from ._models import ActionRequestProperties # type: ignore 
@@ -88,82 +137,145 @@ from ._models import AlertRuleTemplateDataSource # type: ignore from ._models import AlertRuleTemplatesList # type: ignore from ._models import AlertRulesList # type: ignore - from ._models import AlertsDataTypeOfDataConnector # type: ignore - from ._models import AwsCloudTrailDataConnector # type: ignore - from ._models import AwsCloudTrailDataConnectorDataTypesLogs # type: ignore - from ._models import Bookmark # type: ignore - from ._models import BookmarkList # type: ignore + from ._models import AzureResourceEntity # type: ignore + from ._models import AzureResourceEntityProperties # type: ignore from ._models import ClientInfo # type: ignore - from ._models import DataConnector # type: ignore - from ._models import DataConnectorDataTypeCommon # type: ignore - from ._models import DataConnectorList # type: ignore - from ._models import DataConnectorTenantId # type: ignore - from ._models import DataConnectorWithAlertsProperties # type: ignore + from ._models import CloudApplicationEntity # type: ignore + from ._models import CloudApplicationEntityProperties # type: ignore + from ._models import DnsEntity # type: ignore + from ._models import DnsEntityProperties # type: ignore + from ._models import Entity # type: ignore + from ._models import EntityCommonProperties # type: ignore + from ._models import EntityEdges # type: ignore + from ._models import EntityKind # type: ignore from ._models import ErrorAdditionalInfo # type: ignore from ._models import ErrorResponse # type: ignore + from ._models import FileEntity # type: ignore + from ._models import FileEntityProperties # type: ignore + from ._models import FileHashEntity # type: ignore + from ._models import FileHashEntityProperties # type: ignore from ._models import FusionAlertRule # type: ignore from ._models import FusionAlertRuleTemplate # type: ignore + from ._models import GeoLocation # type: ignore + from ._models import HostEntity # type: ignore + from ._models import 
HostEntityProperties # type: ignore + from ._models import HuntingBookmark # type: ignore + from ._models import HuntingBookmarkProperties # type: ignore from ._models import Incident # type: ignore from ._models import IncidentAdditionalData # type: ignore + from ._models import IncidentAlertList # type: ignore + from ._models import IncidentBookmarkList # type: ignore from ._models import IncidentComment # type: ignore from ._models import IncidentCommentList # type: ignore + from ._models import IncidentEntitiesResponse # type: ignore + from ._models import IncidentEntitiesResultsMetadata # type: ignore from ._models import IncidentInfo # type: ignore from ._models import IncidentLabel # type: ignore from ._models import IncidentList # type: ignore from ._models import IncidentOwnerInfo # type: ignore - from ._models import MCASDataConnector # type: ignore - from ._models import MCASDataConnectorDataTypes # type: ignore - from ._models import MDATPDataConnector # type: ignore + from ._models import IoTDeviceEntity # type: ignore + from ._models import IoTDeviceEntityProperties # type: ignore + from ._models import IpEntity # type: ignore + from ._models import IpEntityProperties # type: ignore + from ._models import MailClusterEntity # type: ignore + from ._models import MailClusterEntityProperties # type: ignore + from ._models import MailMessageEntity # type: ignore + from ._models import MailMessageEntityProperties # type: ignore + from ._models import MailboxEntity # type: ignore + from ._models import MailboxEntityProperties # type: ignore + from ._models import MalwareEntity # type: ignore + from ._models import MalwareEntityProperties # type: ignore from ._models import MicrosoftSecurityIncidentCreationAlertRule # type: ignore from ._models import MicrosoftSecurityIncidentCreationAlertRuleCommonProperties # type: ignore from ._models import MicrosoftSecurityIncidentCreationAlertRuleProperties # type: ignore from ._models import 
MicrosoftSecurityIncidentCreationAlertRuleTemplate # type: ignore - from ._models import OfficeConsent # type: ignore - from ._models import OfficeConsentList # type: ignore - from ._models import OfficeDataConnector # type: ignore - from ._models import OfficeDataConnectorDataTypesExchange # type: ignore - from ._models import OfficeDataConnectorDataTypesSharePoint # type: ignore from ._models import Operation # type: ignore from ._models import OperationDisplay # type: ignore from ._models import OperationsList # type: ignore + from ._models import ProcessEntity # type: ignore + from ._models import ProcessEntityProperties # type: ignore + from ._models import RegistryKeyEntity # type: ignore + from ._models import RegistryKeyEntityProperties # type: ignore + from ._models import RegistryValueEntity # type: ignore + from ._models import RegistryValueEntityProperties # type: ignore + from ._models import Relation # type: ignore + from ._models import RelationList # type: ignore from ._models import Resource # type: ignore from ._models import ResourceWithEtag # type: ignore from ._models import ScheduledAlertRule # type: ignore from ._models import ScheduledAlertRuleCommonProperties # type: ignore from ._models import ScheduledAlertRuleProperties # type: ignore from ._models import ScheduledAlertRuleTemplate # type: ignore - from ._models import Settings # type: ignore - from ._models import TIDataConnector # type: ignore - from ._models import TIDataConnectorDataTypesIndicators # type: ignore + from ._models import SecurityAlert # type: ignore + from ._models import SecurityAlertProperties # type: ignore + from ._models import SecurityAlertPropertiesConfidenceReasonsItem # type: ignore + from ._models import SecurityGroupEntity # type: ignore + from ._models import SecurityGroupEntityProperties # type: ignore + from ._models import SubmissionMailEntity # type: ignore + from ._models import SubmissionMailEntityProperties # type: ignore + from ._models import 
SystemData # type: ignore from ._models import ThreatIntelligence # type: ignore - from ._models import ToggleSettings # type: ignore - from ._models import UebaSettings # type: ignore + from ._models import ThreatIntelligenceAppendTags # type: ignore + from ._models import ThreatIntelligenceExternalReference # type: ignore + from ._models import ThreatIntelligenceFilteringCriteria # type: ignore + from ._models import ThreatIntelligenceGranularMarkingModel # type: ignore + from ._models import ThreatIntelligenceIndicatorModel # type: ignore + from ._models import ThreatIntelligenceIndicatorModelForRequestBody # type: ignore + from ._models import ThreatIntelligenceIndicatorProperties # type: ignore + from ._models import ThreatIntelligenceInformation # type: ignore + from ._models import ThreatIntelligenceInformationList # type: ignore + from ._models import ThreatIntelligenceKillChainPhase # type: ignore + from ._models import ThreatIntelligenceMetric # type: ignore + from ._models import ThreatIntelligenceMetricEntity # type: ignore + from ._models import ThreatIntelligenceMetrics # type: ignore + from ._models import ThreatIntelligenceMetricsList # type: ignore + from ._models import ThreatIntelligenceParsedPattern # type: ignore + from ._models import ThreatIntelligenceParsedPatternTypeValue # type: ignore + from ._models import ThreatIntelligenceResourceKind # type: ignore + from ._models import ThreatIntelligenceSortingCriteria # type: ignore + from ._models import UrlEntity # type: ignore + from ._models import UrlEntityProperties # type: ignore + from ._models import UserInfo # type: ignore + from ._models import Watchlist # type: ignore + from ._models import WatchlistItem # type: ignore + from ._models import WatchlistItemList # type: ignore + from ._models import WatchlistList # type: ignore from ._security_insights_enums import ( AlertRuleKind, AlertSeverity, + AlertStatus, + AntispamMailDirection, AttackTactic, CaseSeverity, - DataConnectorKind, - 
DataTypeState, + ConfidenceLevel, + ConfidenceScoreStatus, + CreatedByType, + DeliveryAction, + DeliveryLocation, + ElevationToken, + EntityKindEnum, + FileHashAlgorithm, IncidentClassification, IncidentClassificationReason, IncidentLabelType, IncidentSeverity, IncidentStatus, - LicenseStatus, + KillChainIntent, MicrosoftSecurityProductName, - SettingKind, - StatusInMCAS, + OsFamily, + RegistryHive, + RegistryValueKind, + Source, TemplateStatus, + ThreatIntelligenceResourceInnerKind, + ThreatIntelligenceSortingOrder, TriggerOperator, ) __all__ = [ - 'AADDataConnector', - 'AATPDataConnector', - 'ASCDataConnector', - 'ASCDataConnectorProperties', + 'AccountEntity', + 'AccountEntityProperties', 'ActionPropertiesBase', 'ActionRequest', 'ActionRequestProperties', 
@@ -175,71 +287,136 @@ 'AlertRuleTemplateDataSource', 'AlertRuleTemplatesList', 'AlertRulesList', - 'AlertsDataTypeOfDataConnector', - 'AwsCloudTrailDataConnector', - 'AwsCloudTrailDataConnectorDataTypesLogs', - 'Bookmark', - 'BookmarkList', + 'AzureResourceEntity', + 'AzureResourceEntityProperties', 'ClientInfo', - 'DataConnector', - 'DataConnectorDataTypeCommon', - 'DataConnectorList', - 'DataConnectorTenantId', - 'DataConnectorWithAlertsProperties', + 'CloudApplicationEntity', + 'CloudApplicationEntityProperties', + 'DnsEntity', + 'DnsEntityProperties', + 'Entity', + 'EntityCommonProperties', + 'EntityEdges', + 'EntityKind', 'ErrorAdditionalInfo', 'ErrorResponse', + 'FileEntity', + 'FileEntityProperties', + 'FileHashEntity', + 'FileHashEntityProperties', 'FusionAlertRule', 'FusionAlertRuleTemplate', + 'GeoLocation', + 'HostEntity', + 'HostEntityProperties', + 'HuntingBookmark', + 'HuntingBookmarkProperties', 'Incident', 'IncidentAdditionalData', + 'IncidentAlertList', + 'IncidentBookmarkList', 'IncidentComment', 'IncidentCommentList', + 'IncidentEntitiesResponse', + 'IncidentEntitiesResultsMetadata', 'IncidentInfo', 'IncidentLabel', 'IncidentList', 'IncidentOwnerInfo', - 'MCASDataConnector', - 'MCASDataConnectorDataTypes', - 'MDATPDataConnector', + 'IoTDeviceEntity', + 'IoTDeviceEntityProperties', + 'IpEntity', + 'IpEntityProperties', + 'MailClusterEntity', + 'MailClusterEntityProperties', + 'MailMessageEntity', + 'MailMessageEntityProperties', + 'MailboxEntity', + 'MailboxEntityProperties', + 'MalwareEntity', + 'MalwareEntityProperties', 'MicrosoftSecurityIncidentCreationAlertRule', 'MicrosoftSecurityIncidentCreationAlertRuleCommonProperties', 'MicrosoftSecurityIncidentCreationAlertRuleProperties', 'MicrosoftSecurityIncidentCreationAlertRuleTemplate', - 'OfficeConsent', - 'OfficeConsentList', - 'OfficeDataConnector', - 'OfficeDataConnectorDataTypesExchange', - 'OfficeDataConnectorDataTypesSharePoint', 'Operation', 'OperationDisplay', 'OperationsList', + 
'ProcessEntity', + 'ProcessEntityProperties', + 'RegistryKeyEntity', + 'RegistryKeyEntityProperties', + 'RegistryValueEntity', + 'RegistryValueEntityProperties', + 'Relation', + 'RelationList', 'Resource', 'ResourceWithEtag', 'ScheduledAlertRule', 'ScheduledAlertRuleCommonProperties', 'ScheduledAlertRuleProperties', 'ScheduledAlertRuleTemplate', - 'Settings', - 'TIDataConnector', - 'TIDataConnectorDataTypesIndicators', + 'SecurityAlert', + 'SecurityAlertProperties', + 'SecurityAlertPropertiesConfidenceReasonsItem', + 'SecurityGroupEntity', + 'SecurityGroupEntityProperties', + 'SubmissionMailEntity', + 'SubmissionMailEntityProperties', + 'SystemData', 'ThreatIntelligence', - 'ToggleSettings', - 'UebaSettings', + 'ThreatIntelligenceAppendTags', + 'ThreatIntelligenceExternalReference', + 'ThreatIntelligenceFilteringCriteria', + 'ThreatIntelligenceGranularMarkingModel', + 'ThreatIntelligenceIndicatorModel', + 'ThreatIntelligenceIndicatorModelForRequestBody', + 'ThreatIntelligenceIndicatorProperties', + 'ThreatIntelligenceInformation', + 'ThreatIntelligenceInformationList', + 'ThreatIntelligenceKillChainPhase', + 'ThreatIntelligenceMetric', + 'ThreatIntelligenceMetricEntity', + 'ThreatIntelligenceMetrics', + 'ThreatIntelligenceMetricsList', + 'ThreatIntelligenceParsedPattern', + 'ThreatIntelligenceParsedPatternTypeValue', + 'ThreatIntelligenceResourceKind', + 'ThreatIntelligenceSortingCriteria', + 'UrlEntity', + 'UrlEntityProperties', + 'UserInfo', + 'Watchlist', + 'WatchlistItem', + 'WatchlistItemList', + 'WatchlistList', 'AlertRuleKind', 'AlertSeverity', + 'AlertStatus', + 'AntispamMailDirection', 'AttackTactic', 'CaseSeverity', - 'DataConnectorKind', - 'DataTypeState', + 'ConfidenceLevel', + 'ConfidenceScoreStatus', + 'CreatedByType', + 'DeliveryAction', + 'DeliveryLocation', + 'ElevationToken', + 'EntityKindEnum', + 'FileHashAlgorithm', 'IncidentClassification', 'IncidentClassificationReason', 'IncidentLabelType', 'IncidentSeverity', 'IncidentStatus', - 
'LicenseStatus', + 'KillChainIntent', 'MicrosoftSecurityProductName', - 'SettingKind', - 'StatusInMCAS', + 'OsFamily', + 'RegistryHive', + 'RegistryValueKind', + 'Source', 'TemplateStatus', + 'ThreatIntelligenceResourceInnerKind', + 'ThreatIntelligenceSortingOrder', 'TriggerOperator', ] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py index f8a2cf69674..d5487728475 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models.py @@ -9,8 +9,36 @@ import msrest.serialization -class ResourceWithEtag(msrest.serialization.Model): - """An azure resource object with an Etag property. +class EntityKind(msrest.serialization.Model): + """Describes an entity with kind. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + """ + + _validation = { + 'kind': {'required': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(EntityKind, self).__init__(**kwargs) + self.kind = kwargs['kind'] + + +class Resource(msrest.serialization.Model): + """An azure resource object. Variables are only populated by the server, and will be ignored when sending a request. 
@@ -20,192 +48,335 @@ class ResourceWithEtag(msrest.serialization.Model): :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, } def __init__( self, **kwargs ): - super(ResourceWithEtag, self).__init__(**kwargs) + super(Resource, self).__init__(**kwargs) self.id = None self.name = None self.type = None - self.etag = kwargs.get('etag', None) + self.system_data = None -class DataConnector(ResourceWithEtag): - """Data connector. - - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: AwsCloudTrailDataConnector, AADDataConnector, AATPDataConnector, ASCDataConnector, MCASDataConnector, MDATPDataConnector, OfficeDataConnector, TIDataConnector. +class Entity(Resource, EntityKind): + """Specific entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. 
:vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'AmazonWebServicesCloudTrail': 'AwsCloudTrailDataConnector', 'AzureActiveDirectory': 'AADDataConnector', 'AzureAdvancedThreatProtection': 'AATPDataConnector', 'AzureSecurityCenter': 'ASCDataConnector', 'MicrosoftCloudAppSecurity': 'MCASDataConnector', 'MicrosoftDefenderAdvancedThreatProtection': 'MDATPDataConnector', 'Office365': 'OfficeDataConnector', 'ThreatIntelligence': 'TIDataConnector'} + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, } def __init__( self, **kwargs ): - super(DataConnector, self).__init__(**kwargs) - self.kind = 'DataConnector' # type: str + super(Entity, self).__init__(**kwargs) + self.kind = kwargs['kind'] + self.id = None + self.name = None + self.type = None + self.system_data = None -class 
AADDataConnector(DataConnector): - """Represents AAD (Azure Active Directory) data connector. +class AccountEntity(Entity): + """Represents an account entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar aad_tenant_id: The Azure Active Directory tenant id. + :vartype aad_tenant_id: str + :ivar aad_user_id: The Azure Active Directory user id. + :vartype aad_user_id: str + :ivar account_name: The name of the account. This field should hold only the name without any + domain added to it, i.e. administrator. + :vartype account_name: str + :ivar display_name: The display name of the account. + :vartype display_name: str + :ivar host_entity_id: The Host entity id that contains the account in case it is a local + account (not domain joined). + :vartype host_entity_id: str + :ivar is_domain_joined: Determines whether this is a domain account. + :vartype is_domain_joined: bool + :ivar nt_domain: The NetBIOS domain name as it appears in the alert format – domain\username. + Examples: NT AUTHORITY. + :vartype nt_domain: str + :ivar object_guid: The objectGUID attribute is a single-value attribute that is the unique + identifier for the object, assigned by active directory. + :vartype object_guid: str + :ivar puid: The Azure Active Directory Passport User ID. + :vartype puid: str + :ivar sid: The account security identifier, e.g. S-1-5-18. + :vartype sid: str + :ivar upn_suffix: The user principal name suffix for the account, in some cases it is also the + domain name. Examples: contoso.com. + :vartype upn_suffix: str + :ivar dns_domain: The fully qualified domain DNS name. 
+ :vartype dns_domain: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'aad_tenant_id': {'readonly': True}, + 'aad_user_id': {'readonly': True}, + 'account_name': {'readonly': True}, + 'display_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'puid': {'readonly': True}, + 'sid': {'readonly': True}, + 'upn_suffix': {'readonly': True}, + 'dns_domain': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'aad_tenant_id': {'key': 'properties.aadTenantId', 'type': 'str'}, + 'aad_user_id': {'key': 'properties.aadUserId', 'type': 'str'}, + 'account_name': {'key': 'properties.accountName', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + 'is_domain_joined': {'key': 'properties.isDomainJoined', 'type': 'bool'}, + 'nt_domain': {'key': 'properties.ntDomain', 'type': 'str'}, + 'object_guid': {'key': 'properties.objectGuid', 'type': 'str'}, + 'puid': {'key': 'properties.puid', 'type': 'str'}, + 'sid': {'key': 'properties.sid', 'type': 'str'}, + 
'upn_suffix': {'key': 'properties.upnSuffix', 'type': 'str'}, + 'dns_domain': {'key': 'properties.dnsDomain', 'type': 'str'}, } def __init__( self, **kwargs ): - super(AADDataConnector, self).__init__(**kwargs) - self.kind = 'AzureActiveDirectory' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) + super(AccountEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.aad_tenant_id = None + self.aad_user_id = None + self.account_name = None + self.display_name = None + self.host_entity_id = None + self.is_domain_joined = None + self.nt_domain = None + self.object_guid = None + self.puid = None + self.sid = None + self.upn_suffix = None + self.dns_domain = None -class AATPDataConnector(DataConnector): - """Represents AATP (Azure Advanced Threat Protection) data connector. +class EntityCommonProperties(msrest.serialization.Model): + """Entity common property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + """ - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. 
Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(EntityCommonProperties, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + + +class AccountEntityProperties(EntityCommonProperties): + """Account entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar aad_tenant_id: The Azure Active Directory tenant id. + :vartype aad_tenant_id: str + :ivar aad_user_id: The Azure Active Directory user id. + :vartype aad_user_id: str + :ivar account_name: The name of the account. This field should hold only the name without any + domain added to it, i.e. administrator. + :vartype account_name: str + :ivar display_name: The display name of the account. 
+ :vartype display_name: str + :ivar host_entity_id: The Host entity id that contains the account in case it is a local + account (not domain joined). + :vartype host_entity_id: str + :ivar is_domain_joined: Determines whether this is a domain account. + :vartype is_domain_joined: bool + :ivar nt_domain: The NetBIOS domain name as it appears in the alert format – domain\username. + Examples: NT AUTHORITY. + :vartype nt_domain: str + :ivar object_guid: The objectGUID attribute is a single-value attribute that is the unique + identifier for the object, assigned by active directory. + :vartype object_guid: str + :ivar puid: The Azure Active Directory Passport User ID. + :vartype puid: str + :ivar sid: The account security identifier, e.g. S-1-5-18. + :vartype sid: str + :ivar upn_suffix: The user principal name suffix for the account, in some cases it is also the + domain name. Examples: contoso.com. + :vartype upn_suffix: str + :ivar dns_domain: The fully qualified domain DNS name. + :vartype dns_domain: str """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'aad_tenant_id': {'readonly': True}, + 'aad_user_id': {'readonly': True}, + 'account_name': {'readonly': True}, + 'display_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'puid': {'readonly': True}, + 'sid': {'readonly': True}, + 'upn_suffix': {'readonly': True}, + 'dns_domain': {'readonly': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 
'dataTypes.alerts.state', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'aad_tenant_id': {'key': 'aadTenantId', 'type': 'str'}, + 'aad_user_id': {'key': 'aadUserId', 'type': 'str'}, + 'account_name': {'key': 'accountName', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + 'is_domain_joined': {'key': 'isDomainJoined', 'type': 'bool'}, + 'nt_domain': {'key': 'ntDomain', 'type': 'str'}, + 'object_guid': {'key': 'objectGuid', 'type': 'str'}, + 'puid': {'key': 'puid', 'type': 'str'}, + 'sid': {'key': 'sid', 'type': 'str'}, + 'upn_suffix': {'key': 'upnSuffix', 'type': 'str'}, + 'dns_domain': {'key': 'dnsDomain', 'type': 'str'}, } def __init__( self, **kwargs ): - super(AATPDataConnector, self).__init__(**kwargs) - self.kind = 'AzureAdvancedThreatProtection' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) + super(AccountEntityProperties, self).__init__(**kwargs) + self.aad_tenant_id = None + self.aad_user_id = None + self.account_name = None + self.display_name = None + self.host_entity_id = None + self.is_domain_joined = None + self.nt_domain = None + self.object_guid = None + self.puid = None + self.sid = None + self.upn_suffix = None + self.dns_domain = None class ActionPropertiesBase(msrest.serialization.Model): 
@@ -235,6 +406,47 @@ def __init__( self.logic_app_resource_id = kwargs['logic_app_resource_id'] +class ResourceWithEtag(Resource): + """An azure resource object with an Etag property. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ResourceWithEtag, self).__init__(**kwargs) + self.etag = kwargs.get('etag', None) + + class ActionRequest(ResourceWithEtag): """Action for alert rule. @@ -246,6 +458,9 @@ class ActionRequest(ResourceWithEtag): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- 
@@ -260,12 +475,14 @@ class ActionRequest(ResourceWithEtag): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, 'trigger_uri': {'key': 'properties.triggerUri', 'type': 'str'}, @@ -289,12 +506,13 @@ class ActionRequestProperties(ActionPropertiesBase): subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- workflow-id}. :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. + :param trigger_uri: Required. Logic App Callback URL for this specific workflow. :type trigger_uri: str """ _validation = { 'logic_app_resource_id': {'required': True}, + 'trigger_uri': {'required': True}, } _attribute_map = { 
@@ -307,42 +525,7 @@ def __init__( **kwargs ): super(ActionRequestProperties, self).__init__(**kwargs) - self.trigger_uri = kwargs.get('trigger_uri', None) - - -class Resource(msrest.serialization.Model): - """An azure resource object. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Resource, self).__init__(**kwargs) - self.id = None - self.name = None - self.type = None + self.trigger_uri = kwargs['trigger_uri'] class ActionResponse(Resource): @@ -356,6 +539,9 @@ class ActionResponse(Resource): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the action. :type etag: str :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- @@ -370,12 +556,14 @@ class ActionResponse(Resource): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, 'workflow_id': {'key': 'properties.workflowId', 'type': 'str'}, 
@@ -469,6 +657,9 @@ class AlertRule(ResourceWithEtag): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: @@ -480,6 +671,7 @@ class AlertRule(ResourceWithEtag): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, } @@ -487,6 +679,7 @@ class AlertRule(ResourceWithEtag): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'kind': {'key': 'kind', 'type': 'str'}, } @@ -551,6 +744,9 @@ class AlertRuleTemplate(Resource): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". :type kind: str or ~security_insights.models.AlertRuleKind @@ -560,6 +756,7 @@ class AlertRuleTemplate(Resource): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, } @@ -567,6 +764,7 @@ class AlertRuleTemplate(Resource): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'kind': {'key': 'kind', 'type': 'str'}, } 
@@ -637,422 +835,415 @@ def __init__( self.value = kwargs['value'] -class AlertsDataTypeOfDataConnector(msrest.serialization.Model): - """Alerts data type for data connectors. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(AlertsDataTypeOfDataConnector, self).__init__(**kwargs) - self.state = kwargs.get('state', None) - - -class ASCDataConnector(DataConnector): - """Represents ASC (Azure Security Center) data connector. +class AzureResourceEntity(Entity): + """Represents an azure resource entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". 
- :type kind: str or ~security_insights.models.DataConnectorKind - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar resource_id: The azure resource id of the resource. + :vartype resource_id: str + :ivar subscription_id: The subscription id of the resource. 
+ :vartype subscription_id: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'resource_id': {'readonly': True}, + 'subscription_id': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'resource_id': {'key': 'properties.resourceId', 'type': 'str'}, 'subscription_id': {'key': 'properties.subscriptionId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, } def __init__( self, **kwargs ): - super(ASCDataConnector, self).__init__(**kwargs) - self.kind = 'AzureSecurityCenter' # type: str - self.subscription_id = kwargs.get('subscription_id', None) - self.state = kwargs.get('state', None) + super(AzureResourceEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.resource_id = None + self.subscription_id = None -class DataConnectorWithAlertsProperties(msrest.serialization.Model): - """Data connector properties. +class AzureResourceEntityProperties(EntityCommonProperties): + """AzureResource entity property bag. - :param data_types: The available data types for the connector. - :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector + Variables are only populated by the server, and will be ignored when sending a request. 
+ + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar resource_id: The azure resource id of the resource. + :vartype resource_id: str + :ivar subscription_id: The subscription id of the resource. + :vartype subscription_id: str """ + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'resource_id': {'readonly': True}, + 'subscription_id': {'readonly': True}, + } + _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'resource_id': {'key': 'resourceId', 'type': 'str'}, + 'subscription_id': {'key': 'subscriptionId', 'type': 'str'}, } def __init__( self, **kwargs ): - super(DataConnectorWithAlertsProperties, self).__init__(**kwargs) - self.data_types = kwargs.get('data_types', None) + super(AzureResourceEntityProperties, self).__init__(**kwargs) + self.resource_id = None + self.subscription_id = None -class ASCDataConnectorProperties(DataConnectorWithAlertsProperties): - """ASC (Azure Security Center) data connector properties. +class ClientInfo(msrest.serialization.Model): + """Information on the client (user or application) that made some action. - :param data_types: The available data types for the connector. - :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str + :param email: The email of the client. + :type email: str + :param name: The name of the client. 
+ :type name: str + :param object_id: The object id of the client. + :type object_id: str + :param user_principal_name: The user principal name of the client. + :type user_principal_name: str """ _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, - 'subscription_id': {'key': 'subscriptionId', 'type': 'str'}, + 'email': {'key': 'email', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'object_id': {'key': 'objectId', 'type': 'str'}, + 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, } def __init__( self, **kwargs ): - super(ASCDataConnectorProperties, self).__init__(**kwargs) - self.subscription_id = kwargs.get('subscription_id', None) + super(ClientInfo, self).__init__(**kwargs) + self.email = kwargs.get('email', None) + self.name = kwargs.get('name', None) + self.object_id = kwargs.get('object_id', None) + self.user_principal_name = kwargs.get('user_principal_name', None) -class AwsCloudTrailDataConnector(DataConnector): - """Represents Amazon Web Services CloudTrail data connector. +class CloudApplicationEntity(Entity): + """Represents a cloud application entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. 
The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param aws_role_arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access - the Aws account. - :type aws_role_arn: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar app_id: The technical identifier of the application. + :vartype app_id: int + :ivar app_name: The name of the related cloud application. + :vartype app_name: str + :ivar instance_name: The user defined instance name of the cloud application. It is often used + to distinguish between several applications of the same type that a customer has. 
+ :vartype instance_name: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'app_id': {'readonly': True}, + 'app_name': {'readonly': True}, + 'instance_name': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'aws_role_arn': {'key': 'properties.awsRoleArn', 'type': 'str'}, - 'state': {'key': 'dataTypes.logs.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'app_id': {'key': 'properties.appId', 'type': 'int'}, + 'app_name': {'key': 'properties.appName', 'type': 'str'}, + 'instance_name': {'key': 'properties.instanceName', 'type': 'str'}, } def __init__( self, **kwargs ): - super(AwsCloudTrailDataConnector, self).__init__(**kwargs) - self.kind = 'AmazonWebServicesCloudTrail' # type: str - self.aws_role_arn = kwargs.get('aws_role_arn', None) - self.state = kwargs.get('state', None) + super(CloudApplicationEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.app_id = None + self.app_name = None + self.instance_name = None + +class CloudApplicationEntityProperties(EntityCommonProperties): + """CloudApplication entity property bag. -class DataConnectorDataTypeCommon(msrest.serialization.Model): - """Common field for data type in data connectors. + Variables are only populated by the server, and will be ignored when sending a request. 
- :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar app_id: The technical identifier of the application. + :vartype app_id: int + :ivar app_name: The name of the related cloud application. + :vartype app_name: str + :ivar instance_name: The user defined instance name of the cloud application. It is often used + to distinguish between several applications of the same type that a customer has. + :vartype instance_name: str """ - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'app_id': {'readonly': True}, + 'app_name': {'readonly': True}, + 'instance_name': {'readonly': True}, } - def __init__( - self, - **kwargs - ): - super(DataConnectorDataTypeCommon, self).__init__(**kwargs) - self.state = kwargs.get('state', None) - - -class AwsCloudTrailDataConnectorDataTypesLogs(DataConnectorDataTypeCommon): - """Logs data type. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'app_id': {'key': 'appId', 'type': 'int'}, + 'app_name': {'key': 'appName', 'type': 'str'}, + 'instance_name': {'key': 'instanceName', 'type': 'str'}, } def __init__( self, **kwargs ): - super(AwsCloudTrailDataConnectorDataTypesLogs, self).__init__(**kwargs) + super(CloudApplicationEntityProperties, self).__init__(**kwargs) + self.app_id = None + self.app_name = None + self.instance_name = None -class Bookmark(ResourceWithEtag): - """Represents a bookmark in Azure Security Insights. +class DnsEntity(Entity): + """Represents a dns entity. Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. 
- :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. - :type incident_info: ~security_insights.models.IncidentInfo - :ivar email_updated_by_email: The email of the user. - :vartype email_updated_by_email: str - :ivar name_updated_by_name: The name of the user. - :vartype name_updated_by_name: str - :param object_id_updated_by_object_id: The object id of the user. - :type object_id_updated_by_object_id: str - :ivar email_created_by_email: The email of the user. - :vartype email_created_by_email: str - :ivar name_created_by_name: The name of the user. - :vartype name_created_by_name: str - :param object_id_created_by_object_id: The object id of the user. - :type object_id_created_by_object_id: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar dns_server_ip_entity_id: An ip entity id for the dns server resolving the request. + :vartype dns_server_ip_entity_id: str + :ivar domain_name: The name of the dns record associated with the alert. + :vartype domain_name: str + :ivar host_ip_address_entity_id: An ip entity id for the dns request client. + :vartype host_ip_address_entity_id: str + :ivar ip_address_entity_ids: Ip entity identifiers for the resolved ip address. 
+ :vartype ip_address_entity_ids: list[str] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'email_updated_by_email': {'readonly': True}, - 'name_updated_by_name': {'readonly': True}, - 'email_created_by_email': {'readonly': True}, - 'name_created_by_name': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'dns_server_ip_entity_id': {'readonly': True}, + 'domain_name': {'readonly': True}, + 'host_ip_address_entity_id': {'readonly': True}, + 'ip_address_entity_ids': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'created': {'key': 'properties.created', 'type': 'iso-8601'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'labels': {'key': 'properties.labels', 'type': '[str]'}, - 'notes': {'key': 'properties.notes', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_result': {'key': 'properties.queryResult', 'type': 'str'}, - 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, - 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'}, - 'email_updated_by_email': {'key': 'updatedBy.email', 'type': 'str'}, - 'name_updated_by_name': {'key': 'updatedBy.name', 'type': 'str'}, - 'object_id_updated_by_object_id': {'key': 'updatedBy.objectId', 'type': 'str'}, - 'email_created_by_email': {'key': 'createdBy.email', 'type': 'str'}, - 'name_created_by_name': {'key': 'createdBy.name', 'type': 'str'}, - 'object_id_created_by_object_id': {'key': 'createdBy.objectId', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Bookmark, self).__init__(**kwargs) - self.created = kwargs.get('created', None) - self.display_name = 
kwargs.get('display_name', None) - self.labels = kwargs.get('labels', None) - self.notes = kwargs.get('notes', None) - self.query = kwargs.get('query', None) - self.query_result = kwargs.get('query_result', None) - self.updated = kwargs.get('updated', None) - self.incident_info = kwargs.get('incident_info', None) - self.email_updated_by_email = None - self.name_updated_by_name = None - self.object_id_updated_by_object_id = kwargs.get('object_id_updated_by_object_id', None) - self.email_created_by_email = None - self.name_created_by_name = None - self.object_id_created_by_object_id = kwargs.get('object_id_created_by_object_id', None) - - -class BookmarkList(msrest.serialization.Model): - """List all the bookmarks. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of cases. - :vartype next_link: str - :param value: Required. Array of bookmarks. - :type value: list[~security_insights.models.Bookmark] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Bookmark]'}, - } - - def __init__( - self, - **kwargs - ): - super(BookmarkList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class ClientInfo(msrest.serialization.Model): - """Information on the client (user or application) that made some action. - - :param email: The email of the client. - :type email: str - :param name: The name of the client. - :type name: str - :param object_id: The object id of the client. - :type object_id: str - :param user_principal_name: The user principal name of the client. 
- :type user_principal_name: str - """ - - _attribute_map = { - 'email': {'key': 'email', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'object_id': {'key': 'objectId', 'type': 'str'}, - 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'dns_server_ip_entity_id': {'key': 'properties.dnsServerIpEntityId', 'type': 'str'}, + 'domain_name': {'key': 'properties.domainName', 'type': 'str'}, + 'host_ip_address_entity_id': {'key': 'properties.hostIpAddressEntityId', 'type': 'str'}, + 'ip_address_entity_ids': {'key': 'properties.ipAddressEntityIds', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(ClientInfo, self).__init__(**kwargs) - self.email = kwargs.get('email', None) - self.name = kwargs.get('name', None) - self.object_id = kwargs.get('object_id', None) - self.user_principal_name = kwargs.get('user_principal_name', None) + super(DnsEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.dns_server_ip_entity_id = None + self.domain_name = None + self.host_ip_address_entity_id = None + self.ip_address_entity_ids = None -class DataConnectorList(msrest.serialization.Model): - """List all the data connectors. +class DnsEntityProperties(EntityCommonProperties): + """Dns entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of data connectors. - :vartype next_link: str - :param value: Required. Array of data connectors. - :type value: list[~security_insights.models.DataConnector] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar dns_server_ip_entity_id: An ip entity id for the dns server resolving the request. + :vartype dns_server_ip_entity_id: str + :ivar domain_name: The name of the dns record associated with the alert. + :vartype domain_name: str + :ivar host_ip_address_entity_id: An ip entity id for the dns request client. + :vartype host_ip_address_entity_id: str + :ivar ip_address_entity_ids: Ip entity identifiers for the resolved ip address. + :vartype ip_address_entity_ids: list[str] """ _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'dns_server_ip_entity_id': {'readonly': True}, + 'domain_name': {'readonly': True}, + 'host_ip_address_entity_id': {'readonly': True}, + 'ip_address_entity_ids': {'readonly': True}, } _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[DataConnector]'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'dns_server_ip_entity_id': {'key': 'dnsServerIpEntityId', 'type': 'str'}, + 'domain_name': {'key': 'domainName', 'type': 'str'}, + 'host_ip_address_entity_id': {'key': 'hostIpAddressEntityId', 'type': 'str'}, + 'ip_address_entity_ids': {'key': 'ipAddressEntityIds', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(DataConnectorList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] + super(DnsEntityProperties, self).__init__(**kwargs) + self.dns_server_ip_entity_id = None + self.domain_name = None + self.host_ip_address_entity_id = None + self.ip_address_entity_ids = None -class 
DataConnectorTenantId(msrest.serialization.Model): - """Properties data connector on tenant level. +class EntityEdges(msrest.serialization.Model): + """The edge that connects the entity to the other entity. - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str + :param target_entity_id: The target entity Id. + :type target_entity_id: str + :param additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :type additional_data: dict[str, object] """ _attribute_map = { - 'tenant_id': {'key': 'tenantId', 'type': 'str'}, + 'target_entity_id': {'key': 'targetEntityId', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, } def __init__( self, **kwargs ): - super(DataConnectorTenantId, self).__init__(**kwargs) - self.tenant_id = kwargs.get('tenant_id', None) + super(EntityEdges, self).__init__(**kwargs) + self.target_entity_id = kwargs.get('target_entity_id', None) + self.additional_data = kwargs.get('additional_data', None) class ErrorAdditionalInfo(msrest.serialization.Model): @@ -1086,7 +1277,7 @@ def __init__( class ErrorResponse(msrest.serialization.Model): - """The resource management error response. + """Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.). Variables are only populated by the server, and will be ignored when sending a request. 
@@ -1130,6 +1321,244 @@ def __init__( self.additional_info = None +class FileEntity(Entity): + """Represents a file entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar directory: The full path to the file. + :vartype directory: str + :ivar file_hash_entity_ids: The file hash entity identifiers associated with this file. + :vartype file_hash_entity_ids: list[str] + :ivar file_name: The file name without path (some alerts might not include path). + :vartype file_name: str + :ivar host_entity_id: The Host entity id which the file belongs to. 
+ :vartype host_entity_id: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'directory': {'readonly': True}, + 'file_hash_entity_ids': {'readonly': True}, + 'file_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'directory': {'key': 'properties.directory', 'type': 'str'}, + 'file_hash_entity_ids': {'key': 'properties.fileHashEntityIds', 'type': '[str]'}, + 'file_name': {'key': 'properties.fileName', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(FileEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.directory = None + self.file_hash_entity_ids = None + self.file_name = None + self.host_entity_id = None + + +class FileEntityProperties(EntityCommonProperties): + """File entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar directory: The full path to the file. 
+ :vartype directory: str + :ivar file_hash_entity_ids: The file hash entity identifiers associated with this file. + :vartype file_hash_entity_ids: list[str] + :ivar file_name: The file name without path (some alerts might not include path). + :vartype file_name: str + :ivar host_entity_id: The Host entity id which the file belongs to. + :vartype host_entity_id: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'directory': {'readonly': True}, + 'file_hash_entity_ids': {'readonly': True}, + 'file_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'directory': {'key': 'directory', 'type': 'str'}, + 'file_hash_entity_ids': {'key': 'fileHashEntityIds', 'type': '[str]'}, + 'file_name': {'key': 'fileName', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(FileEntityProperties, self).__init__(**kwargs) + self.directory = None + self.file_hash_entity_ids = None + self.file_name = None + self.host_entity_id = None + + +class FileHashEntity(Entity): + """Represents a file hash entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. 
+ :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar algorithm: The hash algorithm type. Possible values include: "Unknown", "MD5", "SHA1", + "SHA256", "SHA256AC". + :vartype algorithm: str or ~security_insights.models.FileHashAlgorithm + :ivar hash_value: The file hash value. + :vartype hash_value: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'algorithm': {'readonly': True}, + 'hash_value': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'algorithm': {'key': 'properties.algorithm', 'type': 'str'}, + 'hash_value': {'key': 'properties.hashValue', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(FileHashEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.algorithm = None + self.hash_value = None + + +class 
FileHashEntityProperties(EntityCommonProperties):
+ """FileHash entity property bag.
+
+ Variables are only populated by the server, and will be ignored when sending a request.
+
+ :ivar additional_data: A bag of custom fields that should be part of the entity and will be
+ presented to the user.
+ :vartype additional_data: dict[str, object]
+ :ivar friendly_name: The graph item display name which is a short humanly readable description
+ of the graph item instance. This property is optional and might be system generated.
+ :vartype friendly_name: str
+ :ivar algorithm: The hash algorithm type. Possible values include: "Unknown", "MD5", "SHA1",
+ "SHA256", "SHA256AC".
+ :vartype algorithm: str or ~security_insights.models.FileHashAlgorithm
+ :ivar hash_value: The file hash value.
+ :vartype hash_value: str
+ """
+
+ _validation = {
+ 'additional_data': {'readonly': True},
+ 'friendly_name': {'readonly': True},
+ 'algorithm': {'readonly': True},
+ 'hash_value': {'readonly': True},
+ }
+
+ _attribute_map = {
+ 'additional_data': {'key': 'additionalData', 'type': '{object}'},
+ 'friendly_name': {'key': 'friendlyName', 'type': 'str'},
+ 'algorithm': {'key': 'algorithm', 'type': 'str'},
+ 'hash_value': {'key': 'hashValue', 'type': 'str'},
+ }
+
+ def __init__(
+ self,
+ **kwargs
+ ):
+ super(FileHashEntityProperties, self).__init__(**kwargs)
+ self.algorithm = None
+ self.hash_value = None
+
+
 class FusionAlertRule(AlertRule):
 """Represents Fusion alert rule.
@@ -1143,6 +1572,9 @@ class FusionAlertRule(AlertRule):
 :vartype name: str
 :ivar type: Azure resource type.
 :vartype type: str
+ :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy
+ information.
+ :vartype system_data: ~security_insights.models.SystemData
 :param etag: Etag of the azure resource.
 :type etag: str
 :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
@@ -1169,6 +1601,7 @@ class FusionAlertRule(AlertRule):
 'id': {'readonly': True},
 'name': {'readonly': True},
 'type': {'readonly': True},
+ 'system_data': {'readonly': True},
 'kind': {'required': True},
 'description': {'readonly': True},
 'display_name': {'readonly': True},
@@ -1181,6 +1614,7 @@ class FusionAlertRule(AlertRule):
 'id': {'key': 'id', 'type': 'str'},
 'name': {'key': 'name', 'type': 'str'},
 'type': {'key': 'type', 'type': 'str'},
+ 'system_data': {'key': 'systemData', 'type': 'SystemData'},
 'etag': {'key': 'etag', 'type': 'str'},
 'kind': {'key': 'kind', 'type': 'str'},
 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'},
@@ -1220,6 +1654,9 @@ class FusionAlertRuleTemplate(AlertRuleTemplate):
 :vartype name: str
 :ivar type: Azure resource type.
 :vartype type: str
+ :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy
+ information.
+ :vartype system_data: ~security_insights.models.SystemData
 :param kind: Required. The alert rule kind.Constant filled by server. Possible values include:
 "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion".
 :type kind: str or ~security_insights.models.AlertRuleKind
@@ -1248,6 +1685,7 @@ class FusionAlertRuleTemplate(AlertRuleTemplate):
 'id': {'readonly': True},
 'name': {'readonly': True},
 'type': {'readonly': True},
+ 'system_data': {'readonly': True},
 'kind': {'required': True},
 'created_date_utc': {'readonly': True},
 }
@@ -1256,6 +1694,7 @@ class FusionAlertRuleTemplate(AlertRuleTemplate):
 'id': {'key': 'id', 'type': 'str'},
 'name': {'key': 'name', 'type': 'str'},
 'type': {'key': 'type', 'type': 'str'},
+ 'system_data': {'key': 'systemData', 'type': 'SystemData'},
 'kind': {'key': 'kind', 'type': 'str'},
 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'},
 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'},
@@ -1283,44 +1722,471 @@ def __init__( self.tactics = kwargs.get('tactics', None) -class Incident(ResourceWithEtag): - """Represents an incident in Azure Security Insights. +class GeoLocation(msrest.serialization.Model): + """The geo-location context attached to the ip entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar asn: Autonomous System Number. + :vartype asn: int + :ivar city: City name. + :vartype city: str + :ivar country_code: The country code according to ISO 3166 format. + :vartype country_code: str + :ivar country_name: Country name according to ISO 3166 Alpha 2: the lowercase of the English + Short Name. + :vartype country_name: str + :ivar latitude: The longitude of the identified location, expressed as a floating point number + with range of -180 to 180, with positive numbers representing East and negative numbers + representing West. Latitude and longitude are derived from the city or postal code. + :vartype latitude: float + :ivar longitude: The latitude of the identified location, expressed as a floating point number + with range of - 90 to 90, with positive numbers representing North and negative numbers + representing South. Latitude and longitude are derived from the city or postal code. + :vartype longitude: float + :ivar state: State name. 
+ :vartype state: str + """ + + _validation = { + 'asn': {'readonly': True}, + 'city': {'readonly': True}, + 'country_code': {'readonly': True}, + 'country_name': {'readonly': True}, + 'latitude': {'readonly': True}, + 'longitude': {'readonly': True}, + 'state': {'readonly': True}, + } + + _attribute_map = { + 'asn': {'key': 'asn', 'type': 'int'}, + 'city': {'key': 'city', 'type': 'str'}, + 'country_code': {'key': 'countryCode', 'type': 'str'}, + 'country_name': {'key': 'countryName', 'type': 'str'}, + 'latitude': {'key': 'latitude', 'type': 'float'}, + 'longitude': {'key': 'longitude', 'type': 'float'}, + 'state': {'key': 'state', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(GeoLocation, self).__init__(**kwargs) + self.asn = None + self.city = None + self.country_code = None + self.country_name = None + self.latitude = None + self.longitude = None + self.state = None + + +class HostEntity(Entity): + """Represents a host entity. Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :ivar additional_data: Additional data on the incident. - :vartype additional_data: ~security_insights.models.IncidentAdditionalData - :param classification: The reason the incident was closed. 
Possible values include: - "Undetermined", "TruePositive", "BenignPositive", "FalsePositive". - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. - :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. Possible - values include: "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic", - "InaccurateData". - :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :ivar created_time_utc: The time the incident was created. - :vartype created_time_utc: ~datetime.datetime - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :ivar incident_url: The deep-link url to the incident in Azure portal. - :vartype incident_url: str - :ivar incident_number: A sequential number. - :vartype incident_number: int - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar azure_id: The azure resource id of the VM. 
+ :vartype azure_id: str + :ivar dns_domain: The DNS domain that this host belongs to. Should contain the compete DNS + suffix for the domain. + :vartype dns_domain: str + :ivar host_name: The hostname without the domain suffix. + :vartype host_name: str + :ivar is_domain_joined: Determines whether this host belongs to a domain. + :vartype is_domain_joined: bool + :ivar net_bios_name: The host name (pre-windows2000). + :vartype net_bios_name: str + :ivar nt_domain: The NT domain that this host belongs to. + :vartype nt_domain: str + :ivar oms_agent_id: The OMS agent id, if the host has OMS agent installed. + :vartype oms_agent_id: str + :param os_family: The operating system type. Possible values include: "Linux", "Windows", + "Android", "IOS", "Unknown". + :type os_family: str or ~security_insights.models.OsFamily + :ivar os_version: A free text representation of the operating system. This field is meant to + hold specific versions the are more fine grained than OSFamily or future values not supported + by OSFamily enumeration. 
+ :vartype os_version: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'azure_id': {'readonly': True}, + 'dns_domain': {'readonly': True}, + 'host_name': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'net_bios_name': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'oms_agent_id': {'readonly': True}, + 'os_version': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'azure_id': {'key': 'properties.azureID', 'type': 'str'}, + 'dns_domain': {'key': 'properties.dnsDomain', 'type': 'str'}, + 'host_name': {'key': 'properties.hostName', 'type': 'str'}, + 'is_domain_joined': {'key': 'properties.isDomainJoined', 'type': 'bool'}, + 'net_bios_name': {'key': 'properties.netBiosName', 'type': 'str'}, + 'nt_domain': {'key': 'properties.ntDomain', 'type': 'str'}, + 'oms_agent_id': {'key': 'properties.omsAgentID', 'type': 'str'}, + 'os_family': {'key': 'properties.osFamily', 'type': 'str'}, + 'os_version': {'key': 'properties.osVersion', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(HostEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.azure_id = None + self.dns_domain = None + self.host_name = None + self.is_domain_joined = None + self.net_bios_name = None + self.nt_domain = None + self.oms_agent_id = None + self.os_family = kwargs.get('os_family', None) + self.os_version = None + + +class 
HostEntityProperties(EntityCommonProperties): + """Host entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar azure_id: The azure resource id of the VM. + :vartype azure_id: str + :ivar dns_domain: The DNS domain that this host belongs to. Should contain the compete DNS + suffix for the domain. + :vartype dns_domain: str + :ivar host_name: The hostname without the domain suffix. + :vartype host_name: str + :ivar is_domain_joined: Determines whether this host belongs to a domain. + :vartype is_domain_joined: bool + :ivar net_bios_name: The host name (pre-windows2000). + :vartype net_bios_name: str + :ivar nt_domain: The NT domain that this host belongs to. + :vartype nt_domain: str + :ivar oms_agent_id: The OMS agent id, if the host has OMS agent installed. + :vartype oms_agent_id: str + :param os_family: The operating system type. Possible values include: "Linux", "Windows", + "Android", "IOS", "Unknown". + :type os_family: str or ~security_insights.models.OsFamily + :ivar os_version: A free text representation of the operating system. This field is meant to + hold specific versions the are more fine grained than OSFamily or future values not supported + by OSFamily enumeration. 
+ :vartype os_version: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'azure_id': {'readonly': True}, + 'dns_domain': {'readonly': True}, + 'host_name': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'net_bios_name': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'oms_agent_id': {'readonly': True}, + 'os_version': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'azure_id': {'key': 'azureID', 'type': 'str'}, + 'dns_domain': {'key': 'dnsDomain', 'type': 'str'}, + 'host_name': {'key': 'hostName', 'type': 'str'}, + 'is_domain_joined': {'key': 'isDomainJoined', 'type': 'bool'}, + 'net_bios_name': {'key': 'netBiosName', 'type': 'str'}, + 'nt_domain': {'key': 'ntDomain', 'type': 'str'}, + 'oms_agent_id': {'key': 'omsAgentID', 'type': 'str'}, + 'os_family': {'key': 'osFamily', 'type': 'str'}, + 'os_version': {'key': 'osVersion', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(HostEntityProperties, self).__init__(**kwargs) + self.azure_id = None + self.dns_domain = None + self.host_name = None + self.is_domain_joined = None + self.net_bios_name = None + self.nt_domain = None + self.oms_agent_id = None + self.os_family = kwargs.get('os_family', None) + self.os_version = None + + +class HuntingBookmark(Entity): + """Represents a Hunting bookmark entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param created: The time the bookmark was created. + :type created: ~datetime.datetime + :param created_by: Describes a user that created the bookmark. + :type created_by: ~security_insights.models.UserInfo + :param display_name: The display name of the bookmark. + :type display_name: str + :param event_time: The time of the event. + :type event_time: ~datetime.datetime + :param labels: List of labels relevant to this bookmark. + :type labels: list[str] + :param notes: The notes of the bookmark. + :type notes: str + :param query: The query of the bookmark. + :type query: str + :param query_result: The query result of the bookmark. + :type query_result: str + :param updated: The last time the bookmark was updated. + :type updated: ~datetime.datetime + :param updated_by: Describes a user that updated the bookmark. 
+ :type updated_by: ~security_insights.models.UserInfo + :param incident_info: Describes an incident that relates to bookmark. + :type incident_info: ~security_insights.models.IncidentInfo + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'iso-8601'}, + 'created_by': {'key': 'properties.createdBy', 'type': 'UserInfo'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'event_time': {'key': 'properties.eventTime', 'type': 'iso-8601'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'notes': {'key': 'properties.notes', 'type': 'str'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_result': {'key': 'properties.queryResult', 'type': 'str'}, + 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, + 'updated_by': {'key': 'properties.updatedBy', 'type': 'UserInfo'}, + 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'}, + } + + def __init__( + self, + **kwargs + ): + super(HuntingBookmark, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.created = kwargs.get('created', None) + self.created_by = kwargs.get('created_by', None) + self.display_name = kwargs.get('display_name', None) + self.event_time = kwargs.get('event_time', None) + self.labels = kwargs.get('labels', None) + self.notes = 
kwargs.get('notes', None) + self.query = kwargs.get('query', None) + self.query_result = kwargs.get('query_result', None) + self.updated = kwargs.get('updated', None) + self.updated_by = kwargs.get('updated_by', None) + self.incident_info = kwargs.get('incident_info', None) + + +class HuntingBookmarkProperties(EntityCommonProperties): + """Describes bookmark properties. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param created: The time the bookmark was created. + :type created: ~datetime.datetime + :param created_by: Describes a user that created the bookmark. + :type created_by: ~security_insights.models.UserInfo + :param display_name: Required. The display name of the bookmark. + :type display_name: str + :param event_time: The time of the event. + :type event_time: ~datetime.datetime + :param labels: List of labels relevant to this bookmark. + :type labels: list[str] + :param notes: The notes of the bookmark. + :type notes: str + :param query: Required. The query of the bookmark. + :type query: str + :param query_result: The query result of the bookmark. + :type query_result: str + :param updated: The last time the bookmark was updated. + :type updated: ~datetime.datetime + :param updated_by: Describes a user that updated the bookmark. + :type updated_by: ~security_insights.models.UserInfo + :param incident_info: Describes an incident that relates to bookmark. 
+ :type incident_info: ~security_insights.models.IncidentInfo + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'display_name': {'required': True}, + 'query': {'required': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'created': {'key': 'created', 'type': 'iso-8601'}, + 'created_by': {'key': 'createdBy', 'type': 'UserInfo'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'event_time': {'key': 'eventTime', 'type': 'iso-8601'}, + 'labels': {'key': 'labels', 'type': '[str]'}, + 'notes': {'key': 'notes', 'type': 'str'}, + 'query': {'key': 'query', 'type': 'str'}, + 'query_result': {'key': 'queryResult', 'type': 'str'}, + 'updated': {'key': 'updated', 'type': 'iso-8601'}, + 'updated_by': {'key': 'updatedBy', 'type': 'UserInfo'}, + 'incident_info': {'key': 'incidentInfo', 'type': 'IncidentInfo'}, + } + + def __init__( + self, + **kwargs + ): + super(HuntingBookmarkProperties, self).__init__(**kwargs) + self.created = kwargs.get('created', None) + self.created_by = kwargs.get('created_by', None) + self.display_name = kwargs['display_name'] + self.event_time = kwargs.get('event_time', None) + self.labels = kwargs.get('labels', None) + self.notes = kwargs.get('notes', None) + self.query = kwargs['query'] + self.query_result = kwargs.get('query_result', None) + self.updated = kwargs.get('updated', None) + self.updated_by = kwargs.get('updated_by', None) + self.incident_info = kwargs.get('incident_info', None) + + +class Incident(ResourceWithEtag): + """Represents an incident in Azure Security Insights. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. 
+ :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :ivar additional_data: Additional data on the incident. + :vartype additional_data: ~security_insights.models.IncidentAdditionalData + :param classification: The reason the incident was closed. Possible values include: + "Undetermined", "TruePositive", "BenignPositive", "FalsePositive". + :type classification: str or ~security_insights.models.IncidentClassification + :param classification_comment: Describes the reason the incident was closed. + :type classification_comment: str + :param classification_reason: The classification reason the incident was closed with. Possible + values include: "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic", + "InaccurateData". + :type classification_reason: str or ~security_insights.models.IncidentClassificationReason + :ivar created_time_utc: The time the incident was created. + :vartype created_time_utc: ~datetime.datetime + :param description: The description of the incident. + :type description: str + :param first_activity_time_utc: The time of the first activity in the incident. + :type first_activity_time_utc: ~datetime.datetime + :ivar incident_url: The deep-link url to the incident in Azure portal. + :vartype incident_url: str + :ivar incident_number: A sequential number. + :vartype incident_number: int + :param labels: List of labels relevant to this incident. + :type labels: list[~security_insights.models.IncidentLabel] + :param last_activity_time_utc: The time of the last activity in the incident. + :type last_activity_time_utc: ~datetime.datetime :ivar last_modified_time_utc: The last time the incident was updated. :vartype last_modified_time_utc: ~datetime.datetime :param owner: Describes a user that the incident is assigned to. 
@@ -1341,6 +2207,7 @@ class Incident(ResourceWithEtag): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'additional_data': {'readonly': True}, 'created_time_utc': {'readonly': True}, 'incident_url': {'readonly': True}, @@ -1353,6 +2220,7 @@ class Incident(ResourceWithEtag): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'additional_data': {'key': 'properties.additionalData', 'type': 'IncidentAdditionalData'}, 'classification': {'key': 'properties.classification', 'type': 'str'}, 
@@ -1442,7 +2310,57 @@ def __init__( self.tactics = None -class IncidentComment(Resource): +class IncidentAlertList(msrest.serialization.Model): + """List of incident alerts. + + All required parameters must be populated in order to send to Azure. + + :param value: Required. Array of incident alerts. + :type value: list[~security_insights.models.SecurityAlert] + """ + + _validation = { + 'value': {'required': True}, + } + + _attribute_map = { + 'value': {'key': 'value', 'type': '[SecurityAlert]'}, + } + + def __init__( + self, + **kwargs + ): + super(IncidentAlertList, self).__init__(**kwargs) + self.value = kwargs['value'] + + +class IncidentBookmarkList(msrest.serialization.Model): + """List of incident bookmarks. + + All required parameters must be populated in order to send to Azure. + + :param value: Required. Array of incident bookmarks. + :type value: list[~security_insights.models.HuntingBookmark] + """ + + _validation = { + 'value': {'required': True}, + } + + _attribute_map = { + 'value': {'key': 'value', 'type': '[HuntingBookmark]'}, + } + + def __init__( + self, + **kwargs + ): + super(IncidentBookmarkList, self).__init__(**kwargs) + self.value = kwargs['value'] + + +class IncidentComment(ResourceWithEtag): """Represents an incident comment. Variables are only populated by the server, and will be ignored when sending a request. 
@@ -1453,8 +2371,15 @@ class IncidentComment(Resource): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str :ivar created_time_utc: The time the comment was created. :vartype created_time_utc: ~datetime.datetime + :ivar last_modified_time_utc: The time the comment was updated. + :vartype last_modified_time_utc: ~datetime.datetime :param message: The comment message. :type message: str :ivar author: Describes the client that created the comment. @@ -1465,7 +2390,9 @@ class IncidentComment(Resource): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'created_time_utc': {'readonly': True}, + 'last_modified_time_utc': {'readonly': True}, 'author': {'readonly': True}, } @@ -1473,7 +2400,10 @@ class IncidentComment(Resource): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, + 'last_modified_time_utc': {'key': 'properties.lastModifiedTimeUtc', 'type': 'iso-8601'}, 'message': {'key': 'properties.message', 'type': 'str'}, 'author': {'key': 'properties.author', 'type': 'ClientInfo'}, } @@ -1484,6 +2414,7 @@ def __init__( ): super(IncidentComment, self).__init__(**kwargs) self.created_time_utc = None + self.last_modified_time_utc = None self.message = kwargs.get('message', None) self.author = None 
@@ -1520,51 +2451,100 @@ def __init__( self.value = kwargs['value'] -class IncidentInfo(msrest.serialization.Model): - """Describes related incident information for the bookmark. - - All required parameters must be populated in order to send to Azure. +class IncidentEntitiesResponse(msrest.serialization.Model): + """The incident related entities response. - :param incident_id: Required. Incident Id. - :type incident_id: str - :param severity: Required. The severity of the incident. Possible values include: "Critical", - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.CaseSeverity - :param title: Required. The title of the incident. - :type title: str - :param relation_name: Required. Relation Name. - :type relation_name: str + :param entities: Array of the incident related entities. + :type entities: list[~security_insights.models.Entity] + :param meta_data: The metadata from the incident related entities results. + :type meta_data: list[~security_insights.models.IncidentEntitiesResultsMetadata] """ - _validation = { - 'incident_id': {'required': True}, - 'severity': {'required': True}, - 'title': {'required': True}, - 'relation_name': {'required': True}, - } - _attribute_map = { - 'incident_id': {'key': 'incidentId', 'type': 'str'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'title': {'key': 'title', 'type': 'str'}, - 'relation_name': {'key': 'relationName', 'type': 'str'}, + 'entities': {'key': 'entities', 'type': '[Entity]'}, + 'meta_data': {'key': 'metaData', 'type': '[IncidentEntitiesResultsMetadata]'}, } def __init__( self, **kwargs ): - super(IncidentInfo, self).__init__(**kwargs) - self.incident_id = kwargs['incident_id'] - self.severity = kwargs['severity'] - self.title = kwargs['title'] - self.relation_name = kwargs['relation_name'] + super(IncidentEntitiesResponse, self).__init__(**kwargs) + self.entities = kwargs.get('entities', None) + self.meta_data = kwargs.get('meta_data', None) -class 
IncidentLabel(msrest.serialization.Model): - """Represents an incident label. +class IncidentEntitiesResultsMetadata(msrest.serialization.Model): + """Information of a specific aggregation in the incident related entities result. - Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. + + :param count: Required. Total number of aggregations of the given kind in the incident related + entities result. + :type count: int + :param entity_kind: Required. The kind of the aggregated entity. Possible values include: + "Account", "Host", "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", + "Ip", "Malware", "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", + "IoTDevice", "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", + "SubmissionMail". + :type entity_kind: str or ~security_insights.models.EntityKindEnum + """ + + _validation = { + 'count': {'required': True}, + 'entity_kind': {'required': True}, + } + + _attribute_map = { + 'count': {'key': 'count', 'type': 'int'}, + 'entity_kind': {'key': 'entityKind', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(IncidentEntitiesResultsMetadata, self).__init__(**kwargs) + self.count = kwargs['count'] + self.entity_kind = kwargs['entity_kind'] + + +class IncidentInfo(msrest.serialization.Model): + """Describes related incident information for the bookmark. + + :param incident_id: Incident Id. + :type incident_id: str + :param severity: The severity of the incident. Possible values include: "Critical", "High", + "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.CaseSeverity + :param title: The title of the incident. + :type title: str + :param relation_name: Relation Name. 
+ :type relation_name: str + """ + + _attribute_map = { + 'incident_id': {'key': 'incidentId', 'type': 'str'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'title': {'key': 'title', 'type': 'str'}, + 'relation_name': {'key': 'relationName', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(IncidentInfo, self).__init__(**kwargs) + self.incident_id = kwargs.get('incident_id', None) + self.severity = kwargs.get('severity', None) + self.title = kwargs.get('title', None) + self.relation_name = kwargs.get('relation_name', None) + + +class IncidentLabel(msrest.serialization.Model): + """Represents an incident label. + + Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. 
@@ -1656,670 +2636,1218 @@ def __init__( self.user_principal_name = kwargs.get('user_principal_name', None) -class MCASDataConnector(DataConnector): - """Represents MCAS (Microsoft Cloud App Security) data connector. +class IoTDeviceEntity(Entity): + """Represents an IoT device entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_alerts_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". - :type state_data_types_alerts_state: str or ~security_insights.models.DataTypeState - :param state_data_types_discovery_logs_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". 
- :type state_data_types_discovery_logs_state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar device_id: The ID of the IoT Device in the IoT Hub. + :vartype device_id: str + :ivar device_name: The friendly name of the device. + :vartype device_name: str + :ivar source: The source of the device. + :vartype source: str + :ivar iot_security_agent_id: The ID of the security agent running on the device. + :vartype iot_security_agent_id: str + :ivar device_type: The type of the device. + :vartype device_type: str + :ivar vendor: The vendor of the device. + :vartype vendor: str + :ivar edge_id: The ID of the edge device. + :vartype edge_id: str + :ivar mac_address: The MAC address of the device. + :vartype mac_address: str + :ivar model: The model of the device. + :vartype model: str + :ivar serial_number: The serial number of the device. + :vartype serial_number: str + :ivar firmware_version: The firmware version of the device. + :vartype firmware_version: str + :ivar operating_system: The operating system of the device. + :vartype operating_system: str + :ivar iot_hub_entity_id: The AzureResource entity id of the IoT Hub. + :vartype iot_hub_entity_id: str + :ivar host_entity_id: The Host entity id of this device. + :vartype host_entity_id: str + :ivar ip_address_entity_id: The IP entity if of this device. + :vartype ip_address_entity_id: str + :ivar threat_intelligence: A list of TI contexts attached to the IoTDevice entity. 
+ :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] + :ivar protocols: A list of protocols of the IoTDevice entity. + :vartype protocols: list[str] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'device_id': {'readonly': True}, + 'device_name': {'readonly': True}, + 'source': {'readonly': True}, + 'iot_security_agent_id': {'readonly': True}, + 'device_type': {'readonly': True}, + 'vendor': {'readonly': True}, + 'edge_id': {'readonly': True}, + 'mac_address': {'readonly': True}, + 'model': {'readonly': True}, + 'serial_number': {'readonly': True}, + 'firmware_version': {'readonly': True}, + 'operating_system': {'readonly': True}, + 'iot_hub_entity_id': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'ip_address_entity_id': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, + 'protocols': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_alerts_state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - 'state_data_types_discovery_logs_state': {'key': 'dataTypes.discoveryLogs.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'device_id': {'key': 'properties.deviceId', 'type': 'str'}, + 'device_name': {'key': 'properties.deviceName', 'type': 'str'}, + 'source': {'key': 
'properties.source', 'type': 'str'}, + 'iot_security_agent_id': {'key': 'properties.iotSecurityAgentId', 'type': 'str'}, + 'device_type': {'key': 'properties.deviceType', 'type': 'str'}, + 'vendor': {'key': 'properties.vendor', 'type': 'str'}, + 'edge_id': {'key': 'properties.edgeId', 'type': 'str'}, + 'mac_address': {'key': 'properties.macAddress', 'type': 'str'}, + 'model': {'key': 'properties.model', 'type': 'str'}, + 'serial_number': {'key': 'properties.serialNumber', 'type': 'str'}, + 'firmware_version': {'key': 'properties.firmwareVersion', 'type': 'str'}, + 'operating_system': {'key': 'properties.operatingSystem', 'type': 'str'}, + 'iot_hub_entity_id': {'key': 'properties.iotHubEntityId', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + 'ip_address_entity_id': {'key': 'properties.ipAddressEntityId', 'type': 'str'}, + 'threat_intelligence': {'key': 'properties.threatIntelligence', 'type': '[ThreatIntelligence]'}, + 'protocols': {'key': 'properties.protocols', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(MCASDataConnector, self).__init__(**kwargs) - self.kind = 'MicrosoftCloudAppSecurity' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state_data_types_alerts_state = kwargs.get('state_data_types_alerts_state', None) - self.state_data_types_discovery_logs_state = kwargs.get('state_data_types_discovery_logs_state', None) - + super(IoTDeviceEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.device_id = None + self.device_name = None + self.source = None + self.iot_security_agent_id = None + self.device_type = None + self.vendor = None + self.edge_id = None + self.mac_address = None + self.model = None + self.serial_number = None + self.firmware_version = None + self.operating_system = None + self.iot_hub_entity_id = None + self.host_entity_id = None + self.ip_address_entity_id = None + self.threat_intelligence = None + self.protocols = None + 
+ +class IoTDeviceEntityProperties(EntityCommonProperties): + """IoTDevice entity property bag. -class MCASDataConnectorDataTypes(AlertsDataTypeOfDataConnector): - """The available data types for MCAS (Microsoft Cloud App Security) data connector. + Variables are only populated by the server, and will be ignored when sending a request. - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - :param state_discovery_logs_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". - :type state_discovery_logs_state: str or ~security_insights.models.DataTypeState + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar device_id: The ID of the IoT Device in the IoT Hub. + :vartype device_id: str + :ivar device_name: The friendly name of the device. + :vartype device_name: str + :ivar source: The source of the device. + :vartype source: str + :ivar iot_security_agent_id: The ID of the security agent running on the device. + :vartype iot_security_agent_id: str + :ivar device_type: The type of the device. + :vartype device_type: str + :ivar vendor: The vendor of the device. + :vartype vendor: str + :ivar edge_id: The ID of the edge device. + :vartype edge_id: str + :ivar mac_address: The MAC address of the device. + :vartype mac_address: str + :ivar model: The model of the device. + :vartype model: str + :ivar serial_number: The serial number of the device. + :vartype serial_number: str + :ivar firmware_version: The firmware version of the device. 
+ :vartype firmware_version: str + :ivar operating_system: The operating system of the device. + :vartype operating_system: str + :ivar iot_hub_entity_id: The AzureResource entity id of the IoT Hub. + :vartype iot_hub_entity_id: str + :ivar host_entity_id: The Host entity id of this device. + :vartype host_entity_id: str + :ivar ip_address_entity_id: The IP entity if of this device. + :vartype ip_address_entity_id: str + :ivar threat_intelligence: A list of TI contexts attached to the IoTDevice entity. + :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] + :ivar protocols: A list of protocols of the IoTDevice entity. + :vartype protocols: list[str] """ + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'device_id': {'readonly': True}, + 'device_name': {'readonly': True}, + 'source': {'readonly': True}, + 'iot_security_agent_id': {'readonly': True}, + 'device_type': {'readonly': True}, + 'vendor': {'readonly': True}, + 'edge_id': {'readonly': True}, + 'mac_address': {'readonly': True}, + 'model': {'readonly': True}, + 'serial_number': {'readonly': True}, + 'firmware_version': {'readonly': True}, + 'operating_system': {'readonly': True}, + 'iot_hub_entity_id': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'ip_address_entity_id': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, + 'protocols': {'readonly': True}, + } + _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - 'state_discovery_logs_state': {'key': 'discoveryLogs.state', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'device_id': {'key': 'deviceId', 'type': 'str'}, + 'device_name': {'key': 'deviceName', 'type': 'str'}, + 'source': {'key': 'source', 'type': 'str'}, + 'iot_security_agent_id': {'key': 'iotSecurityAgentId', 'type': 'str'}, + 'device_type': {'key': 'deviceType', 'type': 
'str'}, + 'vendor': {'key': 'vendor', 'type': 'str'}, + 'edge_id': {'key': 'edgeId', 'type': 'str'}, + 'mac_address': {'key': 'macAddress', 'type': 'str'}, + 'model': {'key': 'model', 'type': 'str'}, + 'serial_number': {'key': 'serialNumber', 'type': 'str'}, + 'firmware_version': {'key': 'firmwareVersion', 'type': 'str'}, + 'operating_system': {'key': 'operatingSystem', 'type': 'str'}, + 'iot_hub_entity_id': {'key': 'iotHubEntityId', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + 'ip_address_entity_id': {'key': 'ipAddressEntityId', 'type': 'str'}, + 'threat_intelligence': {'key': 'threatIntelligence', 'type': '[ThreatIntelligence]'}, + 'protocols': {'key': 'protocols', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(MCASDataConnectorDataTypes, self).__init__(**kwargs) - self.state_discovery_logs_state = kwargs.get('state_discovery_logs_state', None) - - -class MDATPDataConnector(DataConnector): - """Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. + super(IoTDeviceEntityProperties, self).__init__(**kwargs) + self.device_id = None + self.device_name = None + self.source = None + self.iot_security_agent_id = None + self.device_type = None + self.vendor = None + self.edge_id = None + self.mac_address = None + self.model = None + self.serial_number = None + self.firmware_version = None + self.operating_system = None + self.iot_hub_entity_id = None + self.host_entity_id = None + self.ip_address_entity_id = None + self.threat_intelligence = None + self.protocols = None + + +class IpEntity(Entity): + """Represents an ip entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar address: The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6). + :vartype address: str + :ivar location: The geo-location context attached to the ip entity. 
+ :vartype location: ~security_insights.models.GeoLocation + :ivar threat_intelligence: A list of TI contexts attached to the ip entity. + :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'address': {'readonly': True}, + 'location': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'address': {'key': 'properties.address', 'type': 'str'}, + 'location': {'key': 'properties.location', 'type': 'GeoLocation'}, + 'threat_intelligence': {'key': 'properties.threatIntelligence', 'type': '[ThreatIntelligence]'}, } def __init__( self, **kwargs ): - super(MDATPDataConnector, self).__init__(**kwargs) - self.kind = 'MicrosoftDefenderAdvancedThreatProtection' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) + super(IpEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.address = None + self.location = None + self.threat_intelligence = None -class MicrosoftSecurityIncidentCreationAlertRule(AlertRule): - """Represents MicrosoftSecurityIncidentCreation rule. 
+class IpEntityProperties(EntityCommonProperties): + """Ip entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar address: The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6). + :vartype address: str + :ivar location: The geo-location context attached to the ip entity. + :vartype location: ~security_insights.models.GeoLocation + :ivar threat_intelligence: A list of TI contexts attached to the ip entity. + :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'address': {'readonly': True}, + 'location': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'address': {'key': 'address', 'type': 'str'}, + 'location': {'key': 'location', 'type': 'GeoLocation'}, + 'threat_intelligence': {'key': 'threatIntelligence', 'type': '[ThreatIntelligence]'}, + } + + def __init__( + self, + **kwargs + ): + super(IpEntityProperties, self).__init__(**kwargs) + self.address = None + self.location = None + self.threat_intelligence = None + + +class MailboxEntity(Entity): + """Represents a mailbox entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. 
- :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar mailbox_primary_address: The mailbox's primary address. + :vartype mailbox_primary_address: str + :ivar display_name: The mailbox's display name. + :vartype display_name: str + :ivar upn: The mailbox's UPN. + :vartype upn: str + :ivar external_directory_object_id: The AzureAD identifier of mailbox. Similar to AadUserId in + account entity but this property is specific to mailbox object on office side. 
+ :vartype external_directory_object_id: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'mailbox_primary_address': {'readonly': True}, + 'display_name': {'readonly': True}, + 'upn': {'readonly': True}, + 'external_directory_object_id': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'mailbox_primary_address': {'key': 'properties.mailboxPrimaryAddress', 'type': 'str'}, 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, + 'upn': {'key': 'properties.upn', 'type': 'str'}, + 'external_directory_object_id': {'key': 'properties.externalDirectoryObjectId', 'type': 'str'}, } def __init__( self, **kwargs ): - 
super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(**kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.display_names_filter = kwargs.get('display_names_filter', None) - self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) - self.product_filter = kwargs.get('product_filter', None) - self.severities_filter = kwargs.get('severities_filter', None) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.enabled = kwargs.get('enabled', None) - self.last_modified_utc = None + super(MailboxEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.mailbox_primary_address = None + self.display_name = None + self.upn = None + self.external_directory_object_id = None -class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model): - """MicrosoftSecurityIncidentCreation rule common property bag. +class MailboxEntityProperties(EntityCommonProperties): + """Mailbox entity property bag. - All required parameters must be populated in order to send to Azure. + Variables are only populated by the server, and will be ignored when sending a request. - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". 
- :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar mailbox_primary_address: The mailbox's primary address. + :vartype mailbox_primary_address: str + :ivar display_name: The mailbox's display name. + :vartype display_name: str + :ivar upn: The mailbox's UPN. + :vartype upn: str + :ivar external_directory_object_id: The AzureAD identifier of mailbox. Similar to AadUserId in + account entity but this property is specific to mailbox object on office side. 
+ :vartype external_directory_object_id: str """ _validation = { - 'product_filter': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'mailbox_primary_address': {'readonly': True}, + 'display_name': {'readonly': True}, + 'upn': {'readonly': True}, + 'external_directory_object_id': {'readonly': True}, } _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'mailbox_primary_address': {'key': 'mailboxPrimaryAddress', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'upn': {'key': 'upn', 'type': 'str'}, + 'external_directory_object_id': {'key': 'externalDirectoryObjectId', 'type': 'str'}, } def __init__( self, **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs) - self.display_names_filter = kwargs.get('display_names_filter', None) - self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) - self.product_filter = kwargs['product_filter'] - self.severities_filter = kwargs.get('severities_filter', None) + super(MailboxEntityProperties, self).__init__(**kwargs) + self.mailbox_primary_address = None + self.display_name = None + self.upn = None + self.external_directory_object_id = None -class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties): - """MicrosoftSecurityIncidentCreation rule property bag. +class MailClusterEntity(Entity): + """Represents a mail cluster entity. Variables are only populated by the server, and will be ignored when sending a request. 
All required parameters must be populated in order to send to Azure. - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. 
+ :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_ids: The mail message IDs that are part of the mail cluster. + :vartype network_message_ids: list[str] + :ivar count_by_delivery_status: Count of mail messages by DeliveryStatus string representation. + :vartype count_by_delivery_status: object + :ivar count_by_threat_type: Count of mail messages by ThreatType string representation. + :vartype count_by_threat_type: object + :ivar count_by_protection_status: Count of mail messages by ProtectionStatus string + representation. + :vartype count_by_protection_status: object + :ivar threats: The threats of mail messages that are part of the mail cluster. + :vartype threats: list[str] + :ivar query: The query that was used to identify the messages of the mail cluster. + :vartype query: str + :ivar query_time: The query time. + :vartype query_time: ~datetime.datetime + :ivar mail_count: The number of mail messages that are part of the mail cluster. + :vartype mail_count: int + :ivar is_volume_anomaly: Is this a volume anomaly mail cluster. + :vartype is_volume_anomaly: bool + :ivar source: The source of the mail cluster (default is 'O365 ATP'). + :vartype source: str + :ivar cluster_source_identifier: The id of the cluster source. + :vartype cluster_source_identifier: str + :ivar cluster_source_type: The type of the cluster source. 
+ :vartype cluster_source_type: str + :ivar cluster_query_start_time: The cluster query start time. + :vartype cluster_query_start_time: ~datetime.datetime + :ivar cluster_query_end_time: The cluster query end time. + :vartype cluster_query_end_time: ~datetime.datetime + :ivar cluster_group: The cluster group. + :vartype cluster_group: str """ _validation = { - 'product_filter': {'required': True}, - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_ids': {'readonly': True}, + 'count_by_delivery_status': {'readonly': True}, + 'count_by_threat_type': {'readonly': True}, + 'count_by_protection_status': {'readonly': True}, + 'threats': {'readonly': True}, + 'query': {'readonly': True}, + 'query_time': {'readonly': True}, + 'mail_count': {'readonly': True}, + 'is_volume_anomaly': {'readonly': True}, + 'source': {'readonly': True}, + 'cluster_source_identifier': {'readonly': True}, + 'cluster_source_type': {'readonly': True}, + 'cluster_query_start_time': {'readonly': True}, + 'cluster_query_end_time': {'readonly': True}, + 'cluster_group': {'readonly': True}, } _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 
'type': 'iso-8601'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'network_message_ids': {'key': 'properties.networkMessageIds', 'type': '[str]'}, + 'count_by_delivery_status': {'key': 'properties.countByDeliveryStatus', 'type': 'object'}, + 'count_by_threat_type': {'key': 'properties.countByThreatType', 'type': 'object'}, + 'count_by_protection_status': {'key': 'properties.countByProtectionStatus', 'type': 'object'}, + 'threats': {'key': 'properties.threats', 'type': '[str]'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_time': {'key': 'properties.queryTime', 'type': 'iso-8601'}, + 'mail_count': {'key': 'properties.mailCount', 'type': 'int'}, + 'is_volume_anomaly': {'key': 'properties.isVolumeAnomaly', 'type': 'bool'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'cluster_source_identifier': {'key': 'properties.clusterSourceIdentifier', 'type': 'str'}, + 'cluster_source_type': {'key': 'properties.clusterSourceType', 'type': 'str'}, + 'cluster_query_start_time': {'key': 'properties.clusterQueryStartTime', 'type': 'iso-8601'}, + 'cluster_query_end_time': {'key': 'properties.clusterQueryEndTime', 'type': 'iso-8601'}, + 'cluster_group': {'key': 'properties.clusterGroup', 'type': 'str'}, } def __init__( self, **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(**kwargs) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs['display_name'] - self.enabled = kwargs['enabled'] - self.last_modified_utc = None - - -class 
MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate): - """Represents MicrosoftSecurityIncidentCreation rule template. + super(MailClusterEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.network_message_ids = None + self.count_by_delivery_status = None + self.count_by_threat_type = None + self.count_by_protection_status = None + self.threats = None + self.query = None + self.query_time = None + self.mail_count = None + self.is_volume_anomaly = None + self.source = None + self.cluster_source_identifier = None + self.cluster_source_type = None + self.cluster_query_start_time = None + self.cluster_query_end_time = None + self.cluster_group = None + + +class MailClusterEntityProperties(EntityCommonProperties): + """Mail cluster entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. 
- :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - """ + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_ids: The mail message IDs that are part of the mail cluster. + :vartype network_message_ids: list[str] + :ivar count_by_delivery_status: Count of mail messages by DeliveryStatus string representation. + :vartype count_by_delivery_status: object + :ivar count_by_threat_type: Count of mail messages by ThreatType string representation. + :vartype count_by_threat_type: object + :ivar count_by_protection_status: Count of mail messages by ProtectionStatus string + representation. 
+ :vartype count_by_protection_status: object + :ivar threats: The threats of mail messages that are part of the mail cluster. + :vartype threats: list[str] + :ivar query: The query that was used to identify the messages of the mail cluster. + :vartype query: str + :ivar query_time: The query time. + :vartype query_time: ~datetime.datetime + :ivar mail_count: The number of mail messages that are part of the mail cluster. + :vartype mail_count: int + :ivar is_volume_anomaly: Is this a volume anomaly mail cluster. + :vartype is_volume_anomaly: bool + :ivar source: The source of the mail cluster (default is 'O365 ATP'). + :vartype source: str + :ivar cluster_source_identifier: The id of the cluster source. + :vartype cluster_source_identifier: str + :ivar cluster_source_type: The type of the cluster source. + :vartype cluster_source_type: str + :ivar cluster_query_start_time: The cluster query start time. + :vartype cluster_query_start_time: ~datetime.datetime + :ivar cluster_query_end_time: The cluster query end time. + :vartype cluster_query_end_time: ~datetime.datetime + :ivar cluster_group: The cluster group. 
+ :vartype cluster_group: str + """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_ids': {'readonly': True}, + 'count_by_delivery_status': {'readonly': True}, + 'count_by_threat_type': {'readonly': True}, + 'count_by_protection_status': {'readonly': True}, + 'threats': {'readonly': True}, + 'query': {'readonly': True}, + 'query_time': {'readonly': True}, + 'mail_count': {'readonly': True}, + 'is_volume_anomaly': {'readonly': True}, + 'source': {'readonly': True}, + 'cluster_source_identifier': {'readonly': True}, + 'cluster_source_type': {'readonly': True}, + 'cluster_query_start_time': {'readonly': True}, + 'cluster_query_end_time': {'readonly': True}, + 'cluster_group': {'readonly': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, + 'additional_data': {'key': 
'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'network_message_ids': {'key': 'networkMessageIds', 'type': '[str]'}, + 'count_by_delivery_status': {'key': 'countByDeliveryStatus', 'type': 'object'}, + 'count_by_threat_type': {'key': 'countByThreatType', 'type': 'object'}, + 'count_by_protection_status': {'key': 'countByProtectionStatus', 'type': 'object'}, + 'threats': {'key': 'threats', 'type': '[str]'}, + 'query': {'key': 'query', 'type': 'str'}, + 'query_time': {'key': 'queryTime', 'type': 'iso-8601'}, + 'mail_count': {'key': 'mailCount', 'type': 'int'}, + 'is_volume_anomaly': {'key': 'isVolumeAnomaly', 'type': 'bool'}, + 'source': {'key': 'source', 'type': 'str'}, + 'cluster_source_identifier': {'key': 'clusterSourceIdentifier', 'type': 'str'}, + 'cluster_source_type': {'key': 'clusterSourceType', 'type': 'str'}, + 'cluster_query_start_time': {'key': 'clusterQueryStartTime', 'type': 'iso-8601'}, + 'cluster_query_end_time': {'key': 'clusterQueryEndTime', 'type': 'iso-8601'}, + 'cluster_group': {'key': 'clusterGroup', 'type': 'str'}, } def __init__( self, **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) - self.created_date_utc = None - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.required_data_connectors = kwargs.get('required_data_connectors', None) - self.status = kwargs.get('status', None) - self.display_names_filter = kwargs.get('display_names_filter', None) - self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) - self.product_filter = kwargs.get('product_filter', None) - self.severities_filter = kwargs.get('severities_filter', None) - - -class OfficeConsent(Resource): - """Consent for Office365 
tenant that already made. + super(MailClusterEntityProperties, self).__init__(**kwargs) + self.network_message_ids = None + self.count_by_delivery_status = None + self.count_by_threat_type = None + self.count_by_protection_status = None + self.threats = None + self.query = None + self.query_time = None + self.mail_count = None + self.is_volume_anomaly = None + self.source = None + self.cluster_source_identifier = None + self.cluster_source_type = None + self.cluster_query_start_time = None + self.cluster_query_end_time = None + self.cluster_group = None + + +class MailMessageEntity(Entity): + """Represents a mail message entity. Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param tenant_id: The tenantId of the Office365 with the consent. - :type tenant_id: str - :ivar tenant_name: The tenant name of the Office365 with the consent. - :vartype tenant_name: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar file_entity_ids: The File entity ids of this mail message's attachments. + :vartype file_entity_ids: list[str] + :ivar recipient: The recipient of this mail message. Note that in case of multiple recipients + the mail message is forked and each copy has one recipient. + :vartype recipient: str + :ivar urls: The Urls contained in this mail message. + :vartype urls: list[str] + :ivar threats: The threats of this mail message. + :vartype threats: list[str] + :ivar p1_sender: The p1 sender's email address. + :vartype p1_sender: str + :ivar p1_sender_display_name: The p1 sender's display name. + :vartype p1_sender_display_name: str + :ivar p1_sender_domain: The p1 sender's domain. + :vartype p1_sender_domain: str + :ivar sender_ip: The sender's IP address. + :vartype sender_ip: str + :ivar p2_sender: The p2 sender's email address. + :vartype p2_sender: str + :ivar p2_sender_display_name: The p2 sender's display name. + :vartype p2_sender_display_name: str + :ivar p2_sender_domain: The p2 sender's domain. + :vartype p2_sender_domain: str + :ivar receive_date: The receive date of this message. + :vartype receive_date: ~datetime.datetime + :ivar network_message_id: The network message id of this mail message. + :vartype network_message_id: str + :ivar internet_message_id: The internet message id of this mail message. + :vartype internet_message_id: str + :ivar subject: The subject of this mail message. + :vartype subject: str + :ivar language: The language of this mail message. + :vartype language: str + :ivar threat_detection_methods: The threat detection methods. + :vartype threat_detection_methods: list[str] + :param body_fingerprint_bin1: The bodyFingerprintBin1. 
+ :type body_fingerprint_bin1: int + :param body_fingerprint_bin2: The bodyFingerprintBin2. + :type body_fingerprint_bin2: int + :param body_fingerprint_bin3: The bodyFingerprintBin3. + :type body_fingerprint_bin3: int + :param body_fingerprint_bin4: The bodyFingerprintBin4. + :type body_fingerprint_bin4: int + :param body_fingerprint_bin5: The bodyFingerprintBin5. + :type body_fingerprint_bin5: int + :param antispam_direction: The directionality of this mail message. Possible values include: + "Unknown", "Inbound", "Outbound", "Intraorg". + :type antispam_direction: str or ~security_insights.models.AntispamMailDirection + :param delivery_action: The delivery action of this mail message like Delivered, Blocked, + Replaced etc. Possible values include: "Unknown", "DeliveredAsSpam", "Delivered", "Blocked", + "Replaced". + :type delivery_action: str or ~security_insights.models.DeliveryAction + :param delivery_location: The delivery location of this mail message like Inbox, JunkFolder + etc. Possible values include: "Unknown", "Inbox", "JunkFolder", "DeletedFolder", "Quarantine", + "External", "Failed", "Dropped", "Forwarded". 
+ :type delivery_location: str or ~security_insights.models.DeliveryLocation """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'tenant_name': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'recipient': {'readonly': True}, + 'urls': {'readonly': True}, + 'threats': {'readonly': True}, + 'p1_sender': {'readonly': True}, + 'p1_sender_display_name': {'readonly': True}, + 'p1_sender_domain': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'p2_sender': {'readonly': True}, + 'p2_sender_display_name': {'readonly': True}, + 'p2_sender_domain': {'readonly': True}, + 'receive_date': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'internet_message_id': {'readonly': True}, + 'subject': {'readonly': True}, + 'language': {'readonly': True}, + 'threat_detection_methods': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'tenant_name': {'key': 'properties.tenantName', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'file_entity_ids': {'key': 'properties.fileEntityIds', 'type': '[str]'}, + 'recipient': {'key': 'properties.recipient', 'type': 'str'}, + 'urls': {'key': 'properties.urls', 'type': '[str]'}, + 'threats': {'key': 'properties.threats', 'type': '[str]'}, + 'p1_sender': {'key': 'properties.p1Sender', 'type': 'str'}, + 'p1_sender_display_name': {'key': 'properties.p1SenderDisplayName', 'type': 'str'}, + 'p1_sender_domain': {'key': 
'properties.p1SenderDomain', 'type': 'str'}, + 'sender_ip': {'key': 'properties.senderIP', 'type': 'str'}, + 'p2_sender': {'key': 'properties.p2Sender', 'type': 'str'}, + 'p2_sender_display_name': {'key': 'properties.p2SenderDisplayName', 'type': 'str'}, + 'p2_sender_domain': {'key': 'properties.p2SenderDomain', 'type': 'str'}, + 'receive_date': {'key': 'properties.receiveDate', 'type': 'iso-8601'}, + 'network_message_id': {'key': 'properties.networkMessageId', 'type': 'str'}, + 'internet_message_id': {'key': 'properties.internetMessageId', 'type': 'str'}, + 'subject': {'key': 'properties.subject', 'type': 'str'}, + 'language': {'key': 'properties.language', 'type': 'str'}, + 'threat_detection_methods': {'key': 'properties.threatDetectionMethods', 'type': '[str]'}, + 'body_fingerprint_bin1': {'key': 'properties.bodyFingerprintBin1', 'type': 'int'}, + 'body_fingerprint_bin2': {'key': 'properties.bodyFingerprintBin2', 'type': 'int'}, + 'body_fingerprint_bin3': {'key': 'properties.bodyFingerprintBin3', 'type': 'int'}, + 'body_fingerprint_bin4': {'key': 'properties.bodyFingerprintBin4', 'type': 'int'}, + 'body_fingerprint_bin5': {'key': 'properties.bodyFingerprintBin5', 'type': 'int'}, + 'antispam_direction': {'key': 'properties.antispamDirection', 'type': 'str'}, + 'delivery_action': {'key': 'properties.deliveryAction', 'type': 'str'}, + 'delivery_location': {'key': 'properties.deliveryLocation', 'type': 'str'}, } def __init__( self, **kwargs ): - super(OfficeConsent, self).__init__(**kwargs) - self.tenant_id = kwargs.get('tenant_id', None) - self.tenant_name = None - - -class OfficeConsentList(msrest.serialization.Model): - """List of all the office365 consents. 
+ super(MailMessageEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.file_entity_ids = None + self.recipient = None + self.urls = None + self.threats = None + self.p1_sender = None + self.p1_sender_display_name = None + self.p1_sender_domain = None + self.sender_ip = None + self.p2_sender = None + self.p2_sender_display_name = None + self.p2_sender_domain = None + self.receive_date = None + self.network_message_id = None + self.internet_message_id = None + self.subject = None + self.language = None + self.threat_detection_methods = None + self.body_fingerprint_bin1 = kwargs.get('body_fingerprint_bin1', None) + self.body_fingerprint_bin2 = kwargs.get('body_fingerprint_bin2', None) + self.body_fingerprint_bin3 = kwargs.get('body_fingerprint_bin3', None) + self.body_fingerprint_bin4 = kwargs.get('body_fingerprint_bin4', None) + self.body_fingerprint_bin5 = kwargs.get('body_fingerprint_bin5', None) + self.antispam_direction = kwargs.get('antispam_direction', None) + self.delivery_action = kwargs.get('delivery_action', None) + self.delivery_location = kwargs.get('delivery_location', None) + + +class MailMessageEntityProperties(EntityCommonProperties): + """Mail message entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of office consents. - :vartype next_link: str - :param value: Required. Array of the consents. - :type value: list[~security_insights.models.OfficeConsent] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. 
+ :vartype friendly_name: str + :ivar file_entity_ids: The File entity ids of this mail message's attachments. + :vartype file_entity_ids: list[str] + :ivar recipient: The recipient of this mail message. Note that in case of multiple recipients + the mail message is forked and each copy has one recipient. + :vartype recipient: str + :ivar urls: The Urls contained in this mail message. + :vartype urls: list[str] + :ivar threats: The threats of this mail message. + :vartype threats: list[str] + :ivar p1_sender: The p1 sender's email address. + :vartype p1_sender: str + :ivar p1_sender_display_name: The p1 sender's display name. + :vartype p1_sender_display_name: str + :ivar p1_sender_domain: The p1 sender's domain. + :vartype p1_sender_domain: str + :ivar sender_ip: The sender's IP address. + :vartype sender_ip: str + :ivar p2_sender: The p2 sender's email address. + :vartype p2_sender: str + :ivar p2_sender_display_name: The p2 sender's display name. + :vartype p2_sender_display_name: str + :ivar p2_sender_domain: The p2 sender's domain. + :vartype p2_sender_domain: str + :ivar receive_date: The receive date of this message. + :vartype receive_date: ~datetime.datetime + :ivar network_message_id: The network message id of this mail message. + :vartype network_message_id: str + :ivar internet_message_id: The internet message id of this mail message. + :vartype internet_message_id: str + :ivar subject: The subject of this mail message. + :vartype subject: str + :ivar language: The language of this mail message. + :vartype language: str + :ivar threat_detection_methods: The threat detection methods. + :vartype threat_detection_methods: list[str] + :param body_fingerprint_bin1: The bodyFingerprintBin1. + :type body_fingerprint_bin1: int + :param body_fingerprint_bin2: The bodyFingerprintBin2. + :type body_fingerprint_bin2: int + :param body_fingerprint_bin3: The bodyFingerprintBin3. 
+ :type body_fingerprint_bin3: int + :param body_fingerprint_bin4: The bodyFingerprintBin4. + :type body_fingerprint_bin4: int + :param body_fingerprint_bin5: The bodyFingerprintBin5. + :type body_fingerprint_bin5: int + :param antispam_direction: The directionality of this mail message. Possible values include: + "Unknown", "Inbound", "Outbound", "Intraorg". + :type antispam_direction: str or ~security_insights.models.AntispamMailDirection + :param delivery_action: The delivery action of this mail message like Delivered, Blocked, + Replaced etc. Possible values include: "Unknown", "DeliveredAsSpam", "Delivered", "Blocked", + "Replaced". + :type delivery_action: str or ~security_insights.models.DeliveryAction + :param delivery_location: The delivery location of this mail message like Inbox, JunkFolder + etc. Possible values include: "Unknown", "Inbox", "JunkFolder", "DeletedFolder", "Quarantine", + "External", "Failed", "Dropped", "Forwarded". + :type delivery_location: str or ~security_insights.models.DeliveryLocation """ _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'recipient': {'readonly': True}, + 'urls': {'readonly': True}, + 'threats': {'readonly': True}, + 'p1_sender': {'readonly': True}, + 'p1_sender_display_name': {'readonly': True}, + 'p1_sender_domain': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'p2_sender': {'readonly': True}, + 'p2_sender_display_name': {'readonly': True}, + 'p2_sender_domain': {'readonly': True}, + 'receive_date': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'internet_message_id': {'readonly': True}, + 'subject': {'readonly': True}, + 'language': {'readonly': True}, + 'threat_detection_methods': {'readonly': True}, } _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[OfficeConsent]'}, + 
'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'file_entity_ids': {'key': 'fileEntityIds', 'type': '[str]'}, + 'recipient': {'key': 'recipient', 'type': 'str'}, + 'urls': {'key': 'urls', 'type': '[str]'}, + 'threats': {'key': 'threats', 'type': '[str]'}, + 'p1_sender': {'key': 'p1Sender', 'type': 'str'}, + 'p1_sender_display_name': {'key': 'p1SenderDisplayName', 'type': 'str'}, + 'p1_sender_domain': {'key': 'p1SenderDomain', 'type': 'str'}, + 'sender_ip': {'key': 'senderIP', 'type': 'str'}, + 'p2_sender': {'key': 'p2Sender', 'type': 'str'}, + 'p2_sender_display_name': {'key': 'p2SenderDisplayName', 'type': 'str'}, + 'p2_sender_domain': {'key': 'p2SenderDomain', 'type': 'str'}, + 'receive_date': {'key': 'receiveDate', 'type': 'iso-8601'}, + 'network_message_id': {'key': 'networkMessageId', 'type': 'str'}, + 'internet_message_id': {'key': 'internetMessageId', 'type': 'str'}, + 'subject': {'key': 'subject', 'type': 'str'}, + 'language': {'key': 'language', 'type': 'str'}, + 'threat_detection_methods': {'key': 'threatDetectionMethods', 'type': '[str]'}, + 'body_fingerprint_bin1': {'key': 'bodyFingerprintBin1', 'type': 'int'}, + 'body_fingerprint_bin2': {'key': 'bodyFingerprintBin2', 'type': 'int'}, + 'body_fingerprint_bin3': {'key': 'bodyFingerprintBin3', 'type': 'int'}, + 'body_fingerprint_bin4': {'key': 'bodyFingerprintBin4', 'type': 'int'}, + 'body_fingerprint_bin5': {'key': 'bodyFingerprintBin5', 'type': 'int'}, + 'antispam_direction': {'key': 'antispamDirection', 'type': 'str'}, + 'delivery_action': {'key': 'deliveryAction', 'type': 'str'}, + 'delivery_location': {'key': 'deliveryLocation', 'type': 'str'}, } def __init__( self, **kwargs ): - super(OfficeConsentList, self).__init__(**kwargs) - self.next_link = None - self.value = kwargs['value'] - - -class OfficeDataConnector(DataConnector): - """Represents office data connector. 
+ super(MailMessageEntityProperties, self).__init__(**kwargs) + self.file_entity_ids = None + self.recipient = None + self.urls = None + self.threats = None + self.p1_sender = None + self.p1_sender_display_name = None + self.p1_sender_domain = None + self.sender_ip = None + self.p2_sender = None + self.p2_sender_display_name = None + self.p2_sender_domain = None + self.receive_date = None + self.network_message_id = None + self.internet_message_id = None + self.subject = None + self.language = None + self.threat_detection_methods = None + self.body_fingerprint_bin1 = kwargs.get('body_fingerprint_bin1', None) + self.body_fingerprint_bin2 = kwargs.get('body_fingerprint_bin2', None) + self.body_fingerprint_bin3 = kwargs.get('body_fingerprint_bin3', None) + self.body_fingerprint_bin4 = kwargs.get('body_fingerprint_bin4', None) + self.body_fingerprint_bin5 = kwargs.get('body_fingerprint_bin5', None) + self.antispam_direction = kwargs.get('antispam_direction', None) + self.delivery_action = kwargs.get('delivery_action', None) + self.delivery_location = kwargs.get('delivery_location', None) + + +class MalwareEntity(Entity): + """Represents a malware entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. 
The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_share_point_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_share_point_state: str or ~security_insights.models.DataTypeState - :param state_data_types_exchange_state: Describe whether this data type connection is enabled - or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_exchange_state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar category: The malware category by the vendor, e.g. Trojan. + :vartype category: str + :ivar file_entity_ids: List of linked file entity identifiers on which the malware was found. + :vartype file_entity_ids: list[str] + :ivar malware_name: The malware name by the vendor, e.g. Win32/Toga!rfn. + :vartype malware_name: str + :ivar process_entity_ids: List of linked process entity identifiers on which the malware was + found. 
+ :vartype process_entity_ids: list[str] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'category': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'malware_name': {'readonly': True}, + 'process_entity_ids': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_share_point_state': {'key': 'dataTypes.sharePoint.state', 'type': 'str'}, - 'state_data_types_exchange_state': {'key': 'dataTypes.exchange.state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeDataConnector, self).__init__(**kwargs) - self.kind = 'Office365' # type: str - self.tenant_id = kwargs.get('tenant_id', None) - self.state_data_types_share_point_state = kwargs.get('state_data_types_share_point_state', None) - self.state_data_types_exchange_state = kwargs.get('state_data_types_exchange_state', None) - - -class OfficeDataConnectorDataTypesExchange(DataConnectorDataTypeCommon): - """Exchange data type connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeDataConnectorDataTypesExchange, self).__init__(**kwargs) - - -class OfficeDataConnectorDataTypesSharePoint(DataConnectorDataTypeCommon): - """SharePoint data type connection. 
- - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(OfficeDataConnectorDataTypesSharePoint, self).__init__(**kwargs) - - -class Operation(msrest.serialization.Model): - """Operation provided by provider. - - :param display: Properties of the operation. - :type display: ~security_insights.models.OperationDisplay - :param name: Name of the operation. - :type name: str - """ - - _attribute_map = { - 'display': {'key': 'display', 'type': 'OperationDisplay'}, - 'name': {'key': 'name', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Operation, self).__init__(**kwargs) - self.display = kwargs.get('display', None) - self.name = kwargs.get('name', None) - - -class OperationDisplay(msrest.serialization.Model): - """Properties of the operation. - - :param description: Description of the operation. - :type description: str - :param operation: Operation name. - :type operation: str - :param provider: Provider name. - :type provider: str - :param resource: Resource name. 
- :type resource: str - """ - - _attribute_map = { - 'description': {'key': 'description', 'type': 'str'}, - 'operation': {'key': 'operation', 'type': 'str'}, - 'provider': {'key': 'provider', 'type': 'str'}, - 'resource': {'key': 'resource', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'category': {'key': 'properties.category', 'type': 'str'}, + 'file_entity_ids': {'key': 'properties.fileEntityIds', 'type': '[str]'}, + 'malware_name': {'key': 'properties.malwareName', 'type': 'str'}, + 'process_entity_ids': {'key': 'properties.processEntityIds', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(OperationDisplay, self).__init__(**kwargs) - self.description = kwargs.get('description', None) - self.operation = kwargs.get('operation', None) - self.provider = kwargs.get('provider', None) - self.resource = kwargs.get('resource', None) + super(MalwareEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.category = None + self.file_entity_ids = None + self.malware_name = None + self.process_entity_ids = None -class OperationsList(msrest.serialization.Model): - """Lists the operations available in the SecurityInsights RP. +class MalwareEntityProperties(EntityCommonProperties): + """Malware entity property bag. - All required parameters must be populated in order to send to Azure. + Variables are only populated by the server, and will be ignored when sending a request. - :param next_link: URL to fetch the next set of operations. - :type next_link: str - :param value: Required. Array of operations. - :type value: list[~security_insights.models.Operation] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar category: The malware category by the vendor, e.g. Trojan. + :vartype category: str + :ivar file_entity_ids: List of linked file entity identifiers on which the malware was found. + :vartype file_entity_ids: list[str] + :ivar malware_name: The malware name by the vendor, e.g. Win32/Toga!rfn. + :vartype malware_name: str + :ivar process_entity_ids: List of linked process entity identifiers on which the malware was + found. + :vartype process_entity_ids: list[str] """ _validation = { - 'value': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'category': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'malware_name': {'readonly': True}, + 'process_entity_ids': {'readonly': True}, } _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Operation]'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'category': {'key': 'category', 'type': 'str'}, + 'file_entity_ids': {'key': 'fileEntityIds', 'type': '[str]'}, + 'malware_name': {'key': 'malwareName', 'type': 'str'}, + 'process_entity_ids': {'key': 'processEntityIds', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(OperationsList, self).__init__(**kwargs) - self.next_link = kwargs.get('next_link', None) - self.value = kwargs['value'] + super(MalwareEntityProperties, self).__init__(**kwargs) + self.category = None + self.file_entity_ids = None + self.malware_name = None + self.process_entity_ids = None -class ScheduledAlertRule(AlertRule): - """Represents scheduled alert rule. 
+class MicrosoftSecurityIncidentCreationAlertRule(AlertRule): + """Represents MicrosoftSecurityIncidentCreation rule. Variables are only populated by the server, and will be ignored when sending a request. 
@@ -2331,25 +3859,25 @@ class ScheduledAlertRule(AlertRule): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". :type kind: str or ~security_insights.models.AlertRuleKind - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: The alerts' productName on which the cases will be generated. 
Possible + values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat + Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. + :type severities_filter: list[str or ~security_insights.models.AlertSeverity] :param alert_rule_template_name: The Name of the alert rule template used to create this rule. :type alert_rule_template_name: str :param description: The description of the alert rule. @@ -2358,22 +3886,15 @@ class ScheduledAlertRule(AlertRule): :type display_name: str :param enabled: Determines whether this alert rule is enabled or disabled. :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. + :ivar last_modified_utc: The last time that this alert has been modified. :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last - time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Determines whether the suppression for this alert rule is enabled - or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. - :type tactics: list[str or ~security_insights.models.AttackTactic] """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, 'last_modified_utc': {'readonly': True}, } 
@@ -2382,108 +3903,97 @@ class ScheduledAlertRule(AlertRule): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'kind': {'key': 'kind', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, + 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, 'description': {'key': 'properties.description', 'type': 'str'}, 'display_name': {'key': 'properties.displayName', 'type': 'str'}, 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(ScheduledAlertRule, self).__init__(**kwargs) - self.kind = 'Scheduled' # type: str - self.query = kwargs.get('query', None) - self.query_frequency = kwargs.get('query_frequency', None) - self.query_period = kwargs.get('query_period', None) - self.severity = kwargs.get('severity', None) - 
self.trigger_operator = kwargs.get('trigger_operator', None) - self.trigger_threshold = kwargs.get('trigger_threshold', None) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.enabled = kwargs.get('enabled', None) + super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(**kwargs) + self.kind = 'MicrosoftSecurityIncidentCreation' # type: str + self.display_names_filter = kwargs.get('display_names_filter', None) + self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) + self.product_filter = kwargs.get('product_filter', None) + self.severities_filter = kwargs.get('severities_filter', None) + self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) + self.description = kwargs.get('description', None) + self.display_name = kwargs.get('display_name', None) + self.enabled = kwargs.get('enabled', None) self.last_modified_utc = None - self.suppression_duration = kwargs.get('suppression_duration', None) - self.suppression_enabled = kwargs.get('suppression_enabled', None) - self.tactics = kwargs.get('tactics', None) -class ScheduledAlertRuleCommonProperties(msrest.serialization.Model): - """Schedule alert rule template property bag. +class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model): + """MicrosoftSecurityIncidentCreation rule common property bag. - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. 
Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int + All required parameters must be populated in order to send to Azure. + + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: Required. The alerts' productName on which the cases will be generated. + Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure + Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security + Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. 
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity] """ + _validation = { + 'product_filter': {'required': True}, + } + _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, + 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, } def __init__( self, **kwargs ): - super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs) - self.query = kwargs.get('query', None) - self.query_frequency = kwargs.get('query_frequency', None) - self.query_period = kwargs.get('query_period', None) - self.severity = kwargs.get('severity', None) - self.trigger_operator = kwargs.get('trigger_operator', None) - self.trigger_threshold = kwargs.get('trigger_threshold', None) + super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs) + self.display_names_filter = kwargs.get('display_names_filter', None) + self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) + self.product_filter = kwargs['product_filter'] + self.severities_filter = kwargs.get('severities_filter', None) -class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): - """Scheduled alert rule base property bag. +class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties): + """MicrosoftSecurityIncidentCreation rule property bag. 
Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: Required. The alerts' productName on which the cases will be generated. + Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure + Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security + Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. + :type severities_filter: list[str or ~security_insights.models.AlertSeverity] :param alert_rule_template_name: The Name of the alert rule template used to create this rule. 
:type alert_rule_template_name: str :param description: The description of the alert rule. 
@@ -2492,431 +4002,3180 @@ class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): :type display_name: str :param enabled: Required. Determines whether this alert rule is enabled or disabled. :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. + :ivar last_modified_utc: The last time that this alert has been modified. :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait - since last time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Required. Determines whether the suppression for this alert rule is - enabled or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. - :type tactics: list[str or ~security_insights.models.AttackTactic] """ _validation = { + 'product_filter': {'required': True}, 'display_name': {'required': True}, 'enabled': {'required': True}, 'last_modified_utc': {'readonly': True}, - 'suppression_duration': {'required': True}, - 'suppression_enabled': {'required': True}, } _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'}, - 
'tactics': {'key': 'tactics', 'type': '[str]'}, + 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, + 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'enabled': {'key': 'enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, + } + + def __init__( + self, + **kwargs + ): + super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(**kwargs) + self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) + self.description = kwargs.get('description', None) + self.display_name = kwargs['display_name'] + self.enabled = kwargs['enabled'] + self.last_modified_utc = None + + +class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate): + """Represents MicrosoftSecurityIncidentCreation rule template. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". 
+ :type kind: str or ~security_insights.models.AlertRuleKind + :param alert_rules_created_by_template_count: the number of alert rules that were created by + this template. + :type alert_rules_created_by_template_count: int + :ivar created_date_utc: The time that this alert rule template has been added. + :vartype created_date_utc: ~datetime.datetime + :param description: The description of the alert rule template. + :type description: str + :param display_name: The display name for alert rule template. + :type display_name: str + :param required_data_connectors: The required data connectors for this template. + :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] + :param status: The alert rule template status. Possible values include: "Installed", + "Available", "NotAvailable". + :type status: str or ~security_insights.models.TemplateStatus + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: The alerts' productName on which the cases will be generated. Possible + values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat + Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. 
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'kind': {'required': True}, + 'created_date_utc': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, + 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, + 'status': {'key': 'properties.status', 'type': 'str'}, + 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, + } + + def __init__( + self, + **kwargs + ): + super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs) + self.kind = 'MicrosoftSecurityIncidentCreation' # type: str + self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) + self.created_date_utc = None + self.description = kwargs.get('description', None) + self.display_name = kwargs.get('display_name', None) + self.required_data_connectors = kwargs.get('required_data_connectors', None) + self.status = kwargs.get('status', None) + self.display_names_filter = 
kwargs.get('display_names_filter', None) + self.display_names_exclude_filter = kwargs.get('display_names_exclude_filter', None) + self.product_filter = kwargs.get('product_filter', None) + self.severities_filter = kwargs.get('severities_filter', None) + + +class Operation(msrest.serialization.Model): + """Operation provided by provider. + + :param display: Properties of the operation. + :type display: ~security_insights.models.OperationDisplay + :param name: Name of the operation. + :type name: str + :param origin: The origin of the operation. + :type origin: str + """ + + _attribute_map = { + 'display': {'key': 'display', 'type': 'OperationDisplay'}, + 'name': {'key': 'name', 'type': 'str'}, + 'origin': {'key': 'origin', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(Operation, self).__init__(**kwargs) + self.display = kwargs.get('display', None) + self.name = kwargs.get('name', None) + self.origin = kwargs.get('origin', None) + + +class OperationDisplay(msrest.serialization.Model): + """Properties of the operation. + + :param description: Description of the operation. + :type description: str + :param operation: Operation name. + :type operation: str + :param provider: Provider name. + :type provider: str + :param resource: Resource name. + :type resource: str + """ + + _attribute_map = { + 'description': {'key': 'description', 'type': 'str'}, + 'operation': {'key': 'operation', 'type': 'str'}, + 'provider': {'key': 'provider', 'type': 'str'}, + 'resource': {'key': 'resource', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(OperationDisplay, self).__init__(**kwargs) + self.description = kwargs.get('description', None) + self.operation = kwargs.get('operation', None) + self.provider = kwargs.get('provider', None) + self.resource = kwargs.get('resource', None) + + +class OperationsList(msrest.serialization.Model): + """Lists the operations available in the SecurityInsights RP. 
+ + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of operations. + :vartype next_link: str + :param value: Required. Array of operations. + :type value: list[~security_insights.models.Operation] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[Operation]'}, + } + + def __init__( + self, + **kwargs + ): + super(OperationsList, self).__init__(**kwargs) + self.next_link = None + self.value = kwargs['value'] + + +class ProcessEntity(Entity): + """Represents a process entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar account_entity_id: The account entity id running the processes. + :vartype account_entity_id: str + :ivar command_line: The command line used to create the process. + :vartype command_line: str + :ivar creation_time_utc: The time when the process started to run. + :vartype creation_time_utc: ~datetime.datetime + :param elevation_token: The elevation token associated with the process. Possible values + include: "Default", "Full", "Limited". + :type elevation_token: str or ~security_insights.models.ElevationToken + :ivar host_entity_id: The host entity id on which the process was running. + :vartype host_entity_id: str + :ivar host_logon_session_entity_id: The session entity id in which the process was running. + :vartype host_logon_session_entity_id: str + :ivar image_file_entity_id: Image file entity id. + :vartype image_file_entity_id: str + :ivar parent_process_entity_id: The parent process entity id. + :vartype parent_process_entity_id: str + :ivar process_id: The process ID. 
+ :vartype process_id: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'account_entity_id': {'readonly': True}, + 'command_line': {'readonly': True}, + 'creation_time_utc': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'host_logon_session_entity_id': {'readonly': True}, + 'image_file_entity_id': {'readonly': True}, + 'parent_process_entity_id': {'readonly': True}, + 'process_id': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'account_entity_id': {'key': 'properties.accountEntityId', 'type': 'str'}, + 'command_line': {'key': 'properties.commandLine', 'type': 'str'}, + 'creation_time_utc': {'key': 'properties.creationTimeUtc', 'type': 'iso-8601'}, + 'elevation_token': {'key': 'properties.elevationToken', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + 'host_logon_session_entity_id': {'key': 'properties.hostLogonSessionEntityId', 'type': 'str'}, + 'image_file_entity_id': {'key': 'properties.imageFileEntityId', 'type': 'str'}, + 'parent_process_entity_id': {'key': 'properties.parentProcessEntityId', 'type': 'str'}, + 'process_id': {'key': 'properties.processId', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ProcessEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.account_entity_id = None + self.command_line = None + self.creation_time_utc = None + 
self.elevation_token = kwargs.get('elevation_token', None) + self.host_entity_id = None + self.host_logon_session_entity_id = None + self.image_file_entity_id = None + self.parent_process_entity_id = None + self.process_id = None + + +class ProcessEntityProperties(EntityCommonProperties): + """Process entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar account_entity_id: The account entity id running the processes. + :vartype account_entity_id: str + :ivar command_line: The command line used to create the process. + :vartype command_line: str + :ivar creation_time_utc: The time when the process started to run. + :vartype creation_time_utc: ~datetime.datetime + :param elevation_token: The elevation token associated with the process. Possible values + include: "Default", "Full", "Limited". + :type elevation_token: str or ~security_insights.models.ElevationToken + :ivar host_entity_id: The host entity id on which the process was running. + :vartype host_entity_id: str + :ivar host_logon_session_entity_id: The session entity id in which the process was running. + :vartype host_logon_session_entity_id: str + :ivar image_file_entity_id: Image file entity id. + :vartype image_file_entity_id: str + :ivar parent_process_entity_id: The parent process entity id. + :vartype parent_process_entity_id: str + :ivar process_id: The process ID. 
+ :vartype process_id: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'account_entity_id': {'readonly': True}, + 'command_line': {'readonly': True}, + 'creation_time_utc': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'host_logon_session_entity_id': {'readonly': True}, + 'image_file_entity_id': {'readonly': True}, + 'parent_process_entity_id': {'readonly': True}, + 'process_id': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'account_entity_id': {'key': 'accountEntityId', 'type': 'str'}, + 'command_line': {'key': 'commandLine', 'type': 'str'}, + 'creation_time_utc': {'key': 'creationTimeUtc', 'type': 'iso-8601'}, + 'elevation_token': {'key': 'elevationToken', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + 'host_logon_session_entity_id': {'key': 'hostLogonSessionEntityId', 'type': 'str'}, + 'image_file_entity_id': {'key': 'imageFileEntityId', 'type': 'str'}, + 'parent_process_entity_id': {'key': 'parentProcessEntityId', 'type': 'str'}, + 'process_id': {'key': 'processId', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ProcessEntityProperties, self).__init__(**kwargs) + self.account_entity_id = None + self.command_line = None + self.creation_time_utc = None + self.elevation_token = kwargs.get('elevation_token', None) + self.host_entity_id = None + self.host_logon_session_entity_id = None + self.image_file_entity_id = None + self.parent_process_entity_id = None + self.process_id = None + + +class RegistryKeyEntity(Entity): + """Represents a registry key entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar hive: the hive that holds the registry key. Possible values include: + "HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", "HKEY_PERFORMANCE_DATA", "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", "HKEY_A", "HKEY_CURRENT_USER". + :vartype hive: str or ~security_insights.models.RegistryHive + :ivar key: The registry key path. 
+ :vartype key: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'hive': {'readonly': True}, + 'key': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'hive': {'key': 'properties.hive', 'type': 'str'}, + 'key': {'key': 'properties.key', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(RegistryKeyEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.hive = None + self.key = None + + +class RegistryKeyEntityProperties(EntityCommonProperties): + """RegistryKey entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar hive: the hive that holds the registry key. Possible values include: + "HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", "HKEY_PERFORMANCE_DATA", "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", "HKEY_A", "HKEY_CURRENT_USER". 
+ :vartype hive: str or ~security_insights.models.RegistryHive + :ivar key: The registry key path. + :vartype key: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'hive': {'readonly': True}, + 'key': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'hive': {'key': 'hive', 'type': 'str'}, + 'key': {'key': 'key', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(RegistryKeyEntityProperties, self).__init__(**kwargs) + self.hive = None + self.key = None + + +class RegistryValueEntity(Entity): + """Represents a registry value entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. 
This property is optional and might be system generated. + :vartype friendly_name: str + :ivar key_entity_id: The registry key entity id. + :vartype key_entity_id: str + :ivar value_data: String formatted representation of the value data. + :vartype value_data: str + :ivar value_name: The registry value name. + :vartype value_name: str + :ivar value_type: Specifies the data types to use when storing values in the registry, or + identifies the data type of a value in the registry. Possible values include: "None", + "Unknown", "String", "ExpandString", "Binary", "DWord", "MultiString", "QWord". + :vartype value_type: str or ~security_insights.models.RegistryValueKind + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'key_entity_id': {'readonly': True}, + 'value_data': {'readonly': True}, + 'value_name': {'readonly': True}, + 'value_type': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'key_entity_id': {'key': 'properties.keyEntityId', 'type': 'str'}, + 'value_data': {'key': 'properties.valueData', 'type': 'str'}, + 'value_name': {'key': 'properties.valueName', 'type': 'str'}, + 'value_type': {'key': 'properties.valueType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(RegistryValueEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.key_entity_id = None + self.value_data = None + self.value_name = None + self.value_type 
= None + + +class RegistryValueEntityProperties(EntityCommonProperties): + """RegistryValue entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar key_entity_id: The registry key entity id. + :vartype key_entity_id: str + :ivar value_data: String formatted representation of the value data. + :vartype value_data: str + :ivar value_name: The registry value name. + :vartype value_name: str + :ivar value_type: Specifies the data types to use when storing values in the registry, or + identifies the data type of a value in the registry. Possible values include: "None", + "Unknown", "String", "ExpandString", "Binary", "DWord", "MultiString", "QWord". 
+ :vartype value_type: str or ~security_insights.models.RegistryValueKind + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'key_entity_id': {'readonly': True}, + 'value_data': {'readonly': True}, + 'value_name': {'readonly': True}, + 'value_type': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'key_entity_id': {'key': 'keyEntityId', 'type': 'str'}, + 'value_data': {'key': 'valueData', 'type': 'str'}, + 'value_name': {'key': 'valueName', 'type': 'str'}, + 'value_type': {'key': 'valueType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(RegistryValueEntityProperties, self).__init__(**kwargs) + self.key_entity_id = None + self.value_data = None + self.value_name = None + self.value_type = None + + +class Relation(ResourceWithEtag): + """Represents a relation between two resources. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :param related_resource_id: The resource ID of the related resource. + :type related_resource_id: str + :ivar related_resource_name: The name of the related resource. + :vartype related_resource_name: str + :ivar related_resource_type: The resource type of the related resource. + :vartype related_resource_type: str + :ivar related_resource_kind: The resource kind of the related resource. 
+ :vartype related_resource_kind: str + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'related_resource_name': {'readonly': True}, + 'related_resource_type': {'readonly': True}, + 'related_resource_kind': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'related_resource_id': {'key': 'properties.relatedResourceId', 'type': 'str'}, + 'related_resource_name': {'key': 'properties.relatedResourceName', 'type': 'str'}, + 'related_resource_type': {'key': 'properties.relatedResourceType', 'type': 'str'}, + 'related_resource_kind': {'key': 'properties.relatedResourceKind', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(Relation, self).__init__(**kwargs) + self.related_resource_id = kwargs.get('related_resource_id', None) + self.related_resource_name = None + self.related_resource_type = None + self.related_resource_kind = None + + +class RelationList(msrest.serialization.Model): + """List of relations. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of relations. + :vartype next_link: str + :param value: Required. Array of relations. 
+ :type value: list[~security_insights.models.Relation] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[Relation]'}, + } + + def __init__( + self, + **kwargs + ): + super(RelationList, self).__init__(**kwargs) + self.next_link = None + self.value = kwargs['value'] + + +class ScheduledAlertRule(AlertRule): + """Represents scheduled alert rule. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". + :type kind: str or ~security_insights.models.AlertRuleKind + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. 
Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. + :type trigger_threshold: int + :param alert_rule_template_name: The Name of the alert rule template used to create this rule. + :type alert_rule_template_name: str + :param description: The description of the alert rule. + :type description: str + :param display_name: The display name for alerts created by this alert rule. + :type display_name: str + :param enabled: Determines whether this alert rule is enabled or disabled. + :type enabled: bool + :ivar last_modified_utc: The last time that this alert rule has been modified. + :vartype last_modified_utc: ~datetime.datetime + :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last + time this alert rule been triggered. + :type suppression_duration: ~datetime.timedelta + :param suppression_enabled: Determines whether the suppression for this alert rule is enabled + or disabled. + :type suppression_enabled: bool + :param tactics: The tactics of the alert rule. 
+ :type tactics: list[str or ~security_insights.models.AttackTactic] + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'kind': {'required': True}, + 'last_modified_utc': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'properties.severity', 'type': 'str'}, + 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, + 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, + 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'}, + 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'}, + 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + } + + def __init__( + self, + **kwargs + ): + super(ScheduledAlertRule, self).__init__(**kwargs) + self.kind = 'Scheduled' # type: str + self.query = kwargs.get('query', None) + self.query_frequency = kwargs.get('query_frequency', None) + self.query_period = kwargs.get('query_period', None) + self.severity = kwargs.get('severity', None) + self.trigger_operator = 
kwargs.get('trigger_operator', None) + self.trigger_threshold = kwargs.get('trigger_threshold', None) + self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) + self.description = kwargs.get('description', None) + self.display_name = kwargs.get('display_name', None) + self.enabled = kwargs.get('enabled', None) + self.last_modified_utc = None + self.suppression_duration = kwargs.get('suppression_duration', None) + self.suppression_enabled = kwargs.get('suppression_enabled', None) + self.tactics = kwargs.get('tactics', None) + + +class ScheduledAlertRuleCommonProperties(msrest.serialization.Model): + """Schedule alert rule template property bag. + + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. 
+ :type trigger_threshold: int + """ + + _attribute_map = { + 'query': {'key': 'query', 'type': 'str'}, + 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, + } + + def __init__( + self, + **kwargs + ): + super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs) + self.query = kwargs.get('query', None) + self.query_frequency = kwargs.get('query_frequency', None) + self.query_period = kwargs.get('query_period', None) + self.severity = kwargs.get('severity', None) + self.trigger_operator = kwargs.get('trigger_operator', None) + self.trigger_threshold = kwargs.get('trigger_threshold', None) + + +class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): + """Scheduled alert rule base property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". 
+ :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. + :type trigger_threshold: int + :param alert_rule_template_name: The Name of the alert rule template used to create this rule. + :type alert_rule_template_name: str + :param description: The description of the alert rule. + :type description: str + :param display_name: Required. The display name for alerts created by this alert rule. + :type display_name: str + :param enabled: Required. Determines whether this alert rule is enabled or disabled. + :type enabled: bool + :ivar last_modified_utc: The last time that this alert rule has been modified. + :vartype last_modified_utc: ~datetime.datetime + :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait + since last time this alert rule been triggered. + :type suppression_duration: ~datetime.timedelta + :param suppression_enabled: Required. Determines whether the suppression for this alert rule is + enabled or disabled. + :type suppression_enabled: bool + :param tactics: The tactics of the alert rule. 
+ :type tactics: list[str or ~security_insights.models.AttackTactic] + """ + + _validation = { + 'display_name': {'required': True}, + 'enabled': {'required': True}, + 'last_modified_utc': {'readonly': True}, + 'suppression_duration': {'required': True}, + 'suppression_enabled': {'required': True}, + } + + _attribute_map = { + 'query': {'key': 'query', 'type': 'str'}, + 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, + 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'enabled': {'key': 'enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, + 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'}, + 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'}, + 'tactics': {'key': 'tactics', 'type': '[str]'}, + } + + def __init__( + self, + **kwargs + ): + super(ScheduledAlertRuleProperties, self).__init__(**kwargs) + self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) + self.description = kwargs.get('description', None) + self.display_name = kwargs['display_name'] + self.enabled = kwargs['enabled'] + self.last_modified_utc = None + self.suppression_duration = kwargs['suppression_duration'] + self.suppression_enabled = kwargs['suppression_enabled'] + self.tactics = kwargs.get('tactics', None) + + +class ScheduledAlertRuleTemplate(AlertRuleTemplate): + """Represents scheduled alert rule template. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. 
+ + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". + :type kind: str or ~security_insights.models.AlertRuleKind + :param alert_rules_created_by_template_count: the number of alert rules that were created by + this template. + :type alert_rules_created_by_template_count: int + :ivar created_date_utc: The time that this alert rule template has been added. + :vartype created_date_utc: ~datetime.datetime + :param description: The description of the alert rule template. + :type description: str + :param display_name: The display name for alert rule template. + :type display_name: str + :param required_data_connectors: The required data connectors for this template. + :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] + :param status: The alert rule template status. Possible values include: "Installed", + "Available", "NotAvailable". + :type status: str or ~security_insights.models.TemplateStatus + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". 
+ :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. + :type trigger_threshold: int + :param tactics: The tactics of the alert rule template. + :type tactics: list[str or ~security_insights.models.AttackTactic] + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'kind': {'required': True}, + 'created_date_utc': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, + 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, + 'status': {'key': 'properties.status', 'type': 'str'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'properties.severity', 'type': 'str'}, + 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, + 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + } + + 
def __init__( + self, + **kwargs + ): + super(ScheduledAlertRuleTemplate, self).__init__(**kwargs) + self.kind = 'Scheduled' # type: str + self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) + self.created_date_utc = None + self.description = kwargs.get('description', None) + self.display_name = kwargs.get('display_name', None) + self.required_data_connectors = kwargs.get('required_data_connectors', None) + self.status = kwargs.get('status', None) + self.query = kwargs.get('query', None) + self.query_frequency = kwargs.get('query_frequency', None) + self.query_period = kwargs.get('query_period', None) + self.severity = kwargs.get('severity', None) + self.trigger_operator = kwargs.get('trigger_operator', None) + self.trigger_threshold = kwargs.get('trigger_threshold', None) + self.tactics = kwargs.get('tactics', None) + + +class SecurityAlert(Entity): + """Represents a security alert entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar alert_display_name: The display name of the alert. + :vartype alert_display_name: str + :ivar alert_type: The type name of the alert. + :vartype alert_type: str + :ivar compromised_entity: Display name of the main entity being reported on. + :vartype compromised_entity: str + :ivar confidence_level: The confidence level of this alert. Possible values include: "Unknown", + "Low", "High". + :vartype confidence_level: str or ~security_insights.models.ConfidenceLevel + :ivar confidence_reasons: The confidence reasons. + :vartype confidence_reasons: + list[~security_insights.models.SecurityAlertPropertiesConfidenceReasonsItem] + :ivar confidence_score: The confidence score of the alert. + :vartype confidence_score: float + :ivar confidence_score_status: The confidence score calculation status, i.e. indicating if + score calculation is pending for this alert, not applicable or final. Possible values include: + "NotApplicable", "InProcess", "NotFinal", "Final". + :vartype confidence_score_status: str or ~security_insights.models.ConfidenceScoreStatus + :ivar description: Alert description. + :vartype description: str + :ivar end_time_utc: The impact end time of the alert (the time of the last event contributing + to the alert). + :vartype end_time_utc: ~datetime.datetime + :ivar intent: Holds the alert intent stage(s) mapping for this alert. Possible values include: + "Unknown", "Probing", "Exploitation", "Persistence", "PrivilegeEscalation", "DefenseEvasion", + "CredentialAccess", "Discovery", "LateralMovement", "Execution", "Collection", "Exfiltration", + "CommandAndControl", "Impact". 
+ :vartype intent: str or ~security_insights.models.KillChainIntent + :ivar provider_alert_id: The identifier of the alert inside the product which generated the + alert. + :vartype provider_alert_id: str + :ivar processing_end_time: The time the alert was made available for consumption. + :vartype processing_end_time: ~datetime.datetime + :ivar product_component_name: The name of a component inside the product which generated the + alert. + :vartype product_component_name: str + :ivar product_name: The name of the product which published this alert. + :vartype product_name: str + :ivar product_version: The version of the product generating the alert. + :vartype product_version: str + :ivar remediation_steps: Manual action items to take to remediate the alert. + :vartype remediation_steps: list[str] + :param severity: The severity of the alert. Possible values include: "High", "Medium", "Low", + "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :ivar start_time_utc: The impact start time of the alert (the time of the first event + contributing to the alert). + :vartype start_time_utc: ~datetime.datetime + :ivar status: The lifecycle status of the alert. Possible values include: "Unknown", "New", + "Resolved", "Dismissed", "InProgress". + :vartype status: str or ~security_insights.models.AlertStatus + :ivar system_alert_id: Holds the product identifier of the alert for the product. + :vartype system_alert_id: str + :ivar tactics: The tactics of the alert. + :vartype tactics: list[str or ~security_insights.models.AttackTactic] + :ivar time_generated: The time the alert was generated. + :vartype time_generated: ~datetime.datetime + :ivar vendor_name: The name of the vendor that raise the alert. + :vartype vendor_name: str + :ivar alert_link: The uri link of the alert. + :vartype alert_link: str + :ivar resource_identifiers: The list of resource identifiers of the alert. 
+ :vartype resource_identifiers: list[object] + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'alert_display_name': {'readonly': True}, + 'alert_type': {'readonly': True}, + 'compromised_entity': {'readonly': True}, + 'confidence_level': {'readonly': True}, + 'confidence_reasons': {'readonly': True}, + 'confidence_score': {'readonly': True}, + 'confidence_score_status': {'readonly': True}, + 'description': {'readonly': True}, + 'end_time_utc': {'readonly': True}, + 'intent': {'readonly': True}, + 'provider_alert_id': {'readonly': True}, + 'processing_end_time': {'readonly': True}, + 'product_component_name': {'readonly': True}, + 'product_name': {'readonly': True}, + 'product_version': {'readonly': True}, + 'remediation_steps': {'readonly': True}, + 'start_time_utc': {'readonly': True}, + 'status': {'readonly': True}, + 'system_alert_id': {'readonly': True}, + 'tactics': {'readonly': True}, + 'time_generated': {'readonly': True}, + 'vendor_name': {'readonly': True}, + 'alert_link': {'readonly': True}, + 'resource_identifiers': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'alert_display_name': {'key': 'properties.alertDisplayName', 'type': 'str'}, + 'alert_type': {'key': 'properties.alertType', 'type': 'str'}, + 'compromised_entity': {'key': 'properties.compromisedEntity', 'type': 'str'}, + 'confidence_level': {'key': 'properties.confidenceLevel', 'type': 'str'}, + 
'confidence_reasons': {'key': 'properties.confidenceReasons', 'type': '[SecurityAlertPropertiesConfidenceReasonsItem]'}, + 'confidence_score': {'key': 'properties.confidenceScore', 'type': 'float'}, + 'confidence_score_status': {'key': 'properties.confidenceScoreStatus', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'end_time_utc': {'key': 'properties.endTimeUtc', 'type': 'iso-8601'}, + 'intent': {'key': 'properties.intent', 'type': 'str'}, + 'provider_alert_id': {'key': 'properties.providerAlertId', 'type': 'str'}, + 'processing_end_time': {'key': 'properties.processingEndTime', 'type': 'iso-8601'}, + 'product_component_name': {'key': 'properties.productComponentName', 'type': 'str'}, + 'product_name': {'key': 'properties.productName', 'type': 'str'}, + 'product_version': {'key': 'properties.productVersion', 'type': 'str'}, + 'remediation_steps': {'key': 'properties.remediationSteps', 'type': '[str]'}, + 'severity': {'key': 'properties.severity', 'type': 'str'}, + 'start_time_utc': {'key': 'properties.startTimeUtc', 'type': 'iso-8601'}, + 'status': {'key': 'properties.status', 'type': 'str'}, + 'system_alert_id': {'key': 'properties.systemAlertId', 'type': 'str'}, + 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + 'time_generated': {'key': 'properties.timeGenerated', 'type': 'iso-8601'}, + 'vendor_name': {'key': 'properties.vendorName', 'type': 'str'}, + 'alert_link': {'key': 'properties.alertLink', 'type': 'str'}, + 'resource_identifiers': {'key': 'properties.resourceIdentifiers', 'type': '[object]'}, + } + + def __init__( + self, + **kwargs + ): + super(SecurityAlert, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.alert_display_name = None + self.alert_type = None + self.compromised_entity = None + self.confidence_level = None + self.confidence_reasons = None + self.confidence_score = None + self.confidence_score_status = None + self.description = None + 
self.end_time_utc = None + self.intent = None + self.provider_alert_id = None + self.processing_end_time = None + self.product_component_name = None + self.product_name = None + self.product_version = None + self.remediation_steps = None + self.severity = kwargs.get('severity', None) + self.start_time_utc = None + self.status = None + self.system_alert_id = None + self.tactics = None + self.time_generated = None + self.vendor_name = None + self.alert_link = None + self.resource_identifiers = None + + +class SecurityAlertProperties(EntityCommonProperties): + """SecurityAlert entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar alert_display_name: The display name of the alert. + :vartype alert_display_name: str + :ivar alert_type: The type name of the alert. + :vartype alert_type: str + :ivar compromised_entity: Display name of the main entity being reported on. + :vartype compromised_entity: str + :ivar confidence_level: The confidence level of this alert. Possible values include: "Unknown", + "Low", "High". + :vartype confidence_level: str or ~security_insights.models.ConfidenceLevel + :ivar confidence_reasons: The confidence reasons. + :vartype confidence_reasons: + list[~security_insights.models.SecurityAlertPropertiesConfidenceReasonsItem] + :ivar confidence_score: The confidence score of the alert. + :vartype confidence_score: float + :ivar confidence_score_status: The confidence score calculation status, i.e. indicating if + score calculation is pending for this alert, not applicable or final. 
Possible values include: + "NotApplicable", "InProcess", "NotFinal", "Final". + :vartype confidence_score_status: str or ~security_insights.models.ConfidenceScoreStatus + :ivar description: Alert description. + :vartype description: str + :ivar end_time_utc: The impact end time of the alert (the time of the last event contributing + to the alert). + :vartype end_time_utc: ~datetime.datetime + :ivar intent: Holds the alert intent stage(s) mapping for this alert. Possible values include: + "Unknown", "Probing", "Exploitation", "Persistence", "PrivilegeEscalation", "DefenseEvasion", + "CredentialAccess", "Discovery", "LateralMovement", "Execution", "Collection", "Exfiltration", + "CommandAndControl", "Impact". + :vartype intent: str or ~security_insights.models.KillChainIntent + :ivar provider_alert_id: The identifier of the alert inside the product which generated the + alert. + :vartype provider_alert_id: str + :ivar processing_end_time: The time the alert was made available for consumption. + :vartype processing_end_time: ~datetime.datetime + :ivar product_component_name: The name of a component inside the product which generated the + alert. + :vartype product_component_name: str + :ivar product_name: The name of the product which published this alert. + :vartype product_name: str + :ivar product_version: The version of the product generating the alert. + :vartype product_version: str + :ivar remediation_steps: Manual action items to take to remediate the alert. + :vartype remediation_steps: list[str] + :param severity: The severity of the alert. Possible values include: "High", "Medium", "Low", + "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :ivar start_time_utc: The impact start time of the alert (the time of the first event + contributing to the alert). + :vartype start_time_utc: ~datetime.datetime + :ivar status: The lifecycle status of the alert. 
Possible values include: "Unknown", "New", + "Resolved", "Dismissed", "InProgress". + :vartype status: str or ~security_insights.models.AlertStatus + :ivar system_alert_id: Holds the product identifier of the alert for the product. + :vartype system_alert_id: str + :ivar tactics: The tactics of the alert. + :vartype tactics: list[str or ~security_insights.models.AttackTactic] + :ivar time_generated: The time the alert was generated. + :vartype time_generated: ~datetime.datetime + :ivar vendor_name: The name of the vendor that raise the alert. + :vartype vendor_name: str + :ivar alert_link: The uri link of the alert. + :vartype alert_link: str + :ivar resource_identifiers: The list of resource identifiers of the alert. + :vartype resource_identifiers: list[object] + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'alert_display_name': {'readonly': True}, + 'alert_type': {'readonly': True}, + 'compromised_entity': {'readonly': True}, + 'confidence_level': {'readonly': True}, + 'confidence_reasons': {'readonly': True}, + 'confidence_score': {'readonly': True}, + 'confidence_score_status': {'readonly': True}, + 'description': {'readonly': True}, + 'end_time_utc': {'readonly': True}, + 'intent': {'readonly': True}, + 'provider_alert_id': {'readonly': True}, + 'processing_end_time': {'readonly': True}, + 'product_component_name': {'readonly': True}, + 'product_name': {'readonly': True}, + 'product_version': {'readonly': True}, + 'remediation_steps': {'readonly': True}, + 'start_time_utc': {'readonly': True}, + 'status': {'readonly': True}, + 'system_alert_id': {'readonly': True}, + 'tactics': {'readonly': True}, + 'time_generated': {'readonly': True}, + 'vendor_name': {'readonly': True}, + 'alert_link': {'readonly': True}, + 'resource_identifiers': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 
'str'}, + 'alert_display_name': {'key': 'alertDisplayName', 'type': 'str'}, + 'alert_type': {'key': 'alertType', 'type': 'str'}, + 'compromised_entity': {'key': 'compromisedEntity', 'type': 'str'}, + 'confidence_level': {'key': 'confidenceLevel', 'type': 'str'}, + 'confidence_reasons': {'key': 'confidenceReasons', 'type': '[SecurityAlertPropertiesConfidenceReasonsItem]'}, + 'confidence_score': {'key': 'confidenceScore', 'type': 'float'}, + 'confidence_score_status': {'key': 'confidenceScoreStatus', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'end_time_utc': {'key': 'endTimeUtc', 'type': 'iso-8601'}, + 'intent': {'key': 'intent', 'type': 'str'}, + 'provider_alert_id': {'key': 'providerAlertId', 'type': 'str'}, + 'processing_end_time': {'key': 'processingEndTime', 'type': 'iso-8601'}, + 'product_component_name': {'key': 'productComponentName', 'type': 'str'}, + 'product_name': {'key': 'productName', 'type': 'str'}, + 'product_version': {'key': 'productVersion', 'type': 'str'}, + 'remediation_steps': {'key': 'remediationSteps', 'type': '[str]'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'start_time_utc': {'key': 'startTimeUtc', 'type': 'iso-8601'}, + 'status': {'key': 'status', 'type': 'str'}, + 'system_alert_id': {'key': 'systemAlertId', 'type': 'str'}, + 'tactics': {'key': 'tactics', 'type': '[str]'}, + 'time_generated': {'key': 'timeGenerated', 'type': 'iso-8601'}, + 'vendor_name': {'key': 'vendorName', 'type': 'str'}, + 'alert_link': {'key': 'alertLink', 'type': 'str'}, + 'resource_identifiers': {'key': 'resourceIdentifiers', 'type': '[object]'}, + } + + def __init__( + self, + **kwargs + ): + super(SecurityAlertProperties, self).__init__(**kwargs) + self.alert_display_name = None + self.alert_type = None + self.compromised_entity = None + self.confidence_level = None + self.confidence_reasons = None + self.confidence_score = None + self.confidence_score_status = None + self.description = None + self.end_time_utc = None + 
self.intent = None + self.provider_alert_id = None + self.processing_end_time = None + self.product_component_name = None + self.product_name = None + self.product_version = None + self.remediation_steps = None + self.severity = kwargs.get('severity', None) + self.start_time_utc = None + self.status = None + self.system_alert_id = None + self.tactics = None + self.time_generated = None + self.vendor_name = None + self.alert_link = None + self.resource_identifiers = None + + +class SecurityAlertPropertiesConfidenceReasonsItem(msrest.serialization.Model): + """confidence reason item. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar reason: The reason's description. + :vartype reason: str + :ivar reason_type: The type (category) of the reason. + :vartype reason_type: str + """ + + _validation = { + 'reason': {'readonly': True}, + 'reason_type': {'readonly': True}, + } + + _attribute_map = { + 'reason': {'key': 'reason', 'type': 'str'}, + 'reason_type': {'key': 'reasonType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SecurityAlertPropertiesConfidenceReasonsItem, self).__init__(**kwargs) + self.reason = None + self.reason_type = None + + +class SecurityGroupEntity(Entity): + """Represents a security group entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. 
+ :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar distinguished_name: The group distinguished name. + :vartype distinguished_name: str + :ivar object_guid: A single-value attribute that is the unique identifier for the object, + assigned by active directory. + :vartype object_guid: str + :ivar sid: The SID attribute is a single-value attribute that specifies the security identifier + (SID) of the group. + :vartype sid: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'distinguished_name': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'sid': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'distinguished_name': {'key': 'properties.distinguishedName', 'type': 'str'}, + 'object_guid': {'key': 'properties.objectGuid', 'type': 'str'}, + 'sid': {'key': 'properties.sid', 'type': 'str'}, + } + + def __init__( + 
self, + **kwargs + ): + super(SecurityGroupEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.distinguished_name = None + self.object_guid = None + self.sid = None + + +class SecurityGroupEntityProperties(EntityCommonProperties): + """SecurityGroup entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar distinguished_name: The group distinguished name. + :vartype distinguished_name: str + :ivar object_guid: A single-value attribute that is the unique identifier for the object, + assigned by active directory. + :vartype object_guid: str + :ivar sid: The SID attribute is a single-value attribute that specifies the security identifier + (SID) of the group. + :vartype sid: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'distinguished_name': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'sid': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'distinguished_name': {'key': 'distinguishedName', 'type': 'str'}, + 'object_guid': {'key': 'objectGuid', 'type': 'str'}, + 'sid': {'key': 'sid', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SecurityGroupEntityProperties, self).__init__(**kwargs) + self.distinguished_name = None + self.object_guid = None + self.sid = None + + +class SubmissionMailEntity(Entity): + """Represents a submission mail entity. 
+ + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_id: The network message id of email to which submission belongs. + :vartype network_message_id: str + :ivar submission_id: The submission id. + :vartype submission_id: str + :ivar submitter: The submitter. + :vartype submitter: str + :ivar submission_date: The submission date. + :vartype submission_date: ~datetime.datetime + :ivar timestamp: The Time stamp when the message is received (Mail). + :vartype timestamp: ~datetime.datetime + :ivar recipient: The recipient of the mail. + :vartype recipient: str + :ivar sender: The sender of the mail. + :vartype sender: str + :ivar sender_ip: The sender's IP. + :vartype sender_ip: str + :ivar subject: The subject of submission mail. 
+ :vartype subject: str + :ivar report_type: The submission type for the given instance. This maps to Junk, Phish, + Malware or NotJunk. + :vartype report_type: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'submission_id': {'readonly': True}, + 'submitter': {'readonly': True}, + 'submission_date': {'readonly': True}, + 'timestamp': {'readonly': True}, + 'recipient': {'readonly': True}, + 'sender': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'subject': {'readonly': True}, + 'report_type': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'network_message_id': {'key': 'properties.networkMessageId', 'type': 'str'}, + 'submission_id': {'key': 'properties.submissionId', 'type': 'str'}, + 'submitter': {'key': 'properties.submitter', 'type': 'str'}, + 'submission_date': {'key': 'properties.submissionDate', 'type': 'iso-8601'}, + 'timestamp': {'key': 'properties.timestamp', 'type': 'iso-8601'}, + 'recipient': {'key': 'properties.recipient', 'type': 'str'}, + 'sender': {'key': 'properties.sender', 'type': 'str'}, + 'sender_ip': {'key': 'properties.senderIp', 'type': 'str'}, + 'subject': {'key': 'properties.subject', 'type': 'str'}, + 'report_type': {'key': 'properties.reportType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SubmissionMailEntity, self).__init__(**kwargs) + self.additional_data = None + 
self.friendly_name = None + self.network_message_id = None + self.submission_id = None + self.submitter = None + self.submission_date = None + self.timestamp = None + self.recipient = None + self.sender = None + self.sender_ip = None + self.subject = None + self.report_type = None + + +class SubmissionMailEntityProperties(EntityCommonProperties): + """Submission mail entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_id: The network message id of email to which submission belongs. + :vartype network_message_id: str + :ivar submission_id: The submission id. + :vartype submission_id: str + :ivar submitter: The submitter. + :vartype submitter: str + :ivar submission_date: The submission date. + :vartype submission_date: ~datetime.datetime + :ivar timestamp: The Time stamp when the message is received (Mail). + :vartype timestamp: ~datetime.datetime + :ivar recipient: The recipient of the mail. + :vartype recipient: str + :ivar sender: The sender of the mail. + :vartype sender: str + :ivar sender_ip: The sender's IP. + :vartype sender_ip: str + :ivar subject: The subject of submission mail. + :vartype subject: str + :ivar report_type: The submission type for the given instance. This maps to Junk, Phish, + Malware or NotJunk. 
+ :vartype report_type: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'submission_id': {'readonly': True}, + 'submitter': {'readonly': True}, + 'submission_date': {'readonly': True}, + 'timestamp': {'readonly': True}, + 'recipient': {'readonly': True}, + 'sender': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'subject': {'readonly': True}, + 'report_type': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'network_message_id': {'key': 'networkMessageId', 'type': 'str'}, + 'submission_id': {'key': 'submissionId', 'type': 'str'}, + 'submitter': {'key': 'submitter', 'type': 'str'}, + 'submission_date': {'key': 'submissionDate', 'type': 'iso-8601'}, + 'timestamp': {'key': 'timestamp', 'type': 'iso-8601'}, + 'recipient': {'key': 'recipient', 'type': 'str'}, + 'sender': {'key': 'sender', 'type': 'str'}, + 'sender_ip': {'key': 'senderIp', 'type': 'str'}, + 'subject': {'key': 'subject', 'type': 'str'}, + 'report_type': {'key': 'reportType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SubmissionMailEntityProperties, self).__init__(**kwargs) + self.network_message_id = None + self.submission_id = None + self.submitter = None + self.submission_date = None + self.timestamp = None + self.recipient = None + self.sender = None + self.sender_ip = None + self.subject = None + self.report_type = None + + +class SystemData(msrest.serialization.Model): + """Metadata pertaining to creation and last modification of the resource. + + :param created_by: The identity that created the resource. + :type created_by: str + :param created_by_type: The type of identity that created the resource. Possible values + include: "User", "Application", "ManagedIdentity", "Key". 
+ :type created_by_type: str or ~security_insights.models.CreatedByType + :param created_at: The timestamp of resource creation (UTC). + :type created_at: ~datetime.datetime + :param last_modified_by: The identity that last modified the resource. + :type last_modified_by: str + :param last_modified_by_type: The type of identity that last modified the resource. Possible + values include: "User", "Application", "ManagedIdentity", "Key". + :type last_modified_by_type: str or ~security_insights.models.CreatedByType + :param last_modified_at: The timestamp of resource last modification (UTC). + :type last_modified_at: ~datetime.datetime + """ + + _attribute_map = { + 'created_by': {'key': 'createdBy', 'type': 'str'}, + 'created_by_type': {'key': 'createdByType', 'type': 'str'}, + 'created_at': {'key': 'createdAt', 'type': 'iso-8601'}, + 'last_modified_by': {'key': 'lastModifiedBy', 'type': 'str'}, + 'last_modified_by_type': {'key': 'lastModifiedByType', 'type': 'str'}, + 'last_modified_at': {'key': 'lastModifiedAt', 'type': 'iso-8601'}, + } + + def __init__( + self, + **kwargs + ): + super(SystemData, self).__init__(**kwargs) + self.created_by = kwargs.get('created_by', None) + self.created_by_type = kwargs.get('created_by_type', None) + self.created_at = kwargs.get('created_at', None) + self.last_modified_by = kwargs.get('last_modified_by', None) + self.last_modified_by_type = kwargs.get('last_modified_by_type', None) + self.last_modified_at = kwargs.get('last_modified_at', None) + + +class ThreatIntelligence(msrest.serialization.Model): + """ThreatIntelligence property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar confidence: Confidence (must be between 0 and 1). + :vartype confidence: float + :ivar provider_name: Name of the provider from whom this Threat Intelligence information was + received. + :vartype provider_name: str + :ivar report_link: Report link. 
+ :vartype report_link: str + :ivar threat_description: Threat description (free text). + :vartype threat_description: str + :ivar threat_name: Threat name (e.g. "Jedobot malware"). + :vartype threat_name: str + :ivar threat_type: Threat type (e.g. "Botnet"). + :vartype threat_type: str + """ + + _validation = { + 'confidence': {'readonly': True}, + 'provider_name': {'readonly': True}, + 'report_link': {'readonly': True}, + 'threat_description': {'readonly': True}, + 'threat_name': {'readonly': True}, + 'threat_type': {'readonly': True}, + } + + _attribute_map = { + 'confidence': {'key': 'confidence', 'type': 'float'}, + 'provider_name': {'key': 'providerName', 'type': 'str'}, + 'report_link': {'key': 'reportLink', 'type': 'str'}, + 'threat_description': {'key': 'threatDescription', 'type': 'str'}, + 'threat_name': {'key': 'threatName', 'type': 'str'}, + 'threat_type': {'key': 'threatType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligence, self).__init__(**kwargs) + self.confidence = None + self.provider_name = None + self.report_link = None + self.threat_description = None + self.threat_name = None + self.threat_type = None + + +class ThreatIntelligenceAppendTags(msrest.serialization.Model): + """Array of tags to be appended to the threat intelligence indicator. + + :param threat_intelligence_tags: List of tags to be appended. + :type threat_intelligence_tags: list[str] + """ + + _attribute_map = { + 'threat_intelligence_tags': {'key': 'threatIntelligenceTags', 'type': '[str]'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceAppendTags, self).__init__(**kwargs) + self.threat_intelligence_tags = kwargs.get('threat_intelligence_tags', None) + + +class ThreatIntelligenceExternalReference(msrest.serialization.Model): + """Describes external reference. + + :param description: External reference description. + :type description: str + :param external_id: External reference ID. 
+ :type external_id: str + :param source_name: External reference source name. + :type source_name: str + :param url: External reference URL. + :type url: str + :param hashes: External reference hashes. + :type hashes: dict[str, str] + """ + + _attribute_map = { + 'description': {'key': 'description', 'type': 'str'}, + 'external_id': {'key': 'externalId', 'type': 'str'}, + 'source_name': {'key': 'sourceName', 'type': 'str'}, + 'url': {'key': 'url', 'type': 'str'}, + 'hashes': {'key': 'hashes', 'type': '{str}'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceExternalReference, self).__init__(**kwargs) + self.description = kwargs.get('description', None) + self.external_id = kwargs.get('external_id', None) + self.source_name = kwargs.get('source_name', None) + self.url = kwargs.get('url', None) + self.hashes = kwargs.get('hashes', None) + + +class ThreatIntelligenceFilteringCriteria(msrest.serialization.Model): + """Filtering criteria for querying threat intelligence indicators. + + :param page_size: Page size. + :type page_size: int + :param min_confidence: Minimum confidence. + :type min_confidence: int + :param max_confidence: Maximum confidence. + :type max_confidence: int + :param min_valid_until: Start time for ValidUntil filter. + :type min_valid_until: str + :param max_valid_until: End time for ValidUntil filter. + :type max_valid_until: str + :param include_disabled: Parameter to include/exclude disabled indicators. + :type include_disabled: bool + :param sort_by: Columns to sort by and sorting order. + :type sort_by: list[~security_insights.models.ThreatIntelligenceSortingCriteria] + :param sources: Sources of threat intelligence indicators. + :type sources: list[str] + :param pattern_types: Pattern types. + :type pattern_types: list[str] + :param threat_types: Threat types of threat intelligence indicators. + :type threat_types: list[str] + :param ids: Ids of threat intelligence indicators. 
+ :type ids: list[str] + :param keywords: Keywords for searching threat intelligence indicators. + :type keywords: list[str] + :param skip_token: Skip token. + :type skip_token: str + """ + + _attribute_map = { + 'page_size': {'key': 'pageSize', 'type': 'int'}, + 'min_confidence': {'key': 'minConfidence', 'type': 'int'}, + 'max_confidence': {'key': 'maxConfidence', 'type': 'int'}, + 'min_valid_until': {'key': 'minValidUntil', 'type': 'str'}, + 'max_valid_until': {'key': 'maxValidUntil', 'type': 'str'}, + 'include_disabled': {'key': 'includeDisabled', 'type': 'bool'}, + 'sort_by': {'key': 'sortBy', 'type': '[ThreatIntelligenceSortingCriteria]'}, + 'sources': {'key': 'sources', 'type': '[str]'}, + 'pattern_types': {'key': 'patternTypes', 'type': '[str]'}, + 'threat_types': {'key': 'threatTypes', 'type': '[str]'}, + 'ids': {'key': 'ids', 'type': '[str]'}, + 'keywords': {'key': 'keywords', 'type': '[str]'}, + 'skip_token': {'key': 'skipToken', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceFilteringCriteria, self).__init__(**kwargs) + self.page_size = kwargs.get('page_size', None) + self.min_confidence = kwargs.get('min_confidence', None) + self.max_confidence = kwargs.get('max_confidence', None) + self.min_valid_until = kwargs.get('min_valid_until', None) + self.max_valid_until = kwargs.get('max_valid_until', None) + self.include_disabled = kwargs.get('include_disabled', None) + self.sort_by = kwargs.get('sort_by', None) + self.sources = kwargs.get('sources', None) + self.pattern_types = kwargs.get('pattern_types', None) + self.threat_types = kwargs.get('threat_types', None) + self.ids = kwargs.get('ids', None) + self.keywords = kwargs.get('keywords', None) + self.skip_token = kwargs.get('skip_token', None) + + +class ThreatIntelligenceGranularMarkingModel(msrest.serialization.Model): + """Describes threat granular marking model entity. + + :param language: Language granular marking model. 
+ :type language: str + :param marking_ref: marking reference granular marking model. + :type marking_ref: int + :param selectors: granular marking model selectors. + :type selectors: list[str] + """ + + _attribute_map = { + 'language': {'key': 'language', 'type': 'str'}, + 'marking_ref': {'key': 'markingRef', 'type': 'int'}, + 'selectors': {'key': 'selectors', 'type': '[str]'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceGranularMarkingModel, self).__init__(**kwargs) + self.language = kwargs.get('language', None) + self.marking_ref = kwargs.get('marking_ref', None) + self.selectors = kwargs.get('selectors', None) + + +class ThreatIntelligenceResourceKind(msrest.serialization.Model): + """Describes an entity with kind. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". + :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + """ + + _validation = { + 'kind': {'required': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceResourceKind, self).__init__(**kwargs) + self.kind = kwargs['kind'] + + +class ThreatIntelligenceInformation(ResourceWithEtag, ThreatIntelligenceResourceKind): + """Threat intelligence information object. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". + :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. 
+ :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceInformation, self).__init__(**kwargs) + self.kind = kwargs['kind'] + self.id = None + self.name = None + self.type = None + self.system_data = None + self.etag = kwargs.get('etag', None) + + +class ThreatIntelligenceIndicatorModel(ThreatIntelligenceInformation): + """Threat intelligence indicator entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". + :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param threat_intelligence_tags: List of tags. + :type threat_intelligence_tags: list[str] + :param last_updated_time_utc: Last updated time in UTC. + :type last_updated_time_utc: str + :param source: Source of a threat intelligence entity. + :type source: str + :param display_name: Display name of a threat intelligence entity. + :type display_name: str + :param description: Description of a threat intelligence entity. + :type description: str + :param indicator_types: Indicator types of threat intelligence entities. + :type indicator_types: list[str] + :param pattern: Pattern of a threat intelligence entity. + :type pattern: str + :param pattern_type: Pattern type of a threat intelligence entity. + :type pattern_type: str + :param pattern_version: Pattern version of a threat intelligence entity. + :type pattern_version: str + :param kill_chain_phases: Kill chain phases. + :type kill_chain_phases: list[~security_insights.models.ThreatIntelligenceKillChainPhase] + :param parsed_pattern: Parsed patterns. + :type parsed_pattern: list[~security_insights.models.ThreatIntelligenceParsedPattern] + :param external_id: External ID of threat intelligence entity. + :type external_id: str + :param created_by_ref: Created by reference of threat intelligence entity. + :type created_by_ref: str + :param defanged: Is threat intelligence entity defanged. + :type defanged: bool + :param external_last_updated_time_utc: External last updated time in UTC. + :type external_last_updated_time_utc: str + :param external_references: External References. + :type external_references: list[~security_insights.models.ThreatIntelligenceExternalReference] + :param granular_markings: Granular Markings. 
+ :type granular_markings: list[~security_insights.models.ThreatIntelligenceGranularMarkingModel] + :param labels: Labels of threat intelligence entity. + :type labels: list[str] + :param revoked: Is threat intelligence entity revoked. + :type revoked: bool + :param confidence: Confidence of threat intelligence entity. + :type confidence: int + :param object_marking_refs: Threat intelligence entity object marking references. + :type object_marking_refs: list[str] + :param language: Language of threat intelligence entity. + :type language: str + :param threat_types: Threat types. + :type threat_types: list[str] + :param valid_from: Valid from. + :type valid_from: str + :param valid_until: Valid until. + :type valid_until: str + :param created: Created by. + :type created: str + :param modified: Modified by. + :type modified: str + :param extensions: Extensions map. + :type extensions: dict[str, object] + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'threat_intelligence_tags': {'key': 'properties.threatIntelligenceTags', 'type': '[str]'}, + 'last_updated_time_utc': {'key': 'properties.lastUpdatedTimeUtc', 'type': 'str'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 
'indicator_types': {'key': 'properties.indicatorTypes', 'type': '[str]'}, + 'pattern': {'key': 'properties.pattern', 'type': 'str'}, + 'pattern_type': {'key': 'properties.patternType', 'type': 'str'}, + 'pattern_version': {'key': 'properties.patternVersion', 'type': 'str'}, + 'kill_chain_phases': {'key': 'properties.killChainPhases', 'type': '[ThreatIntelligenceKillChainPhase]'}, + 'parsed_pattern': {'key': 'properties.parsedPattern', 'type': '[ThreatIntelligenceParsedPattern]'}, + 'external_id': {'key': 'properties.externalId', 'type': 'str'}, + 'created_by_ref': {'key': 'properties.createdByRef', 'type': 'str'}, + 'defanged': {'key': 'properties.defanged', 'type': 'bool'}, + 'external_last_updated_time_utc': {'key': 'properties.externalLastUpdatedTimeUtc', 'type': 'str'}, + 'external_references': {'key': 'properties.externalReferences', 'type': '[ThreatIntelligenceExternalReference]'}, + 'granular_markings': {'key': 'properties.granularMarkings', 'type': '[ThreatIntelligenceGranularMarkingModel]'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'revoked': {'key': 'properties.revoked', 'type': 'bool'}, + 'confidence': {'key': 'properties.confidence', 'type': 'int'}, + 'object_marking_refs': {'key': 'properties.objectMarkingRefs', 'type': '[str]'}, + 'language': {'key': 'properties.language', 'type': 'str'}, + 'threat_types': {'key': 'properties.threatTypes', 'type': '[str]'}, + 'valid_from': {'key': 'properties.validFrom', 'type': 'str'}, + 'valid_until': {'key': 'properties.validUntil', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'str'}, + 'modified': {'key': 'properties.modified', 'type': 'str'}, + 'extensions': {'key': 'properties.extensions', 'type': '{object}'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceIndicatorModel, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.threat_intelligence_tags = kwargs.get('threat_intelligence_tags', None) + 
self.last_updated_time_utc = kwargs.get('last_updated_time_utc', None) + self.source = kwargs.get('source', None) + self.display_name = kwargs.get('display_name', None) + self.description = kwargs.get('description', None) + self.indicator_types = kwargs.get('indicator_types', None) + self.pattern = kwargs.get('pattern', None) + self.pattern_type = kwargs.get('pattern_type', None) + self.pattern_version = kwargs.get('pattern_version', None) + self.kill_chain_phases = kwargs.get('kill_chain_phases', None) + self.parsed_pattern = kwargs.get('parsed_pattern', None) + self.external_id = kwargs.get('external_id', None) + self.created_by_ref = kwargs.get('created_by_ref', None) + self.defanged = kwargs.get('defanged', None) + self.external_last_updated_time_utc = kwargs.get('external_last_updated_time_utc', None) + self.external_references = kwargs.get('external_references', None) + self.granular_markings = kwargs.get('granular_markings', None) + self.labels = kwargs.get('labels', None) + self.revoked = kwargs.get('revoked', None) + self.confidence = kwargs.get('confidence', None) + self.object_marking_refs = kwargs.get('object_marking_refs', None) + self.language = kwargs.get('language', None) + self.threat_types = kwargs.get('threat_types', None) + self.valid_from = kwargs.get('valid_from', None) + self.valid_until = kwargs.get('valid_until', None) + self.created = kwargs.get('created', None) + self.modified = kwargs.get('modified', None) + self.extensions = kwargs.get('extensions', None) + + +class ThreatIntelligenceIndicatorModelForRequestBody(ThreatIntelligenceResourceKind): + """Threat intelligence indicator entity used in request body. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". 
+ :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + :param etag: Etag of the azure resource. + :type etag: str + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param threat_intelligence_tags: List of tags. + :type threat_intelligence_tags: list[str] + :param last_updated_time_utc: Last updated time in UTC. + :type last_updated_time_utc: str + :param source: Source of a threat intelligence entity. + :type source: str + :param display_name: Display name of a threat intelligence entity. + :type display_name: str + :param description: Description of a threat intelligence entity. + :type description: str + :param indicator_types: Indicator types of threat intelligence entities. + :type indicator_types: list[str] + :param pattern: Pattern of a threat intelligence entity. + :type pattern: str + :param pattern_type: Pattern type of a threat intelligence entity. + :type pattern_type: str + :param pattern_version: Pattern version of a threat intelligence entity. + :type pattern_version: str + :param kill_chain_phases: Kill chain phases. + :type kill_chain_phases: list[~security_insights.models.ThreatIntelligenceKillChainPhase] + :param parsed_pattern: Parsed patterns. + :type parsed_pattern: list[~security_insights.models.ThreatIntelligenceParsedPattern] + :param external_id: External ID of threat intelligence entity. + :type external_id: str + :param created_by_ref: Created by reference of threat intelligence entity. + :type created_by_ref: str + :param defanged: Is threat intelligence entity defanged. + :type defanged: bool + :param external_last_updated_time_utc: External last updated time in UTC. 
+ :type external_last_updated_time_utc: str + :param external_references: External References. + :type external_references: list[~security_insights.models.ThreatIntelligenceExternalReference] + :param granular_markings: Granular Markings. + :type granular_markings: list[~security_insights.models.ThreatIntelligenceGranularMarkingModel] + :param labels: Labels of threat intelligence entity. + :type labels: list[str] + :param revoked: Is threat intelligence entity revoked. + :type revoked: bool + :param confidence: Confidence of threat intelligence entity. + :type confidence: int + :param object_marking_refs: Threat intelligence entity object marking references. + :type object_marking_refs: list[str] + :param language: Language of threat intelligence entity. + :type language: str + :param threat_types: Threat types. + :type threat_types: list[str] + :param valid_from: Valid from. + :type valid_from: str + :param valid_until: Valid until. + :type valid_until: str + :param created: Created by. + :type created: str + :param modified: Modified by. + :type modified: str + :param extensions: Extensions map. 
+ :type extensions: dict[str, object] + """ + + _validation = { + 'kind': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'threat_intelligence_tags': {'key': 'properties.threatIntelligenceTags', 'type': '[str]'}, + 'last_updated_time_utc': {'key': 'properties.lastUpdatedTimeUtc', 'type': 'str'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'indicator_types': {'key': 'properties.indicatorTypes', 'type': '[str]'}, + 'pattern': {'key': 'properties.pattern', 'type': 'str'}, + 'pattern_type': {'key': 'properties.patternType', 'type': 'str'}, + 'pattern_version': {'key': 'properties.patternVersion', 'type': 'str'}, + 'kill_chain_phases': {'key': 'properties.killChainPhases', 'type': '[ThreatIntelligenceKillChainPhase]'}, + 'parsed_pattern': {'key': 'properties.parsedPattern', 'type': '[ThreatIntelligenceParsedPattern]'}, + 'external_id': {'key': 'properties.externalId', 'type': 'str'}, + 'created_by_ref': {'key': 'properties.createdByRef', 'type': 'str'}, + 'defanged': {'key': 'properties.defanged', 'type': 'bool'}, + 'external_last_updated_time_utc': {'key': 'properties.externalLastUpdatedTimeUtc', 'type': 'str'}, + 'external_references': {'key': 'properties.externalReferences', 'type': '[ThreatIntelligenceExternalReference]'}, + 'granular_markings': {'key': 'properties.granularMarkings', 'type': '[ThreatIntelligenceGranularMarkingModel]'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'revoked': {'key': 'properties.revoked', 'type': 'bool'}, + 'confidence': {'key': 'properties.confidence', 'type': 
'int'}, + 'object_marking_refs': {'key': 'properties.objectMarkingRefs', 'type': '[str]'}, + 'language': {'key': 'properties.language', 'type': 'str'}, + 'threat_types': {'key': 'properties.threatTypes', 'type': '[str]'}, + 'valid_from': {'key': 'properties.validFrom', 'type': 'str'}, + 'valid_until': {'key': 'properties.validUntil', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'str'}, + 'modified': {'key': 'properties.modified', 'type': 'str'}, + 'extensions': {'key': 'properties.extensions', 'type': '{object}'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceIndicatorModelForRequestBody, self).__init__(**kwargs) + self.etag = kwargs.get('etag', None) + self.additional_data = None + self.friendly_name = None + self.threat_intelligence_tags = kwargs.get('threat_intelligence_tags', None) + self.last_updated_time_utc = kwargs.get('last_updated_time_utc', None) + self.source = kwargs.get('source', None) + self.display_name = kwargs.get('display_name', None) + self.description = kwargs.get('description', None) + self.indicator_types = kwargs.get('indicator_types', None) + self.pattern = kwargs.get('pattern', None) + self.pattern_type = kwargs.get('pattern_type', None) + self.pattern_version = kwargs.get('pattern_version', None) + self.kill_chain_phases = kwargs.get('kill_chain_phases', None) + self.parsed_pattern = kwargs.get('parsed_pattern', None) + self.external_id = kwargs.get('external_id', None) + self.created_by_ref = kwargs.get('created_by_ref', None) + self.defanged = kwargs.get('defanged', None) + self.external_last_updated_time_utc = kwargs.get('external_last_updated_time_utc', None) + self.external_references = kwargs.get('external_references', None) + self.granular_markings = kwargs.get('granular_markings', None) + self.labels = kwargs.get('labels', None) + self.revoked = kwargs.get('revoked', None) + self.confidence = kwargs.get('confidence', None) + self.object_marking_refs = 
kwargs.get('object_marking_refs', None) + self.language = kwargs.get('language', None) + self.threat_types = kwargs.get('threat_types', None) + self.valid_from = kwargs.get('valid_from', None) + self.valid_until = kwargs.get('valid_until', None) + self.created = kwargs.get('created', None) + self.modified = kwargs.get('modified', None) + self.extensions = kwargs.get('extensions', None) + + +class ThreatIntelligenceIndicatorProperties(EntityCommonProperties): + """Describes threat intelligence entity properties. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param threat_intelligence_tags: List of tags. + :type threat_intelligence_tags: list[str] + :param last_updated_time_utc: Last updated time in UTC. + :type last_updated_time_utc: str + :param source: Source of a threat intelligence entity. + :type source: str + :param display_name: Display name of a threat intelligence entity. + :type display_name: str + :param description: Description of a threat intelligence entity. + :type description: str + :param indicator_types: Indicator types of threat intelligence entities. + :type indicator_types: list[str] + :param pattern: Pattern of a threat intelligence entity. + :type pattern: str + :param pattern_type: Pattern type of a threat intelligence entity. + :type pattern_type: str + :param pattern_version: Pattern version of a threat intelligence entity. + :type pattern_version: str + :param kill_chain_phases: Kill chain phases. 
+ :type kill_chain_phases: list[~security_insights.models.ThreatIntelligenceKillChainPhase] + :param parsed_pattern: Parsed patterns. + :type parsed_pattern: list[~security_insights.models.ThreatIntelligenceParsedPattern] + :param external_id: External ID of threat intelligence entity. + :type external_id: str + :param created_by_ref: Created by reference of threat intelligence entity. + :type created_by_ref: str + :param defanged: Is threat intelligence entity defanged. + :type defanged: bool + :param external_last_updated_time_utc: External last updated time in UTC. + :type external_last_updated_time_utc: str + :param external_references: External References. + :type external_references: list[~security_insights.models.ThreatIntelligenceExternalReference] + :param granular_markings: Granular Markings. + :type granular_markings: list[~security_insights.models.ThreatIntelligenceGranularMarkingModel] + :param labels: Labels of threat intelligence entity. + :type labels: list[str] + :param revoked: Is threat intelligence entity revoked. + :type revoked: bool + :param confidence: Confidence of threat intelligence entity. + :type confidence: int + :param object_marking_refs: Threat intelligence entity object marking references. + :type object_marking_refs: list[str] + :param language: Language of threat intelligence entity. + :type language: str + :param threat_types: Threat types. + :type threat_types: list[str] + :param valid_from: Valid from. + :type valid_from: str + :param valid_until: Valid until. + :type valid_until: str + :param created: Created by. + :type created: str + :param modified: Modified by. + :type modified: str + :param extensions: Extensions map. 
+ :type extensions: dict[str, object] + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'threat_intelligence_tags': {'key': 'threatIntelligenceTags', 'type': '[str]'}, + 'last_updated_time_utc': {'key': 'lastUpdatedTimeUtc', 'type': 'str'}, + 'source': {'key': 'source', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'indicator_types': {'key': 'indicatorTypes', 'type': '[str]'}, + 'pattern': {'key': 'pattern', 'type': 'str'}, + 'pattern_type': {'key': 'patternType', 'type': 'str'}, + 'pattern_version': {'key': 'patternVersion', 'type': 'str'}, + 'kill_chain_phases': {'key': 'killChainPhases', 'type': '[ThreatIntelligenceKillChainPhase]'}, + 'parsed_pattern': {'key': 'parsedPattern', 'type': '[ThreatIntelligenceParsedPattern]'}, + 'external_id': {'key': 'externalId', 'type': 'str'}, + 'created_by_ref': {'key': 'createdByRef', 'type': 'str'}, + 'defanged': {'key': 'defanged', 'type': 'bool'}, + 'external_last_updated_time_utc': {'key': 'externalLastUpdatedTimeUtc', 'type': 'str'}, + 'external_references': {'key': 'externalReferences', 'type': '[ThreatIntelligenceExternalReference]'}, + 'granular_markings': {'key': 'granularMarkings', 'type': '[ThreatIntelligenceGranularMarkingModel]'}, + 'labels': {'key': 'labels', 'type': '[str]'}, + 'revoked': {'key': 'revoked', 'type': 'bool'}, + 'confidence': {'key': 'confidence', 'type': 'int'}, + 'object_marking_refs': {'key': 'objectMarkingRefs', 'type': '[str]'}, + 'language': {'key': 'language', 'type': 'str'}, + 'threat_types': {'key': 'threatTypes', 'type': '[str]'}, + 'valid_from': {'key': 'validFrom', 'type': 'str'}, + 'valid_until': {'key': 'validUntil', 'type': 'str'}, + 'created': {'key': 'created', 'type': 'str'}, + 'modified': 
{'key': 'modified', 'type': 'str'}, + 'extensions': {'key': 'extensions', 'type': '{object}'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceIndicatorProperties, self).__init__(**kwargs) + self.threat_intelligence_tags = kwargs.get('threat_intelligence_tags', None) + self.last_updated_time_utc = kwargs.get('last_updated_time_utc', None) + self.source = kwargs.get('source', None) + self.display_name = kwargs.get('display_name', None) + self.description = kwargs.get('description', None) + self.indicator_types = kwargs.get('indicator_types', None) + self.pattern = kwargs.get('pattern', None) + self.pattern_type = kwargs.get('pattern_type', None) + self.pattern_version = kwargs.get('pattern_version', None) + self.kill_chain_phases = kwargs.get('kill_chain_phases', None) + self.parsed_pattern = kwargs.get('parsed_pattern', None) + self.external_id = kwargs.get('external_id', None) + self.created_by_ref = kwargs.get('created_by_ref', None) + self.defanged = kwargs.get('defanged', None) + self.external_last_updated_time_utc = kwargs.get('external_last_updated_time_utc', None) + self.external_references = kwargs.get('external_references', None) + self.granular_markings = kwargs.get('granular_markings', None) + self.labels = kwargs.get('labels', None) + self.revoked = kwargs.get('revoked', None) + self.confidence = kwargs.get('confidence', None) + self.object_marking_refs = kwargs.get('object_marking_refs', None) + self.language = kwargs.get('language', None) + self.threat_types = kwargs.get('threat_types', None) + self.valid_from = kwargs.get('valid_from', None) + self.valid_until = kwargs.get('valid_until', None) + self.created = kwargs.get('created', None) + self.modified = kwargs.get('modified', None) + self.extensions = kwargs.get('extensions', None) + + +class ThreatIntelligenceInformationList(msrest.serialization.Model): + """List of all the threat intelligence information objects. 
+ + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of information objects. + :vartype next_link: str + :param value: Required. Array of threat intelligence information objects. + :type value: list[~security_insights.models.ThreatIntelligenceInformation] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[ThreatIntelligenceInformation]'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceInformationList, self).__init__(**kwargs) + self.next_link = None + self.value = kwargs['value'] + + +class ThreatIntelligenceKillChainPhase(msrest.serialization.Model): + """Describes threat kill chain phase entity. + + :param kill_chain_name: Kill chainName name. + :type kill_chain_name: str + :param phase_name: Phase name. + :type phase_name: str + """ + + _attribute_map = { + 'kill_chain_name': {'key': 'killChainName', 'type': 'str'}, + 'phase_name': {'key': 'phaseName', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceKillChainPhase, self).__init__(**kwargs) + self.kill_chain_name = kwargs.get('kill_chain_name', None) + self.phase_name = kwargs.get('phase_name', None) + + +class ThreatIntelligenceMetric(msrest.serialization.Model): + """Describes threat intelligence metric. + + :param last_updated_time_utc: Last updated indicator metric. + :type last_updated_time_utc: str + :param threat_type_metrics: Threat type metrics. + :type threat_type_metrics: list[~security_insights.models.ThreatIntelligenceMetricEntity] + :param pattern_type_metrics: Pattern type metrics. + :type pattern_type_metrics: list[~security_insights.models.ThreatIntelligenceMetricEntity] + :param source_metrics: Source metrics. 
+ :type source_metrics: list[~security_insights.models.ThreatIntelligenceMetricEntity] + """ + + _attribute_map = { + 'last_updated_time_utc': {'key': 'lastUpdatedTimeUtc', 'type': 'str'}, + 'threat_type_metrics': {'key': 'threatTypeMetrics', 'type': '[ThreatIntelligenceMetricEntity]'}, + 'pattern_type_metrics': {'key': 'patternTypeMetrics', 'type': '[ThreatIntelligenceMetricEntity]'}, + 'source_metrics': {'key': 'sourceMetrics', 'type': '[ThreatIntelligenceMetricEntity]'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceMetric, self).__init__(**kwargs) + self.last_updated_time_utc = kwargs.get('last_updated_time_utc', None) + self.threat_type_metrics = kwargs.get('threat_type_metrics', None) + self.pattern_type_metrics = kwargs.get('pattern_type_metrics', None) + self.source_metrics = kwargs.get('source_metrics', None) + + +class ThreatIntelligenceMetricEntity(msrest.serialization.Model): + """Describes threat intelligence metric entity. + + :param metric_name: Metric name. + :type metric_name: str + :param metric_value: Metric value. + :type metric_value: int + """ + + _attribute_map = { + 'metric_name': {'key': 'metricName', 'type': 'str'}, + 'metric_value': {'key': 'metricValue', 'type': 'int'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceMetricEntity, self).__init__(**kwargs) + self.metric_name = kwargs.get('metric_name', None) + self.metric_value = kwargs.get('metric_value', None) + + +class ThreatIntelligenceMetrics(msrest.serialization.Model): + """Threat intelligence metrics. + + :param properties: Threat intelligence metrics. 
+ :type properties: ~security_insights.models.ThreatIntelligenceMetric + """ + + _attribute_map = { + 'properties': {'key': 'properties', 'type': 'ThreatIntelligenceMetric'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceMetrics, self).__init__(**kwargs) + self.properties = kwargs.get('properties', None) + + +class ThreatIntelligenceMetricsList(msrest.serialization.Model): + """List of all the threat intelligence metric fields (type/threat type/source). + + All required parameters must be populated in order to send to Azure. + + :param value: Required. Array of threat intelligence metric fields (type/threat type/source). + :type value: list[~security_insights.models.ThreatIntelligenceMetrics] + """ + + _validation = { + 'value': {'required': True}, + } + + _attribute_map = { + 'value': {'key': 'value', 'type': '[ThreatIntelligenceMetrics]'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceMetricsList, self).__init__(**kwargs) + self.value = kwargs['value'] + + +class ThreatIntelligenceParsedPattern(msrest.serialization.Model): + """Describes parsed pattern entity. + + :param pattern_type_key: Pattern type key. + :type pattern_type_key: str + :param pattern_type_values: Pattern type keys. + :type pattern_type_values: + list[~security_insights.models.ThreatIntelligenceParsedPatternTypeValue] + """ + + _attribute_map = { + 'pattern_type_key': {'key': 'patternTypeKey', 'type': 'str'}, + 'pattern_type_values': {'key': 'patternTypeValues', 'type': '[ThreatIntelligenceParsedPatternTypeValue]'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceParsedPattern, self).__init__(**kwargs) + self.pattern_type_key = kwargs.get('pattern_type_key', None) + self.pattern_type_values = kwargs.get('pattern_type_values', None) + + +class ThreatIntelligenceParsedPatternTypeValue(msrest.serialization.Model): + """Describes threat kill chain phase entity. + + :param value_type: Type of the value. 
+ :type value_type: str + :param value: Value of parsed pattern. + :type value: str + """ + + _attribute_map = { + 'value_type': {'key': 'valueType', 'type': 'str'}, + 'value': {'key': 'value', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligenceParsedPatternTypeValue, self).__init__(**kwargs) + self.value_type = kwargs.get('value_type', None) + self.value = kwargs.get('value', None) + + +class ThreatIntelligenceSortingCriteria(msrest.serialization.Model): + """List of available columns for sorting. + + :param item_key: Column name. + :type item_key: str + :param sort_order: Sorting order (ascending/descending/unsorted). Possible values include: + "unsorted", "ascending", "descending". + :type sort_order: str or ~security_insights.models.ThreatIntelligenceSortingOrder + """ + + _attribute_map = { + 'item_key': {'key': 'itemKey', 'type': 'str'}, + 'sort_order': {'key': 'sortOrder', 'type': 'str'}, } def __init__( self, **kwargs ): - super(ScheduledAlertRuleProperties, self).__init__(**kwargs) - self.alert_rule_template_name = kwargs.get('alert_rule_template_name', None) - self.description = kwargs.get('description', None) - self.display_name = kwargs['display_name'] - self.enabled = kwargs['enabled'] - self.last_modified_utc = None - self.suppression_duration = kwargs['suppression_duration'] - self.suppression_enabled = kwargs['suppression_enabled'] - self.tactics = kwargs.get('tactics', None) + super(ThreatIntelligenceSortingCriteria, self).__init__(**kwargs) + self.item_key = kwargs.get('item_key', None) + self.sort_order = kwargs.get('sort_order', None) -class ScheduledAlertRuleTemplate(AlertRuleTemplate): - """Represents scheduled alert rule template. +class UrlEntity(Entity): + """Represents a url entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. 
- :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param tactics: The tactics of the alert rule template. - :type tactics: list[str or ~security_insights.models.AttackTactic] + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar url: A full URL the entity points to. 
+ :vartype url: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'url': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'url': {'key': 'properties.url', 'type': 'str'}, } def __init__( self, **kwargs ): - super(ScheduledAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'Scheduled' # type: str - 
self.alert_rules_created_by_template_count = kwargs.get('alert_rules_created_by_template_count', None) - self.created_date_utc = None - self.description = kwargs.get('description', None) - self.display_name = kwargs.get('display_name', None) - self.required_data_connectors = kwargs.get('required_data_connectors', None) - self.status = kwargs.get('status', None) - self.query = kwargs.get('query', None) - self.query_frequency = kwargs.get('query_frequency', None) - self.query_period = kwargs.get('query_period', None) - self.severity = kwargs.get('severity', None) - self.trigger_operator = kwargs.get('trigger_operator', None) - self.trigger_threshold = kwargs.get('trigger_threshold', None) - self.tactics = kwargs.get('tactics', None) - + super(UrlEntity, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + self.url = None -class Settings(ResourceWithEtag): - """The Settings. - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: ToggleSettings, UebaSettings. +class UrlEntityProperties(EntityCommonProperties): + """Url entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. 
This property is optional and might be system generated. + :vartype friendly_name: str + :ivar url: A full URL the entity points to. + :vartype url: str """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'url': {'readonly': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'ToggleSettings': 'ToggleSettings', 'UebaSettings': 'UebaSettings'} + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'url': {'key': 'url', 'type': 'str'}, } def __init__( self, **kwargs ): - super(Settings, self).__init__(**kwargs) - self.kind = 'Settings' # type: str + super(UrlEntityProperties, self).__init__(**kwargs) + self.url = None -class ThreatIntelligence(msrest.serialization.Model): - """ThreatIntelligence property bag. +class UserInfo(msrest.serialization.Model): + """User information that made some action. Variables are only populated by the server, and will be ignored when sending a request. - :ivar confidence: Confidence (must be between 0 and 1). - :vartype confidence: float - :ivar provider_name: Name of the provider from whom this Threat Intelligence information was - received. - :vartype provider_name: str - :ivar report_link: Report link. - :vartype report_link: str - :ivar threat_description: Threat description (free text). - :vartype threat_description: str - :ivar threat_name: Threat name (e.g. "Jedobot malware"). - :vartype threat_name: str - :ivar threat_type: Threat type (e.g. "Botnet"). - :vartype threat_type: str + :ivar email: The email of the user. + :vartype email: str + :ivar name: The name of the user. 
+ :vartype name: str + :param object_id: The object id of the user. + :type object_id: str """ _validation = { - 'confidence': {'readonly': True}, - 'provider_name': {'readonly': True}, - 'report_link': {'readonly': True}, - 'threat_description': {'readonly': True}, - 'threat_name': {'readonly': True}, - 'threat_type': {'readonly': True}, + 'email': {'readonly': True}, + 'name': {'readonly': True}, } _attribute_map = { - 'confidence': {'key': 'confidence', 'type': 'float'}, - 'provider_name': {'key': 'providerName', 'type': 'str'}, - 'report_link': {'key': 'reportLink', 'type': 'str'}, - 'threat_description': {'key': 'threatDescription', 'type': 'str'}, - 'threat_name': {'key': 'threatName', 'type': 'str'}, - 'threat_type': {'key': 'threatType', 'type': 'str'}, + 'email': {'key': 'email', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'object_id': {'key': 'objectId', 'type': 'str'}, } def __init__( self, **kwargs ): - super(ThreatIntelligence, self).__init__(**kwargs) - self.confidence = None - self.provider_name = None - self.report_link = None - self.threat_description = None - self.threat_name = None - self.threat_type = None + super(UserInfo, self).__init__(**kwargs) + self.email = None + self.name = None + self.object_id = kwargs.get('object_id', None) -class TIDataConnector(DataConnector): - """Represents threat intelligence data connector. +class Watchlist(ResourceWithEtag): + """Represents a Watchlist in Azure Security Insights. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. 
:type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. + :param watchlist_id: The id (a Guid) of the watchlist. + :type watchlist_id: str + :param display_name: The display name of the watchlist. + :type display_name: str + :param provider: The provider of the watchlist. + :type provider: str + :param source: The source of the watchlist. Possible values include: "Local file", "Remote + storage". + :type source: str or ~security_insights.models.Source + :param created: The time the watchlist was created. + :type created: ~datetime.datetime + :param updated: The last time the watchlist was updated. + :type updated: ~datetime.datetime + :param created_by: Describes a user that created the watchlist. + :type created_by: ~security_insights.models.UserInfo + :param updated_by: Describes a user that updated the watchlist. + :type updated_by: ~security_insights.models.UserInfo + :param description: A description of the watchlist. + :type description: str + :param watchlist_type: The type of the watchlist. + :type watchlist_type: str + :param watchlist_alias: The alias of the watchlist. + :type watchlist_alias: str + :param is_deleted: A flag that indicates if the watchlist is deleted or not. + :type is_deleted: bool + :param labels: List of labels relevant to this watchlist. + :type labels: list[str] + :param default_duration: The default duration of a watchlist (in ISO 8601 duration format). + :type default_duration: ~datetime.timedelta + :param tenant_id: The tenantId where the watchlist belongs to. 
:type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :param number_of_lines_to_skip: The number of lines in a csv content to skip before the header. + :type number_of_lines_to_skip: int + :param raw_content: The raw content that represents to watchlist items to create. Example : + This line will be skipped + header1,header2 + value1,value2. + :type raw_content: str + :param items_search_key: The search key is used to optimize query performance when using + watchlists for joins with other data. For example, enable a column with IP addresses to be the + designated SearchKey field, then use this field as the key field when joining to other event + data by IP address. + :type items_search_key: str + :param content_type: The content type of the raw content. For now, only text/csv is valid. + :type content_type: str + :param upload_status: The status of the Watchlist upload : New, InProgress or Complete. + **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted. 
+ :type upload_status: str """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, + 'watchlist_id': {'key': 'properties.watchlistId', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'provider': {'key': 'properties.provider', 'type': 'str'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'iso-8601'}, + 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, + 'created_by': {'key': 'properties.createdBy', 'type': 'UserInfo'}, + 'updated_by': {'key': 'properties.updatedBy', 'type': 'UserInfo'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'watchlist_type': {'key': 'properties.watchlistType', 'type': 'str'}, + 'watchlist_alias': {'key': 'properties.watchlistAlias', 'type': 'str'}, + 'is_deleted': {'key': 'properties.isDeleted', 'type': 'bool'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'default_duration': {'key': 'properties.defaultDuration', 'type': 'duration'}, 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.indicators.state', 'type': 'str'}, + 'number_of_lines_to_skip': {'key': 'properties.numberOfLinesToSkip', 'type': 'int'}, + 'raw_content': {'key': 'properties.rawContent', 'type': 'str'}, + 'items_search_key': {'key': 'properties.itemsSearchKey', 'type': 'str'}, + 'content_type': {'key': 'properties.contentType', 'type': 'str'}, + 'upload_status': {'key': 'properties.uploadStatus', 'type': 'str'}, } def __init__( self, **kwargs ): - super(TIDataConnector, self).__init__(**kwargs) - 
self.kind = 'ThreatIntelligence' # type: str + super(Watchlist, self).__init__(**kwargs) + self.watchlist_id = kwargs.get('watchlist_id', None) + self.display_name = kwargs.get('display_name', None) + self.provider = kwargs.get('provider', None) + self.source = kwargs.get('source', None) + self.created = kwargs.get('created', None) + self.updated = kwargs.get('updated', None) + self.created_by = kwargs.get('created_by', None) + self.updated_by = kwargs.get('updated_by', None) + self.description = kwargs.get('description', None) + self.watchlist_type = kwargs.get('watchlist_type', None) + self.watchlist_alias = kwargs.get('watchlist_alias', None) + self.is_deleted = kwargs.get('is_deleted', None) + self.labels = kwargs.get('labels', None) + self.default_duration = kwargs.get('default_duration', None) self.tenant_id = kwargs.get('tenant_id', None) - self.state = kwargs.get('state', None) - - -class TIDataConnectorDataTypesIndicators(DataConnectorDataTypeCommon): - """Data type for indicators connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(TIDataConnectorDataTypesIndicators, self).__init__(**kwargs) + self.number_of_lines_to_skip = kwargs.get('number_of_lines_to_skip', None) + self.raw_content = kwargs.get('raw_content', None) + self.items_search_key = kwargs.get('items_search_key', None) + self.content_type = kwargs.get('content_type', None) + self.upload_status = kwargs.get('upload_status', None) -class ToggleSettings(Settings): - """Settings with single toggle. +class WatchlistItem(ResourceWithEtag): + """Represents a Watchlist Item in Azure Security Insights. Variables are only populated by the server, and will be ignored when sending a request. 
- All required parameters must be populated in order to send to Azure. - :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :param is_enabled: Determines whether the setting is enable or disabled. - :type is_enabled: bool + :param watchlist_item_type: The type of the watchlist item. + :type watchlist_item_type: str + :param watchlist_item_id: The id (a Guid) of the watchlist item. + :type watchlist_item_id: str + :param tenant_id: The tenantId to which the watchlist item belongs to. + :type tenant_id: str + :param is_deleted: A flag that indicates if the watchlist item is deleted or not. + :type is_deleted: bool + :param created: The time the watchlist item was created. + :type created: ~datetime.datetime + :param updated: The last time the watchlist item was updated. + :type updated: ~datetime.datetime + :param created_by: Describes a user that created the watchlist item. + :type created_by: ~security_insights.models.UserInfo + :param updated_by: Describes a user that updated the watchlist item. + :type updated_by: ~security_insights.models.UserInfo + :param items_key_value: key-value pairs for a watchlist item. + :type items_key_value: object + :param entity_mapping: key-value pairs for a watchlist item entity mapping. 
+ :type entity_mapping: object """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, + 'watchlist_item_type': {'key': 'properties.watchlistItemType', 'type': 'str'}, + 'watchlist_item_id': {'key': 'properties.watchlistItemId', 'type': 'str'}, + 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, + 'is_deleted': {'key': 'properties.isDeleted', 'type': 'bool'}, + 'created': {'key': 'properties.created', 'type': 'iso-8601'}, + 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, + 'created_by': {'key': 'properties.createdBy', 'type': 'UserInfo'}, + 'updated_by': {'key': 'properties.updatedBy', 'type': 'UserInfo'}, + 'items_key_value': {'key': 'properties.itemsKeyValue', 'type': 'object'}, + 'entity_mapping': {'key': 'properties.entityMapping', 'type': 'object'}, } def __init__( self, **kwargs ): - super(ToggleSettings, self).__init__(**kwargs) - self.kind = 'ToggleSettings' # type: str - self.is_enabled = kwargs.get('is_enabled', None) + super(WatchlistItem, self).__init__(**kwargs) + self.watchlist_item_type = kwargs.get('watchlist_item_type', None) + self.watchlist_item_id = kwargs.get('watchlist_item_id', None) + self.tenant_id = kwargs.get('tenant_id', None) + self.is_deleted = kwargs.get('is_deleted', None) + self.created = kwargs.get('created', None) + self.updated = kwargs.get('updated', None) + self.created_by = kwargs.get('created_by', None) + self.updated_by = kwargs.get('updated_by', None) + self.items_key_value = kwargs.get('items_key_value', None) + self.entity_mapping = 
kwargs.get('entity_mapping', None) -class UebaSettings(Settings): - """Represents settings for User and Entity Behavior Analytics enablement. +class WatchlistItemList(msrest.serialization.Model): + """List all the watchlist items. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :ivar atp_license_status: Determines whether the tenant has ATP (Advanced Threat Protection) - license. Possible values include: "Enabled", "Disabled". - :vartype atp_license_status: str or ~security_insights.models.LicenseStatus - :param is_enabled: Determines whether User and Entity Behavior Analytics is enabled for this - workspace. - :type is_enabled: bool - :ivar status_in_mcas: Determines whether User and Entity Behavior Analytics is enabled from - MCAS (Microsoft Cloud App Security). Possible values include: "Enabled", "Disabled". - :vartype status_in_mcas: str or ~security_insights.models.StatusInMCAS + :ivar next_link: URL to fetch the next set of watchlist items. + :vartype next_link: str + :param value: Required. Array of watchlist items. 
+ :type value: list[~security_insights.models.WatchlistItem] """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'atp_license_status': {'readonly': True}, - 'status_in_mcas': {'readonly': True}, + 'next_link': {'readonly': True}, + 'value': {'required': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'atp_license_status': {'key': 'properties.atpLicenseStatus', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, - 'status_in_mcas': {'key': 'properties.statusInMcas', 'type': 'str'}, + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[WatchlistItem]'}, + } + + def __init__( + self, + **kwargs + ): + super(WatchlistItemList, self).__init__(**kwargs) + self.next_link = None + self.value = kwargs['value'] + + +class WatchlistList(msrest.serialization.Model): + """List all the watchlists. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of watchlists. + :vartype next_link: str + :param value: Required. Array of watchlist. 
+ :type value: list[~security_insights.models.Watchlist] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[Watchlist]'}, } def __init__( self, **kwargs ): - super(UebaSettings, self).__init__(**kwargs) - self.kind = 'UebaSettings' # type: str - self.atp_license_status = None - self.is_enabled = kwargs.get('is_enabled', None) - self.status_in_mcas = None + super(WatchlistList, self).__init__(**kwargs) + self.next_link = None + self.value = kwargs['value'] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py index 29010ed670f..b212ef46fdc 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_models_py3.py 
@@ -7,15 +7,45 @@ # -------------------------------------------------------------------------- import datetime -from typing import List, Optional, Union +from typing import Dict, List, Optional, Union import msrest.serialization from ._security_insights_enums import * -class ResourceWithEtag(msrest.serialization.Model): - """An azure resource object with an Etag property. +class EntityKind(msrest.serialization.Model): + """Describes an entity with kind. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + """ + + _validation = { + 'kind': {'required': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(EntityKind, self).__init__(**kwargs) + self.kind = kind + + +class Resource(msrest.serialization.Model): + """An azure resource object. Variables are only populated by the server, and will be ignored when sending a request. 
@@ -25,204 +55,339 @@ class ResourceWithEtag(msrest.serialization.Model): :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, } def __init__( self, - *, - etag: Optional[str] = None, **kwargs ): - super(ResourceWithEtag, self).__init__(**kwargs) + super(Resource, self).__init__(**kwargs) self.id = None self.name = None self.type = None - self.etag = etag - + self.system_data = None -class DataConnector(ResourceWithEtag): - """Data connector. - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: AwsCloudTrailDataConnector, AADDataConnector, AATPDataConnector, ASCDataConnector, MCASDataConnector, MDATPDataConnector, OfficeDataConnector, TIDataConnector. +class Entity(Resource, EntityKind): + """Specific entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. 
:vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'AmazonWebServicesCloudTrail': 'AwsCloudTrailDataConnector', 'AzureActiveDirectory': 'AADDataConnector', 'AzureAdvancedThreatProtection': 'AATPDataConnector', 'AzureSecurityCenter': 'ASCDataConnector', 'MicrosoftCloudAppSecurity': 'MCASDataConnector', 'MicrosoftDefenderAdvancedThreatProtection': 'MDATPDataConnector', 'Office365': 'OfficeDataConnector', 'ThreatIntelligence': 'TIDataConnector'} + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, } def __init__( self, *, - etag: Optional[str] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(DataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'DataConnector' # type: str + super(Entity, self).__init__(kind=kind, **kwargs) + self.kind = kind + self.id = None + 
self.name = None + self.type = None + self.system_data = None -class AADDataConnector(DataConnector): - """Represents AAD (Azure Active Directory) data connector. +class AccountEntity(Entity): + """Represents an account entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar aad_tenant_id: The Azure Active Directory tenant id. + :vartype aad_tenant_id: str + :ivar aad_user_id: The Azure Active Directory user id. + :vartype aad_user_id: str + :ivar account_name: The name of the account. This field should hold only the name without any + domain added to it, i.e. administrator. + :vartype account_name: str + :ivar display_name: The display name of the account. + :vartype display_name: str + :ivar host_entity_id: The Host entity id that contains the account in case it is a local + account (not domain joined). + :vartype host_entity_id: str + :ivar is_domain_joined: Determines whether this is a domain account. + :vartype is_domain_joined: bool + :ivar nt_domain: The NetBIOS domain name as it appears in the alert format – domain\username. + Examples: NT AUTHORITY. + :vartype nt_domain: str + :ivar object_guid: The objectGUID attribute is a single-value attribute that is the unique + identifier for the object, assigned by active directory. + :vartype object_guid: str + :ivar puid: The Azure Active Directory Passport User ID. + :vartype puid: str + :ivar sid: The account security identifier, e.g. S-1-5-18. + :vartype sid: str + :ivar upn_suffix: The user principal name suffix for the account, in some cases it is also the + domain name. Examples: contoso.com. + :vartype upn_suffix: str + :ivar dns_domain: The fully qualified domain DNS name. 
+ :vartype dns_domain: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'aad_tenant_id': {'readonly': True}, + 'aad_user_id': {'readonly': True}, + 'account_name': {'readonly': True}, + 'display_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'puid': {'readonly': True}, + 'sid': {'readonly': True}, + 'upn_suffix': {'readonly': True}, + 'dns_domain': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'aad_tenant_id': {'key': 'properties.aadTenantId', 'type': 'str'}, + 'aad_user_id': {'key': 'properties.aadUserId', 'type': 'str'}, + 'account_name': {'key': 'properties.accountName', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + 'is_domain_joined': {'key': 'properties.isDomainJoined', 'type': 'bool'}, + 'nt_domain': {'key': 'properties.ntDomain', 'type': 'str'}, + 'object_guid': {'key': 'properties.objectGuid', 'type': 'str'}, + 'puid': {'key': 'properties.puid', 'type': 'str'}, + 'sid': {'key': 'properties.sid', 'type': 'str'}, + 
'upn_suffix': {'key': 'properties.upnSuffix', 'type': 'str'}, + 'dns_domain': {'key': 'properties.dnsDomain', 'type': 'str'}, } def __init__( self, *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(AADDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AzureActiveDirectory' # type: str - self.tenant_id = tenant_id - self.state = state + super(AccountEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.aad_tenant_id = None + self.aad_user_id = None + self.account_name = None + self.display_name = None + self.host_entity_id = None + self.is_domain_joined = None + self.nt_domain = None + self.object_guid = None + self.puid = None + self.sid = None + self.upn_suffix = None + self.dns_domain = None -class AATPDataConnector(DataConnector): - """Represents AATP (Azure Advanced Threat Protection) data connector. +class EntityCommonProperties(msrest.serialization.Model): + """Entity common property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + """ - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. 
Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(EntityCommonProperties, self).__init__(**kwargs) + self.additional_data = None + self.friendly_name = None + + +class AccountEntityProperties(EntityCommonProperties): + """Account entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar aad_tenant_id: The Azure Active Directory tenant id. + :vartype aad_tenant_id: str + :ivar aad_user_id: The Azure Active Directory user id. + :vartype aad_user_id: str + :ivar account_name: The name of the account. This field should hold only the name without any + domain added to it, i.e. administrator. + :vartype account_name: str + :ivar display_name: The display name of the account. 
+ :vartype display_name: str + :ivar host_entity_id: The Host entity id that contains the account in case it is a local + account (not domain joined). + :vartype host_entity_id: str + :ivar is_domain_joined: Determines whether this is a domain account. + :vartype is_domain_joined: bool + :ivar nt_domain: The NetBIOS domain name as it appears in the alert format – domain\username. + Examples: NT AUTHORITY. + :vartype nt_domain: str + :ivar object_guid: The objectGUID attribute is a single-value attribute that is the unique + identifier for the object, assigned by active directory. + :vartype object_guid: str + :ivar puid: The Azure Active Directory Passport User ID. + :vartype puid: str + :ivar sid: The account security identifier, e.g. S-1-5-18. + :vartype sid: str + :ivar upn_suffix: The user principal name suffix for the account, in some cases it is also the + domain name. Examples: contoso.com. + :vartype upn_suffix: str + :ivar dns_domain: The fully qualified domain DNS name. + :vartype dns_domain: str """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'aad_tenant_id': {'readonly': True}, + 'aad_user_id': {'readonly': True}, + 'account_name': {'readonly': True}, + 'display_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'puid': {'readonly': True}, + 'sid': {'readonly': True}, + 'upn_suffix': {'readonly': True}, + 'dns_domain': {'readonly': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 
'dataTypes.alerts.state', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'aad_tenant_id': {'key': 'aadTenantId', 'type': 'str'}, + 'aad_user_id': {'key': 'aadUserId', 'type': 'str'}, + 'account_name': {'key': 'accountName', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + 'is_domain_joined': {'key': 'isDomainJoined', 'type': 'bool'}, + 'nt_domain': {'key': 'ntDomain', 'type': 'str'}, + 'object_guid': {'key': 'objectGuid', 'type': 'str'}, + 'puid': {'key': 'puid', 'type': 'str'}, + 'sid': {'key': 'sid', 'type': 'str'}, + 'upn_suffix': {'key': 'upnSuffix', 'type': 'str'}, + 'dns_domain': {'key': 'dnsDomain', 'type': 'str'}, } def __init__( self, - *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, **kwargs ): - super(AATPDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AzureAdvancedThreatProtection' # type: str - self.tenant_id = tenant_id - self.state = state + super(AccountEntityProperties, self).__init__(**kwargs) + self.aad_tenant_id = None + self.aad_user_id = None + self.account_name = None + self.display_name = None + self.host_entity_id = None + self.is_domain_joined = None + self.nt_domain = None + self.object_guid = None + self.puid = None + self.sid = None + self.upn_suffix = None + self.dns_domain = None class ActionPropertiesBase(msrest.serialization.Model): 
@@ -254,6 +419,49 @@ def __init__( self.logic_app_resource_id = logic_app_resource_id +class ResourceWithEtag(Resource): + """An azure resource object with an Etag property. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + } + + def __init__( + self, + *, + etag: Optional[str] = None, + **kwargs + ): + super(ResourceWithEtag, self).__init__(**kwargs) + self.etag = etag + + class ActionRequest(ResourceWithEtag): """Action for alert rule. @@ -265,6 +473,9 @@ class ActionRequest(ResourceWithEtag): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- 
@@ -279,12 +490,14 @@ class ActionRequest(ResourceWithEtag): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, 'trigger_uri': {'key': 'properties.triggerUri', 'type': 'str'}, @@ -312,12 +525,13 @@ class ActionRequestProperties(ActionPropertiesBase): subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- workflow-id}. :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. + :param trigger_uri: Required. Logic App Callback URL for this specific workflow. :type trigger_uri: str """ _validation = { 'logic_app_resource_id': {'required': True}, + 'trigger_uri': {'required': True}, } _attribute_map = { 
@@ -329,48 +543,13 @@ def __init__( self, *, logic_app_resource_id: str, - trigger_uri: Optional[str] = None, + trigger_uri: str, **kwargs ): super(ActionRequestProperties, self).__init__(logic_app_resource_id=logic_app_resource_id, **kwargs) self.trigger_uri = trigger_uri -class Resource(msrest.serialization.Model): - """An azure resource object. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - """ - - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - } - - _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - } - - def __init__( - self, - **kwargs - ): - super(Resource, self).__init__(**kwargs) - self.id = None - self.name = None - self.type = None - - class ActionResponse(Resource): """Action for alert rule. @@ -382,6 +561,9 @@ class ActionResponse(Resource): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the action. :type etag: str :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- 
@@ -396,12 +578,14 @@ class ActionResponse(Resource): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'logic_app_resource_id': {'key': 'properties.logicAppResourceId', 'type': 'str'}, 'workflow_id': {'key': 'properties.workflowId', 'type': 'str'}, @@ -504,6 +688,9 @@ class AlertRule(ResourceWithEtag): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: @@ -515,6 +702,7 @@ class AlertRule(ResourceWithEtag): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, } @@ -522,6 +710,7 @@ class AlertRule(ResourceWithEtag): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'kind': {'key': 'kind', 'type': 'str'}, } 
@@ -590,6 +779,9 @@ class AlertRuleTemplate(Resource): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". :type kind: str or ~security_insights.models.AlertRuleKind @@ -599,6 +791,7 @@ class AlertRuleTemplate(Resource): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, } @@ -606,6 +799,7 @@ class AlertRuleTemplate(Resource): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'kind': {'key': 'kind', 'type': 'str'}, } 
@@ -681,464 +875,429 @@ def __init__( self.value = value -class AlertsDataTypeOfDataConnector(msrest.serialization.Model): - """Alerts data type for data connectors. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(AlertsDataTypeOfDataConnector, self).__init__(**kwargs) - self.state = state - - -class ASCDataConnector(DataConnector): - """Represents ASC (Azure Security Center) data connector. +class AzureResourceEntity(Entity): + """Represents an azure resource entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". 
- :type kind: str or ~security_insights.models.DataConnectorKind - :param subscription_id: The subscription id to connect to, and get the data from. - :type subscription_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar resource_id: The azure resource id of the resource. + :vartype resource_id: str + :ivar subscription_id: The subscription id of the resource. 
+ :vartype subscription_id: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'resource_id': {'readonly': True}, + 'subscription_id': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'resource_id': {'key': 'properties.resourceId', 'type': 'str'}, 'subscription_id': {'key': 'properties.subscriptionId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, } def __init__( self, *, - etag: Optional[str] = None, - subscription_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(ASCDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AzureSecurityCenter' # type: str - self.subscription_id = subscription_id - self.state = state + super(AzureResourceEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.resource_id = None + self.subscription_id = None + +class AzureResourceEntityProperties(EntityCommonProperties): + """AzureResource entity property bag. -class DataConnectorWithAlertsProperties(msrest.serialization.Model): - """Data connector properties. + Variables are only populated by the server, and will be ignored when sending a request. - :param data_types: The available data types for the connector. 
- :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar resource_id: The azure resource id of the resource. + :vartype resource_id: str + :ivar subscription_id: The subscription id of the resource. + :vartype subscription_id: str """ + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'resource_id': {'readonly': True}, + 'subscription_id': {'readonly': True}, + } + _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'resource_id': {'key': 'resourceId', 'type': 'str'}, + 'subscription_id': {'key': 'subscriptionId', 'type': 'str'}, } def __init__( self, - *, - data_types: Optional["AlertsDataTypeOfDataConnector"] = None, **kwargs ): - super(DataConnectorWithAlertsProperties, self).__init__(**kwargs) - self.data_types = data_types + super(AzureResourceEntityProperties, self).__init__(**kwargs) + self.resource_id = None + self.subscription_id = None -class ASCDataConnectorProperties(DataConnectorWithAlertsProperties): - """ASC (Azure Security Center) data connector properties. +class ClientInfo(msrest.serialization.Model): + """Information on the client (user or application) that made some action. - :param data_types: The available data types for the connector. - :type data_types: ~security_insights.models.AlertsDataTypeOfDataConnector - :param subscription_id: The subscription id to connect to, and get the data from. 
- :type subscription_id: str + :param email: The email of the client. + :type email: str + :param name: The name of the client. + :type name: str + :param object_id: The object id of the client. + :type object_id: str + :param user_principal_name: The user principal name of the client. + :type user_principal_name: str """ _attribute_map = { - 'data_types': {'key': 'dataTypes', 'type': 'AlertsDataTypeOfDataConnector'}, - 'subscription_id': {'key': 'subscriptionId', 'type': 'str'}, + 'email': {'key': 'email', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'object_id': {'key': 'objectId', 'type': 'str'}, + 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, } def __init__( self, *, - data_types: Optional["AlertsDataTypeOfDataConnector"] = None, - subscription_id: Optional[str] = None, + email: Optional[str] = None, + name: Optional[str] = None, + object_id: Optional[str] = None, + user_principal_name: Optional[str] = None, **kwargs ): - super(ASCDataConnectorProperties, self).__init__(data_types=data_types, **kwargs) - self.subscription_id = subscription_id + super(ClientInfo, self).__init__(**kwargs) + self.email = email + self.name = name + self.object_id = object_id + self.user_principal_name = user_principal_name -class AwsCloudTrailDataConnector(DataConnector): - """Represents Amazon Web Services CloudTrail data connector. +class CloudApplicationEntity(Entity): + """Represents a cloud application entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". 
+ :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param aws_role_arn: The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access - the Aws account. - :type aws_role_arn: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar app_id: The technical identifier of the application. + :vartype app_id: int + :ivar app_name: The name of the related cloud application. + :vartype app_name: str + :ivar instance_name: The user defined instance name of the cloud application. It is often used + to distinguish between several applications of the same type that a customer has. 
+ :vartype instance_name: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'app_id': {'readonly': True}, + 'app_name': {'readonly': True}, + 'instance_name': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'aws_role_arn': {'key': 'properties.awsRoleArn', 'type': 'str'}, - 'state': {'key': 'dataTypes.logs.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'app_id': {'key': 'properties.appId', 'type': 'int'}, + 'app_name': {'key': 'properties.appName', 'type': 'str'}, + 'instance_name': {'key': 'properties.instanceName', 'type': 'str'}, } def __init__( self, *, - etag: Optional[str] = None, - aws_role_arn: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(AwsCloudTrailDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'AmazonWebServicesCloudTrail' # type: str - self.aws_role_arn = aws_role_arn - self.state = state + super(CloudApplicationEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.app_id = None + self.app_name = None + self.instance_name = None -class DataConnectorDataTypeCommon(msrest.serialization.Model): - """Common field for data type in data connectors. 
+class CloudApplicationEntityProperties(EntityCommonProperties): + """CloudApplication entity property bag. - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar app_id: The technical identifier of the application. + :vartype app_id: int + :ivar app_name: The name of the related cloud application. + :vartype app_name: str + :ivar instance_name: The user defined instance name of the cloud application. It is often used + to distinguish between several applications of the same type that a customer has. + :vartype instance_name: str """ - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'app_id': {'readonly': True}, + 'app_name': {'readonly': True}, + 'instance_name': {'readonly': True}, } - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(DataConnectorDataTypeCommon, self).__init__(**kwargs) - self.state = state - - -class AwsCloudTrailDataConnectorDataTypesLogs(DataConnectorDataTypeCommon): - """Logs data type. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'app_id': {'key': 'appId', 'type': 'int'}, + 'app_name': {'key': 'appName', 'type': 'str'}, + 'instance_name': {'key': 'instanceName', 'type': 'str'}, } def __init__( self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, **kwargs ): - super(AwsCloudTrailDataConnectorDataTypesLogs, self).__init__(state=state, **kwargs) + super(CloudApplicationEntityProperties, self).__init__(**kwargs) + self.app_id = None + self.app_name = None + self.instance_name = None -class Bookmark(ResourceWithEtag): - """Represents a bookmark in Azure Security Insights. +class DnsEntity(Entity): + """Represents a dns entity. Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. 
- :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. - :type incident_info: ~security_insights.models.IncidentInfo - :ivar email_updated_by_email: The email of the user. - :vartype email_updated_by_email: str - :ivar name_updated_by_name: The name of the user. - :vartype name_updated_by_name: str - :param object_id_updated_by_object_id: The object id of the user. - :type object_id_updated_by_object_id: str - :ivar email_created_by_email: The email of the user. - :vartype email_created_by_email: str - :ivar name_created_by_name: The name of the user. - :vartype name_created_by_name: str - :param object_id_created_by_object_id: The object id of the user. - :type object_id_created_by_object_id: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar dns_server_ip_entity_id: An ip entity id for the dns server resolving the request. + :vartype dns_server_ip_entity_id: str + :ivar domain_name: The name of the dns record associated with the alert. + :vartype domain_name: str + :ivar host_ip_address_entity_id: An ip entity id for the dns request client. + :vartype host_ip_address_entity_id: str + :ivar ip_address_entity_ids: Ip entity identifiers for the resolved ip address. 
+ :vartype ip_address_entity_ids: list[str] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'email_updated_by_email': {'readonly': True}, - 'name_updated_by_name': {'readonly': True}, - 'email_created_by_email': {'readonly': True}, - 'name_created_by_name': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'dns_server_ip_entity_id': {'readonly': True}, + 'domain_name': {'readonly': True}, + 'host_ip_address_entity_id': {'readonly': True}, + 'ip_address_entity_ids': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'created': {'key': 'properties.created', 'type': 'iso-8601'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'labels': {'key': 'properties.labels', 'type': '[str]'}, - 'notes': {'key': 'properties.notes', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_result': {'key': 'properties.queryResult', 'type': 'str'}, - 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, - 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'}, - 'email_updated_by_email': {'key': 'updatedBy.email', 'type': 'str'}, - 'name_updated_by_name': {'key': 'updatedBy.name', 'type': 'str'}, - 'object_id_updated_by_object_id': {'key': 'updatedBy.objectId', 'type': 'str'}, - 'email_created_by_email': {'key': 'createdBy.email', 'type': 'str'}, - 'name_created_by_name': {'key': 'createdBy.name', 'type': 'str'}, - 'object_id_created_by_object_id': {'key': 'createdBy.objectId', 'type': 'str'}, - } - - def __init__( - self, - *, - etag: Optional[str] = None, - created: Optional[datetime.datetime] = None, - display_name: Optional[str] = None, - labels: 
Optional[List[str]] = None, - notes: Optional[str] = None, - query: Optional[str] = None, - query_result: Optional[str] = None, - updated: Optional[datetime.datetime] = None, - incident_info: Optional["IncidentInfo"] = None, - object_id_updated_by_object_id: Optional[str] = None, - object_id_created_by_object_id: Optional[str] = None, - **kwargs - ): - super(Bookmark, self).__init__(etag=etag, **kwargs) - self.created = created - self.display_name = display_name - self.labels = labels - self.notes = notes - self.query = query - self.query_result = query_result - self.updated = updated - self.incident_info = incident_info - self.email_updated_by_email = None - self.name_updated_by_name = None - self.object_id_updated_by_object_id = object_id_updated_by_object_id - self.email_created_by_email = None - self.name_created_by_name = None - self.object_id_created_by_object_id = object_id_created_by_object_id - - -class BookmarkList(msrest.serialization.Model): - """List all the bookmarks. - - Variables are only populated by the server, and will be ignored when sending a request. - - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of cases. - :vartype next_link: str - :param value: Required. Array of bookmarks. - :type value: list[~security_insights.models.Bookmark] - """ - - _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, - } - - _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[Bookmark]'}, - } - - def __init__( - self, - *, - value: List["Bookmark"], - **kwargs - ): - super(BookmarkList, self).__init__(**kwargs) - self.next_link = None - self.value = value - - -class ClientInfo(msrest.serialization.Model): - """Information on the client (user or application) that made some action. - - :param email: The email of the client. - :type email: str - :param name: The name of the client. 
- :type name: str - :param object_id: The object id of the client. - :type object_id: str - :param user_principal_name: The user principal name of the client. - :type user_principal_name: str - """ - - _attribute_map = { - 'email': {'key': 'email', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'object_id': {'key': 'objectId', 'type': 'str'}, - 'user_principal_name': {'key': 'userPrincipalName', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'dns_server_ip_entity_id': {'key': 'properties.dnsServerIpEntityId', 'type': 'str'}, + 'domain_name': {'key': 'properties.domainName', 'type': 'str'}, + 'host_ip_address_entity_id': {'key': 'properties.hostIpAddressEntityId', 'type': 'str'}, + 'ip_address_entity_ids': {'key': 'properties.ipAddressEntityIds', 'type': '[str]'}, } def __init__( self, *, - email: Optional[str] = None, - name: Optional[str] = None, - object_id: Optional[str] = None, - user_principal_name: Optional[str] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(ClientInfo, self).__init__(**kwargs) - self.email = email - self.name = name - self.object_id = object_id - self.user_principal_name = user_principal_name + super(DnsEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.dns_server_ip_entity_id = None + self.domain_name = None + self.host_ip_address_entity_id = None + self.ip_address_entity_ids = None -class DataConnectorList(msrest.serialization.Model): - """List all the data connectors. +class DnsEntityProperties(EntityCommonProperties): + """Dns entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of data connectors. 
- :vartype next_link: str - :param value: Required. Array of data connectors. - :type value: list[~security_insights.models.DataConnector] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar dns_server_ip_entity_id: An ip entity id for the dns server resolving the request. + :vartype dns_server_ip_entity_id: str + :ivar domain_name: The name of the dns record associated with the alert. + :vartype domain_name: str + :ivar host_ip_address_entity_id: An ip entity id for the dns request client. + :vartype host_ip_address_entity_id: str + :ivar ip_address_entity_ids: Ip entity identifiers for the resolved ip address. + :vartype ip_address_entity_ids: list[str] """ _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'dns_server_ip_entity_id': {'readonly': True}, + 'domain_name': {'readonly': True}, + 'host_ip_address_entity_id': {'readonly': True}, + 'ip_address_entity_ids': {'readonly': True}, } _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[DataConnector]'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'dns_server_ip_entity_id': {'key': 'dnsServerIpEntityId', 'type': 'str'}, + 'domain_name': {'key': 'domainName', 'type': 'str'}, + 'host_ip_address_entity_id': {'key': 'hostIpAddressEntityId', 'type': 'str'}, + 'ip_address_entity_ids': {'key': 'ipAddressEntityIds', 'type': '[str]'}, } def __init__( self, - *, - value: List["DataConnector"], **kwargs ): - super(DataConnectorList, 
self).__init__(**kwargs) - self.next_link = None - self.value = value + super(DnsEntityProperties, self).__init__(**kwargs) + self.dns_server_ip_entity_id = None + self.domain_name = None + self.host_ip_address_entity_id = None + self.ip_address_entity_ids = None -class DataConnectorTenantId(msrest.serialization.Model): - """Properties data connector on tenant level. +class EntityEdges(msrest.serialization.Model): + """The edge that connects the entity to the other entity. - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str + :param target_entity_id: The target entity Id. + :type target_entity_id: str + :param additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :type additional_data: dict[str, object] """ _attribute_map = { - 'tenant_id': {'key': 'tenantId', 'type': 'str'}, + 'target_entity_id': {'key': 'targetEntityId', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, } def __init__( self, *, - tenant_id: Optional[str] = None, + target_entity_id: Optional[str] = None, + additional_data: Optional[Dict[str, object]] = None, **kwargs ): - super(DataConnectorTenantId, self).__init__(**kwargs) - self.tenant_id = tenant_id + super(EntityEdges, self).__init__(**kwargs) + self.target_entity_id = target_entity_id + self.additional_data = additional_data class ErrorAdditionalInfo(msrest.serialization.Model): @@ -1172,7 +1331,7 @@ def __init__( class ErrorResponse(msrest.serialization.Model): - """The resource management error response. + """Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.). Variables are only populated by the server, and will be ignored when sending a request. 
@@ -1216,6 +1375,248 @@ def __init__( self.additional_info = None +class FileEntity(Entity): + """Represents a file entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar directory: The full path to the file. + :vartype directory: str + :ivar file_hash_entity_ids: The file hash entity identifiers associated with this file. + :vartype file_hash_entity_ids: list[str] + :ivar file_name: The file name without path (some alerts might not include path). + :vartype file_name: str + :ivar host_entity_id: The Host entity id which the file belongs to. 
+ :vartype host_entity_id: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'directory': {'readonly': True}, + 'file_hash_entity_ids': {'readonly': True}, + 'file_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'directory': {'key': 'properties.directory', 'type': 'str'}, + 'file_hash_entity_ids': {'key': 'properties.fileHashEntityIds', 'type': '[str]'}, + 'file_name': {'key': 'properties.fileName', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(FileEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.directory = None + self.file_hash_entity_ids = None + self.file_name = None + self.host_entity_id = None + + +class FileEntityProperties(EntityCommonProperties): + """File entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. 
+ :vartype friendly_name: str + :ivar directory: The full path to the file. + :vartype directory: str + :ivar file_hash_entity_ids: The file hash entity identifiers associated with this file. + :vartype file_hash_entity_ids: list[str] + :ivar file_name: The file name without path (some alerts might not include path). + :vartype file_name: str + :ivar host_entity_id: The Host entity id which the file belongs to. + :vartype host_entity_id: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'directory': {'readonly': True}, + 'file_hash_entity_ids': {'readonly': True}, + 'file_name': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'directory': {'key': 'directory', 'type': 'str'}, + 'file_hash_entity_ids': {'key': 'fileHashEntityIds', 'type': '[str]'}, + 'file_name': {'key': 'fileName', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(FileEntityProperties, self).__init__(**kwargs) + self.directory = None + self.file_hash_entity_ids = None + self.file_name = None + self.host_entity_id = None + + +class FileHashEntity(Entity): + """Represents a file hash entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. 
+ :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar algorithm: The hash algorithm type. Possible values include: "Unknown", "MD5", "SHA1", + "SHA256", "SHA256AC". + :vartype algorithm: str or ~security_insights.models.FileHashAlgorithm + :ivar hash_value: The file hash value. + :vartype hash_value: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'algorithm': {'readonly': True}, + 'hash_value': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'algorithm': {'key': 'properties.algorithm', 'type': 'str'}, + 'hash_value': {'key': 'properties.hashValue', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(FileHashEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = 
None + self.algorithm = None + self.hash_value = None + + +class FileHashEntityProperties(EntityCommonProperties): + """FileHash entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar algorithm: The hash algorithm type. Possible values include: "Unknown", "MD5", "SHA1", + "SHA256", "SHA256AC". + :vartype algorithm: str or ~security_insights.models.FileHashAlgorithm + :ivar hash_value: The file hash value. + :vartype hash_value: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'algorithm': {'readonly': True}, + 'hash_value': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'algorithm': {'key': 'algorithm', 'type': 'str'}, + 'hash_value': {'key': 'hashValue', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(FileHashEntityProperties, self).__init__(**kwargs) + self.algorithm = None + self.hash_value = None + + class FusionAlertRule(AlertRule): """Represents Fusion alert rule. @@ -1229,6 +1630,9 @@ class FusionAlertRule(AlertRule): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: 
@@ -1255,6 +1659,7 @@ class FusionAlertRule(AlertRule): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, 'description': {'readonly': True}, 'display_name': {'readonly': True}, @@ -1267,6 +1672,7 @@ class FusionAlertRule(AlertRule): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'kind': {'key': 'kind', 'type': 'str'}, 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, @@ -1310,6 +1716,9 @@ class FusionAlertRuleTemplate(AlertRuleTemplate): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". :type kind: str or ~security_insights.models.AlertRuleKind @@ -1338,6 +1747,7 @@ class FusionAlertRuleTemplate(AlertRuleTemplate): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, 'created_date_utc': {'readonly': True}, } @@ -1346,6 +1756,7 @@ class FusionAlertRuleTemplate(AlertRuleTemplate): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'kind': {'key': 'kind', 'type': 'str'}, 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, 
@@ -1381,18 +1792,475 @@ def __init__( self.tactics = tactics -class Incident(ResourceWithEtag): - """Represents an incident in Azure Security Insights. +class GeoLocation(msrest.serialization.Model): + """The geo-location context attached to the ip entity. Variables are only populated by the server, and will be ignored when sending a request. - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. + :ivar asn: Autonomous System Number. + :vartype asn: int + :ivar city: City name. + :vartype city: str + :ivar country_code: The country code according to ISO 3166 format. + :vartype country_code: str + :ivar country_name: Country name according to ISO 3166 Alpha 2: the lowercase of the English + Short Name. + :vartype country_name: str + :ivar latitude: The longitude of the identified location, expressed as a floating point number + with range of -180 to 180, with positive numbers representing East and negative numbers + representing West. Latitude and longitude are derived from the city or postal code. + :vartype latitude: float + :ivar longitude: The latitude of the identified location, expressed as a floating point number + with range of - 90 to 90, with positive numbers representing North and negative numbers + representing South. Latitude and longitude are derived from the city or postal code. + :vartype longitude: float + :ivar state: State name. 
+ :vartype state: str + """ + + _validation = { + 'asn': {'readonly': True}, + 'city': {'readonly': True}, + 'country_code': {'readonly': True}, + 'country_name': {'readonly': True}, + 'latitude': {'readonly': True}, + 'longitude': {'readonly': True}, + 'state': {'readonly': True}, + } + + _attribute_map = { + 'asn': {'key': 'asn', 'type': 'int'}, + 'city': {'key': 'city', 'type': 'str'}, + 'country_code': {'key': 'countryCode', 'type': 'str'}, + 'country_name': {'key': 'countryName', 'type': 'str'}, + 'latitude': {'key': 'latitude', 'type': 'float'}, + 'longitude': {'key': 'longitude', 'type': 'float'}, + 'state': {'key': 'state', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(GeoLocation, self).__init__(**kwargs) + self.asn = None + self.city = None + self.country_code = None + self.country_name = None + self.latitude = None + self.longitude = None + self.state = None + + +class HostEntity(Entity): + """Represents a host entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. 
+ :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar azure_id: The azure resource id of the VM. + :vartype azure_id: str + :ivar dns_domain: The DNS domain that this host belongs to. Should contain the compete DNS + suffix for the domain. + :vartype dns_domain: str + :ivar host_name: The hostname without the domain suffix. + :vartype host_name: str + :ivar is_domain_joined: Determines whether this host belongs to a domain. + :vartype is_domain_joined: bool + :ivar net_bios_name: The host name (pre-windows2000). + :vartype net_bios_name: str + :ivar nt_domain: The NT domain that this host belongs to. + :vartype nt_domain: str + :ivar oms_agent_id: The OMS agent id, if the host has OMS agent installed. + :vartype oms_agent_id: str + :param os_family: The operating system type. Possible values include: "Linux", "Windows", + "Android", "IOS", "Unknown". + :type os_family: str or ~security_insights.models.OsFamily + :ivar os_version: A free text representation of the operating system. This field is meant to + hold specific versions the are more fine grained than OSFamily or future values not supported + by OSFamily enumeration. 
+ :vartype os_version: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'azure_id': {'readonly': True}, + 'dns_domain': {'readonly': True}, + 'host_name': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'net_bios_name': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'oms_agent_id': {'readonly': True}, + 'os_version': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'azure_id': {'key': 'properties.azureID', 'type': 'str'}, + 'dns_domain': {'key': 'properties.dnsDomain', 'type': 'str'}, + 'host_name': {'key': 'properties.hostName', 'type': 'str'}, + 'is_domain_joined': {'key': 'properties.isDomainJoined', 'type': 'bool'}, + 'net_bios_name': {'key': 'properties.netBiosName', 'type': 'str'}, + 'nt_domain': {'key': 'properties.ntDomain', 'type': 'str'}, + 'oms_agent_id': {'key': 'properties.omsAgentID', 'type': 'str'}, + 'os_family': {'key': 'properties.osFamily', 'type': 'str'}, + 'os_version': {'key': 'properties.osVersion', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + os_family: Optional[Union[str, "OsFamily"]] = None, + **kwargs + ): + super(HostEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.azure_id = None + self.dns_domain = None + self.host_name = None + self.is_domain_joined = None + self.net_bios_name = None + self.nt_domain = None + 
self.oms_agent_id = None + self.os_family = os_family + self.os_version = None + + +class HostEntityProperties(EntityCommonProperties): + """Host entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar azure_id: The azure resource id of the VM. + :vartype azure_id: str + :ivar dns_domain: The DNS domain that this host belongs to. Should contain the compete DNS + suffix for the domain. + :vartype dns_domain: str + :ivar host_name: The hostname without the domain suffix. + :vartype host_name: str + :ivar is_domain_joined: Determines whether this host belongs to a domain. + :vartype is_domain_joined: bool + :ivar net_bios_name: The host name (pre-windows2000). + :vartype net_bios_name: str + :ivar nt_domain: The NT domain that this host belongs to. + :vartype nt_domain: str + :ivar oms_agent_id: The OMS agent id, if the host has OMS agent installed. + :vartype oms_agent_id: str + :param os_family: The operating system type. Possible values include: "Linux", "Windows", + "Android", "IOS", "Unknown". + :type os_family: str or ~security_insights.models.OsFamily + :ivar os_version: A free text representation of the operating system. This field is meant to + hold specific versions the are more fine grained than OSFamily or future values not supported + by OSFamily enumeration. 
+ :vartype os_version: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'azure_id': {'readonly': True}, + 'dns_domain': {'readonly': True}, + 'host_name': {'readonly': True}, + 'is_domain_joined': {'readonly': True}, + 'net_bios_name': {'readonly': True}, + 'nt_domain': {'readonly': True}, + 'oms_agent_id': {'readonly': True}, + 'os_version': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'azure_id': {'key': 'azureID', 'type': 'str'}, + 'dns_domain': {'key': 'dnsDomain', 'type': 'str'}, + 'host_name': {'key': 'hostName', 'type': 'str'}, + 'is_domain_joined': {'key': 'isDomainJoined', 'type': 'bool'}, + 'net_bios_name': {'key': 'netBiosName', 'type': 'str'}, + 'nt_domain': {'key': 'ntDomain', 'type': 'str'}, + 'oms_agent_id': {'key': 'omsAgentID', 'type': 'str'}, + 'os_family': {'key': 'osFamily', 'type': 'str'}, + 'os_version': {'key': 'osVersion', 'type': 'str'}, + } + + def __init__( + self, + *, + os_family: Optional[Union[str, "OsFamily"]] = None, + **kwargs + ): + super(HostEntityProperties, self).__init__(**kwargs) + self.azure_id = None + self.dns_domain = None + self.host_name = None + self.is_domain_joined = None + self.net_bios_name = None + self.nt_domain = None + self.oms_agent_id = None + self.os_family = os_family + self.os_version = None + + +class HuntingBookmark(Entity): + """Represents a Hunting bookmark entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param created: The time the bookmark was created. + :type created: ~datetime.datetime + :param created_by: Describes a user that created the bookmark. + :type created_by: ~security_insights.models.UserInfo + :param display_name: The display name of the bookmark. + :type display_name: str + :param event_time: The time of the event. + :type event_time: ~datetime.datetime + :param labels: List of labels relevant to this bookmark. + :type labels: list[str] + :param notes: The notes of the bookmark. + :type notes: str + :param query: The query of the bookmark. + :type query: str + :param query_result: The query result of the bookmark. + :type query_result: str + :param updated: The last time the bookmark was updated. + :type updated: ~datetime.datetime + :param updated_by: Describes a user that updated the bookmark. 
+ :type updated_by: ~security_insights.models.UserInfo + :param incident_info: Describes an incident that relates to bookmark. + :type incident_info: ~security_insights.models.IncidentInfo + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'iso-8601'}, + 'created_by': {'key': 'properties.createdBy', 'type': 'UserInfo'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'event_time': {'key': 'properties.eventTime', 'type': 'iso-8601'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'notes': {'key': 'properties.notes', 'type': 'str'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_result': {'key': 'properties.queryResult', 'type': 'str'}, + 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, + 'updated_by': {'key': 'properties.updatedBy', 'type': 'UserInfo'}, + 'incident_info': {'key': 'properties.incidentInfo', 'type': 'IncidentInfo'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + created: Optional[datetime.datetime] = None, + created_by: Optional["UserInfo"] = None, + display_name: Optional[str] = None, + event_time: Optional[datetime.datetime] = None, + labels: Optional[List[str]] = None, + notes: Optional[str] = None, + query: Optional[str] = None, + query_result: Optional[str] = None, + updated: Optional[datetime.datetime] 
= None, + updated_by: Optional["UserInfo"] = None, + incident_info: Optional["IncidentInfo"] = None, + **kwargs + ): + super(HuntingBookmark, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.created = created + self.created_by = created_by + self.display_name = display_name + self.event_time = event_time + self.labels = labels + self.notes = notes + self.query = query + self.query_result = query_result + self.updated = updated + self.updated_by = updated_by + self.incident_info = incident_info + + +class HuntingBookmarkProperties(EntityCommonProperties): + """Describes bookmark properties. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param created: The time the bookmark was created. + :type created: ~datetime.datetime + :param created_by: Describes a user that created the bookmark. + :type created_by: ~security_insights.models.UserInfo + :param display_name: Required. The display name of the bookmark. + :type display_name: str + :param event_time: The time of the event. + :type event_time: ~datetime.datetime + :param labels: List of labels relevant to this bookmark. + :type labels: list[str] + :param notes: The notes of the bookmark. + :type notes: str + :param query: Required. The query of the bookmark. + :type query: str + :param query_result: The query result of the bookmark. + :type query_result: str + :param updated: The last time the bookmark was updated. 
+ :type updated: ~datetime.datetime + :param updated_by: Describes a user that updated the bookmark. + :type updated_by: ~security_insights.models.UserInfo + :param incident_info: Describes an incident that relates to bookmark. + :type incident_info: ~security_insights.models.IncidentInfo + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'display_name': {'required': True}, + 'query': {'required': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'created': {'key': 'created', 'type': 'iso-8601'}, + 'created_by': {'key': 'createdBy', 'type': 'UserInfo'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'event_time': {'key': 'eventTime', 'type': 'iso-8601'}, + 'labels': {'key': 'labels', 'type': '[str]'}, + 'notes': {'key': 'notes', 'type': 'str'}, + 'query': {'key': 'query', 'type': 'str'}, + 'query_result': {'key': 'queryResult', 'type': 'str'}, + 'updated': {'key': 'updated', 'type': 'iso-8601'}, + 'updated_by': {'key': 'updatedBy', 'type': 'UserInfo'}, + 'incident_info': {'key': 'incidentInfo', 'type': 'IncidentInfo'}, + } + + def __init__( + self, + *, + display_name: str, + query: str, + created: Optional[datetime.datetime] = None, + created_by: Optional["UserInfo"] = None, + event_time: Optional[datetime.datetime] = None, + labels: Optional[List[str]] = None, + notes: Optional[str] = None, + query_result: Optional[str] = None, + updated: Optional[datetime.datetime] = None, + updated_by: Optional["UserInfo"] = None, + incident_info: Optional["IncidentInfo"] = None, + **kwargs + ): + super(HuntingBookmarkProperties, self).__init__(**kwargs) + self.created = created + self.created_by = created_by + self.display_name = display_name + self.event_time = event_time + self.labels = labels + self.notes = notes + self.query = query + self.query_result = query_result + self.updated = updated + 
self.updated_by = updated_by + self.incident_info = incident_info + + +class Incident(ResourceWithEtag): + """Represents an incident in Azure Security Insights. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. :type etag: str :ivar additional_data: Additional data on the incident. :vartype additional_data: ~security_insights.models.IncidentAdditionalData @@ -1439,6 +2307,7 @@ class Incident(ResourceWithEtag): 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'additional_data': {'readonly': True}, 'created_time_utc': {'readonly': True}, 'incident_url': {'readonly': True}, @@ -1451,6 +2320,7 @@ class Incident(ResourceWithEtag): 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'additional_data': {'key': 'properties.additionalData', 'type': 'IncidentAdditionalData'}, 'classification': {'key': 'properties.classification', 'type': 'str'}, 
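Review bot: In the GeoLocation docstring the `latitude` and `longitude` descriptions are swapped: `latitude` is described as "The longitude ... -180 to 180 ... East/West" and `longitude` as "The latitude ... -90 to 90 ... North/South"; the lines should read `:ivar latitude: The latitude of the identified location, expressed as a floating point number with range of -90 to 90 ...` and `:ivar longitude: The longitude of the identified location, expressed as a floating point number with range of -180 to 180 ...`. The HostEntity and HostEntityProperties docstrings repeat two typos, `compete DNS suffix` for `complete DNS suffix` and `versions the are more fine grained` for `versions that are more fine grained`. Separately, HuntingBookmarkProperties marks `display_name` and `query` as required while the flattened HuntingBookmark leaves both optional; that probably mirrors the swagger definitions, but it is worth confirming the two were meant to diverge. Since this file appears to be generated (SDKAuto), the wording fixes belong in the REST spec rather than in this file.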
@@ -1553,111 +2423,234 @@ def __init__( self.tactics = None -class IncidentComment(Resource): - """Represents an incident comment. +class IncidentAlertList(msrest.serialization.Model): + """List of incident alerts. - Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :ivar created_time_utc: The time the comment was created. - :vartype created_time_utc: ~datetime.datetime - :param message: The comment message. - :type message: str - :ivar author: Describes the client that created the comment. - :vartype author: ~security_insights.models.ClientInfo + :param value: Required. Array of incident alerts. + :type value: list[~security_insights.models.SecurityAlert] """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'created_time_utc': {'readonly': True}, - 'author': {'readonly': True}, + 'value': {'required': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, - 'message': {'key': 'properties.message', 'type': 'str'}, - 'author': {'key': 'properties.author', 'type': 'ClientInfo'}, + 'value': {'key': 'value', 'type': '[SecurityAlert]'}, } def __init__( self, *, - message: Optional[str] = None, + value: List["SecurityAlert"], **kwargs ): - super(IncidentComment, self).__init__(**kwargs) - self.created_time_utc = None - self.message = message - self.author = None - + super(IncidentAlertList, self).__init__(**kwargs) + self.value = value -class IncidentCommentList(msrest.serialization.Model): - """List of incident comments. 
- Variables are only populated by the server, and will be ignored when sending a request. +class IncidentBookmarkList(msrest.serialization.Model): + """List of incident bookmarks. All required parameters must be populated in order to send to Azure. - :ivar next_link: URL to fetch the next set of comments. - :vartype next_link: str - :param value: Required. Array of comments. - :type value: list[~security_insights.models.IncidentComment] + :param value: Required. Array of incident bookmarks. + :type value: list[~security_insights.models.HuntingBookmark] """ _validation = { - 'next_link': {'readonly': True}, 'value': {'required': True}, } _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[IncidentComment]'}, + 'value': {'key': 'value', 'type': '[HuntingBookmark]'}, } def __init__( self, *, - value: List["IncidentComment"], + value: List["HuntingBookmark"], **kwargs ): - super(IncidentCommentList, self).__init__(**kwargs) + super(IncidentBookmarkList, self).__init__(**kwargs) + self.value = value + + +class IncidentComment(ResourceWithEtag): + """Represents an incident comment. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :ivar created_time_utc: The time the comment was created. + :vartype created_time_utc: ~datetime.datetime + :ivar last_modified_time_utc: The time the comment was updated. + :vartype last_modified_time_utc: ~datetime.datetime + :param message: The comment message. + :type message: str + :ivar author: Describes the client that created the comment. 
+ :vartype author: ~security_insights.models.ClientInfo + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'created_time_utc': {'readonly': True}, + 'last_modified_time_utc': {'readonly': True}, + 'author': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'created_time_utc': {'key': 'properties.createdTimeUtc', 'type': 'iso-8601'}, + 'last_modified_time_utc': {'key': 'properties.lastModifiedTimeUtc', 'type': 'iso-8601'}, + 'message': {'key': 'properties.message', 'type': 'str'}, + 'author': {'key': 'properties.author', 'type': 'ClientInfo'}, + } + + def __init__( + self, + *, + etag: Optional[str] = None, + message: Optional[str] = None, + **kwargs + ): + super(IncidentComment, self).__init__(etag=etag, **kwargs) + self.created_time_utc = None + self.last_modified_time_utc = None + self.message = message + self.author = None + + +class IncidentCommentList(msrest.serialization.Model): + """List of incident comments. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of comments. + :vartype next_link: str + :param value: Required. Array of comments. 
+ :type value: list[~security_insights.models.IncidentComment] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[IncidentComment]'}, + } + + def __init__( + self, + *, + value: List["IncidentComment"], + **kwargs + ): + super(IncidentCommentList, self).__init__(**kwargs) self.next_link = None self.value = value -class IncidentInfo(msrest.serialization.Model): - """Describes related incident information for the bookmark. +class IncidentEntitiesResponse(msrest.serialization.Model): + """The incident related entities response. + + :param entities: Array of the incident related entities. + :type entities: list[~security_insights.models.Entity] + :param meta_data: The metadata from the incident related entities results. + :type meta_data: list[~security_insights.models.IncidentEntitiesResultsMetadata] + """ + + _attribute_map = { + 'entities': {'key': 'entities', 'type': '[Entity]'}, + 'meta_data': {'key': 'metaData', 'type': '[IncidentEntitiesResultsMetadata]'}, + } + + def __init__( + self, + *, + entities: Optional[List["Entity"]] = None, + meta_data: Optional[List["IncidentEntitiesResultsMetadata"]] = None, + **kwargs + ): + super(IncidentEntitiesResponse, self).__init__(**kwargs) + self.entities = entities + self.meta_data = meta_data + + +class IncidentEntitiesResultsMetadata(msrest.serialization.Model): + """Information of a specific aggregation in the incident related entities result. All required parameters must be populated in order to send to Azure. - :param incident_id: Required. Incident Id. + :param count: Required. Total number of aggregations of the given kind in the incident related + entities result. + :type count: int + :param entity_kind: Required. The kind of the aggregated entity. 
Possible values include: + "Account", "Host", "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", + "Ip", "Malware", "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", + "IoTDevice", "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", + "SubmissionMail". + :type entity_kind: str or ~security_insights.models.EntityKindEnum + """ + + _validation = { + 'count': {'required': True}, + 'entity_kind': {'required': True}, + } + + _attribute_map = { + 'count': {'key': 'count', 'type': 'int'}, + 'entity_kind': {'key': 'entityKind', 'type': 'str'}, + } + + def __init__( + self, + *, + count: int, + entity_kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(IncidentEntitiesResultsMetadata, self).__init__(**kwargs) + self.count = count + self.entity_kind = entity_kind + + +class IncidentInfo(msrest.serialization.Model): + """Describes related incident information for the bookmark. + + :param incident_id: Incident Id. :type incident_id: str - :param severity: Required. The severity of the incident. Possible values include: "Critical", - "High", "Medium", "Low", "Informational". + :param severity: The severity of the incident. Possible values include: "Critical", "High", + "Medium", "Low", "Informational". :type severity: str or ~security_insights.models.CaseSeverity - :param title: Required. The title of the incident. + :param title: The title of the incident. :type title: str - :param relation_name: Required. Relation Name. + :param relation_name: Relation Name. :type relation_name: str """ - _validation = { - 'incident_id': {'required': True}, - 'severity': {'required': True}, - 'title': {'required': True}, - 'relation_name': {'required': True}, - } - _attribute_map = { 'incident_id': {'key': 'incidentId', 'type': 'str'}, 'severity': {'key': 'severity', 'type': 'str'}, 
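Review bot: `IncidentEntitiesResponse.entities` is typed `[Entity]`, a polymorphic base discriminated by `kind`; msrest picks the concrete subclass through `Entity._subtype_map`, which is not part of this hunk. If any value listed in `EntityKindEnum` (for example "SubmissionMail" or "MailCluster") has no mapping there, such items would deserialize as a bare `Entity` and their `properties.*` fields would be dropped without an error, so confirm that map covers every kind the docstring enumerates. A short comment on the `entities` entry would help the next maintainer, e.g. `# polymorphic: concrete entity classes are resolved via Entity._subtype_map`.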
@@ -1668,10 +2661,10 @@ class IncidentInfo(msrest.serialization.Model): def __init__( self, *, - incident_id: str, - severity: Union[str, "CaseSeverity"], - title: str, - relation_name: str, + incident_id: Optional[str] = None, + severity: Optional[Union[str, "CaseSeverity"]] = None, + title: Optional[str] = None, + relation_name: Optional[str] = None, **kwargs ): super(IncidentInfo, self).__init__(**kwargs) 
@@ -1785,540 +2778,1247 @@ def __init__( self.user_principal_name = user_principal_name -class MCASDataConnector(DataConnector): - """Represents MCAS (Microsoft Cloud App Security) data connector. +class IoTDeviceEntity(Entity): + """Represents an IoT device entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_alerts_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". - :type state_data_types_alerts_state: str or ~security_insights.models.DataTypeState - :param state_data_types_discovery_logs_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". 
- :type state_data_types_discovery_logs_state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar device_id: The ID of the IoT Device in the IoT Hub. + :vartype device_id: str + :ivar device_name: The friendly name of the device. + :vartype device_name: str + :ivar source: The source of the device. + :vartype source: str + :ivar iot_security_agent_id: The ID of the security agent running on the device. + :vartype iot_security_agent_id: str + :ivar device_type: The type of the device. + :vartype device_type: str + :ivar vendor: The vendor of the device. + :vartype vendor: str + :ivar edge_id: The ID of the edge device. + :vartype edge_id: str + :ivar mac_address: The MAC address of the device. + :vartype mac_address: str + :ivar model: The model of the device. + :vartype model: str + :ivar serial_number: The serial number of the device. + :vartype serial_number: str + :ivar firmware_version: The firmware version of the device. + :vartype firmware_version: str + :ivar operating_system: The operating system of the device. + :vartype operating_system: str + :ivar iot_hub_entity_id: The AzureResource entity id of the IoT Hub. + :vartype iot_hub_entity_id: str + :ivar host_entity_id: The Host entity id of this device. + :vartype host_entity_id: str + :ivar ip_address_entity_id: The IP entity if of this device. + :vartype ip_address_entity_id: str + :ivar threat_intelligence: A list of TI contexts attached to the IoTDevice entity. 
+ :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] + :ivar protocols: A list of protocols of the IoTDevice entity. + :vartype protocols: list[str] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'device_id': {'readonly': True}, + 'device_name': {'readonly': True}, + 'source': {'readonly': True}, + 'iot_security_agent_id': {'readonly': True}, + 'device_type': {'readonly': True}, + 'vendor': {'readonly': True}, + 'edge_id': {'readonly': True}, + 'mac_address': {'readonly': True}, + 'model': {'readonly': True}, + 'serial_number': {'readonly': True}, + 'firmware_version': {'readonly': True}, + 'operating_system': {'readonly': True}, + 'iot_hub_entity_id': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'ip_address_entity_id': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, + 'protocols': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_alerts_state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, - 'state_data_types_discovery_logs_state': {'key': 'dataTypes.discoveryLogs.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'device_id': {'key': 'properties.deviceId', 'type': 'str'}, + 'device_name': {'key': 'properties.deviceName', 'type': 'str'}, + 'source': {'key': 
'properties.source', 'type': 'str'}, + 'iot_security_agent_id': {'key': 'properties.iotSecurityAgentId', 'type': 'str'}, + 'device_type': {'key': 'properties.deviceType', 'type': 'str'}, + 'vendor': {'key': 'properties.vendor', 'type': 'str'}, + 'edge_id': {'key': 'properties.edgeId', 'type': 'str'}, + 'mac_address': {'key': 'properties.macAddress', 'type': 'str'}, + 'model': {'key': 'properties.model', 'type': 'str'}, + 'serial_number': {'key': 'properties.serialNumber', 'type': 'str'}, + 'firmware_version': {'key': 'properties.firmwareVersion', 'type': 'str'}, + 'operating_system': {'key': 'properties.operatingSystem', 'type': 'str'}, + 'iot_hub_entity_id': {'key': 'properties.iotHubEntityId', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + 'ip_address_entity_id': {'key': 'properties.ipAddressEntityId', 'type': 'str'}, + 'threat_intelligence': {'key': 'properties.threatIntelligence', 'type': '[ThreatIntelligence]'}, + 'protocols': {'key': 'properties.protocols', 'type': '[str]'}, } def __init__( self, *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state_data_types_alerts_state: Optional[Union[str, "DataTypeState"]] = None, - state_data_types_discovery_logs_state: Optional[Union[str, "DataTypeState"]] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(MCASDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'MicrosoftCloudAppSecurity' # type: str - self.tenant_id = tenant_id - self.state_data_types_alerts_state = state_data_types_alerts_state - self.state_data_types_discovery_logs_state = state_data_types_discovery_logs_state - + super(IoTDeviceEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.device_id = None + self.device_name = None + self.source = None + self.iot_security_agent_id = None + self.device_type = None + self.vendor = None + self.edge_id = None + self.mac_address = None + self.model = None + 
self.serial_number = None + self.firmware_version = None + self.operating_system = None + self.iot_hub_entity_id = None + self.host_entity_id = None + self.ip_address_entity_id = None + self.threat_intelligence = None + self.protocols = None + + +class IoTDeviceEntityProperties(EntityCommonProperties): + """IoTDevice entity property bag. -class MCASDataConnectorDataTypes(AlertsDataTypeOfDataConnector): - """The available data types for MCAS (Microsoft Cloud App Security) data connector. + Variables are only populated by the server, and will be ignored when sending a request. - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState - :param state_discovery_logs_state: Describe whether this data type connection is enabled or - not. Possible values include: "Enabled", "Disabled". - :type state_discovery_logs_state: str or ~security_insights.models.DataTypeState + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar device_id: The ID of the IoT Device in the IoT Hub. + :vartype device_id: str + :ivar device_name: The friendly name of the device. + :vartype device_name: str + :ivar source: The source of the device. + :vartype source: str + :ivar iot_security_agent_id: The ID of the security agent running on the device. + :vartype iot_security_agent_id: str + :ivar device_type: The type of the device. + :vartype device_type: str + :ivar vendor: The vendor of the device. + :vartype vendor: str + :ivar edge_id: The ID of the edge device. + :vartype edge_id: str + :ivar mac_address: The MAC address of the device. 
+ :vartype mac_address: str + :ivar model: The model of the device. + :vartype model: str + :ivar serial_number: The serial number of the device. + :vartype serial_number: str + :ivar firmware_version: The firmware version of the device. + :vartype firmware_version: str + :ivar operating_system: The operating system of the device. + :vartype operating_system: str + :ivar iot_hub_entity_id: The AzureResource entity id of the IoT Hub. + :vartype iot_hub_entity_id: str + :ivar host_entity_id: The Host entity id of this device. + :vartype host_entity_id: str + :ivar ip_address_entity_id: The IP entity if of this device. + :vartype ip_address_entity_id: str + :ivar threat_intelligence: A list of TI contexts attached to the IoTDevice entity. + :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] + :ivar protocols: A list of protocols of the IoTDevice entity. + :vartype protocols: list[str] """ + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'device_id': {'readonly': True}, + 'device_name': {'readonly': True}, + 'source': {'readonly': True}, + 'iot_security_agent_id': {'readonly': True}, + 'device_type': {'readonly': True}, + 'vendor': {'readonly': True}, + 'edge_id': {'readonly': True}, + 'mac_address': {'readonly': True}, + 'model': {'readonly': True}, + 'serial_number': {'readonly': True}, + 'firmware_version': {'readonly': True}, + 'operating_system': {'readonly': True}, + 'iot_hub_entity_id': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'ip_address_entity_id': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, + 'protocols': {'readonly': True}, + } + _attribute_map = { - 'state': {'key': 'alerts.state', 'type': 'str'}, - 'state_discovery_logs_state': {'key': 'discoveryLogs.state', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'device_id': {'key': 'deviceId', 
'type': 'str'}, + 'device_name': {'key': 'deviceName', 'type': 'str'}, + 'source': {'key': 'source', 'type': 'str'}, + 'iot_security_agent_id': {'key': 'iotSecurityAgentId', 'type': 'str'}, + 'device_type': {'key': 'deviceType', 'type': 'str'}, + 'vendor': {'key': 'vendor', 'type': 'str'}, + 'edge_id': {'key': 'edgeId', 'type': 'str'}, + 'mac_address': {'key': 'macAddress', 'type': 'str'}, + 'model': {'key': 'model', 'type': 'str'}, + 'serial_number': {'key': 'serialNumber', 'type': 'str'}, + 'firmware_version': {'key': 'firmwareVersion', 'type': 'str'}, + 'operating_system': {'key': 'operatingSystem', 'type': 'str'}, + 'iot_hub_entity_id': {'key': 'iotHubEntityId', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + 'ip_address_entity_id': {'key': 'ipAddressEntityId', 'type': 'str'}, + 'threat_intelligence': {'key': 'threatIntelligence', 'type': '[ThreatIntelligence]'}, + 'protocols': {'key': 'protocols', 'type': '[str]'}, } def __init__( self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - state_discovery_logs_state: Optional[Union[str, "DataTypeState"]] = None, **kwargs ): - super(MCASDataConnectorDataTypes, self).__init__(state=state, **kwargs) - self.state_discovery_logs_state = state_discovery_logs_state - - -class MDATPDataConnector(DataConnector): - """Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. + super(IoTDeviceEntityProperties, self).__init__(**kwargs) + self.device_id = None + self.device_name = None + self.source = None + self.iot_security_agent_id = None + self.device_type = None + self.vendor = None + self.edge_id = None + self.mac_address = None + self.model = None + self.serial_number = None + self.firmware_version = None + self.operating_system = None + self.iot_hub_entity_id = None + self.host_entity_id = None + self.ip_address_entity_id = None + self.threat_intelligence = None + self.protocols = None + + +class IpEntity(Entity): + """Represents an ip entity. 
Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. 
+ :vartype friendly_name: str + :ivar address: The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6). + :vartype address: str + :ivar location: The geo-location context attached to the ip entity. + :vartype location: ~security_insights.models.GeoLocation + :ivar threat_intelligence: A list of TI contexts attached to the ip entity. + :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'address': {'readonly': True}, + 'location': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.alerts.state', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'address': {'key': 'properties.address', 'type': 'str'}, + 'location': {'key': 'properties.location', 'type': 'GeoLocation'}, + 'threat_intelligence': {'key': 'properties.threatIntelligence', 'type': '[ThreatIntelligence]'}, } def __init__( self, *, - etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(MDATPDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'MicrosoftDefenderAdvancedThreatProtection' # type: str - self.tenant_id = 
tenant_id - self.state = state + super(IpEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.address = None + self.location = None + self.threat_intelligence = None -class MicrosoftSecurityIncidentCreationAlertRule(AlertRule): - """Represents MicrosoftSecurityIncidentCreation rule. +class IpEntityProperties(EntityCommonProperties): + """Ip entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar address: The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6). + :vartype address: str + :ivar location: The geo-location context attached to the ip entity. + :vartype location: ~security_insights.models.GeoLocation + :ivar threat_intelligence: A list of TI contexts attached to the ip entity. 
+ :vartype threat_intelligence: list[~security_insights.models.ThreatIntelligence] + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'address': {'readonly': True}, + 'location': {'readonly': True}, + 'threat_intelligence': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'address': {'key': 'address', 'type': 'str'}, + 'location': {'key': 'location', 'type': 'GeoLocation'}, + 'threat_intelligence': {'key': 'threatIntelligence', 'type': '[ThreatIntelligence]'}, + } + + def __init__( + self, + **kwargs + ): + super(IpEntityProperties, self).__init__(**kwargs) + self.address = None + self.location = None + self.threat_intelligence = None + + +class MailboxEntity(Entity): + """Represents a mailbox entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param display_names_filter: the alerts' displayNames on which the cases will be generated. 
- :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar mailbox_primary_address: The mailbox's primary address. + :vartype mailbox_primary_address: str + :ivar display_name: The mailbox's display name. 
+ :vartype display_name: str + :ivar upn: The mailbox's UPN. + :vartype upn: str + :ivar external_directory_object_id: The AzureAD identifier of mailbox. Similar to AadUserId in + account entity but this property is specific to mailbox object on office side. + :vartype external_directory_object_id: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'mailbox_primary_address': {'readonly': True}, + 'display_name': {'readonly': True}, + 'upn': {'readonly': True}, + 'external_directory_object_id': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'mailbox_primary_address': {'key': 'properties.mailboxPrimaryAddress', 'type': 'str'}, 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 
'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, + 'upn': {'key': 'properties.upn', 'type': 'str'}, + 'external_directory_object_id': {'key': 'properties.externalDirectoryObjectId', 'type': 'str'}, } def __init__( self, *, - etag: Optional[str] = None, - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - enabled: Optional[bool] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(etag=etag, **kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.display_names_filter = display_names_filter - self.display_names_exclude_filter = display_names_exclude_filter - self.product_filter = product_filter - self.severities_filter = severities_filter - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None + super(MailboxEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.mailbox_primary_address = None + self.display_name = None + self.upn = None + self.external_directory_object_id = None -class MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model): - """MicrosoftSecurityIncidentCreation rule common property bag. +class MailboxEntityProperties(EntityCommonProperties): + """Mailbox entity property bag. - All required parameters must be populated in order to send to Azure. + Variables are only populated by the server, and will be ignored when sending a request. 
- :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar mailbox_primary_address: The mailbox's primary address. + :vartype mailbox_primary_address: str + :ivar display_name: The mailbox's display name. + :vartype display_name: str + :ivar upn: The mailbox's UPN. + :vartype upn: str + :ivar external_directory_object_id: The AzureAD identifier of mailbox. Similar to AadUserId in + account entity but this property is specific to mailbox object on office side. 
+ :vartype external_directory_object_id: str """ _validation = { - 'product_filter': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'mailbox_primary_address': {'readonly': True}, + 'display_name': {'readonly': True}, + 'upn': {'readonly': True}, + 'external_directory_object_id': {'readonly': True}, } _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'mailbox_primary_address': {'key': 'mailboxPrimaryAddress', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'upn': {'key': 'upn', 'type': 'str'}, + 'external_directory_object_id': {'key': 'externalDirectoryObjectId', 'type': 'str'}, } def __init__( self, - *, - product_filter: Union[str, "MicrosoftSecurityProductName"], - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs) - self.display_names_filter = display_names_filter - self.display_names_exclude_filter = display_names_exclude_filter - self.product_filter = product_filter - self.severities_filter = severities_filter + super(MailboxEntityProperties, self).__init__(**kwargs) + self.mailbox_primary_address = None + self.display_name = None + self.upn = None + self.external_directory_object_id = None -class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties): - """MicrosoftSecurityIncidentCreation rule property 
bag. +class MailClusterEntity(Entity): + """Represents a mail cluster entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: Required. The alerts' productName on which the cases will be generated. - Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure - Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security - Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert has been modified. - :vartype last_modified_utc: ~datetime.datetime + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_ids: The mail message IDs that are part of the mail cluster. + :vartype network_message_ids: list[str] + :ivar count_by_delivery_status: Count of mail messages by DeliveryStatus string representation. + :vartype count_by_delivery_status: object + :ivar count_by_threat_type: Count of mail messages by ThreatType string representation. + :vartype count_by_threat_type: object + :ivar count_by_protection_status: Count of mail messages by ProtectionStatus string + representation. + :vartype count_by_protection_status: object + :ivar threats: The threats of mail messages that are part of the mail cluster. + :vartype threats: list[str] + :ivar query: The query that was used to identify the messages of the mail cluster. + :vartype query: str + :ivar query_time: The query time. 
+ :vartype query_time: ~datetime.datetime + :ivar mail_count: The number of mail messages that are part of the mail cluster. + :vartype mail_count: int + :ivar is_volume_anomaly: Is this a volume anomaly mail cluster. + :vartype is_volume_anomaly: bool + :ivar source: The source of the mail cluster (default is 'O365 ATP'). + :vartype source: str + :ivar cluster_source_identifier: The id of the cluster source. + :vartype cluster_source_identifier: str + :ivar cluster_source_type: The type of the cluster source. + :vartype cluster_source_type: str + :ivar cluster_query_start_time: The cluster query start time. + :vartype cluster_query_start_time: ~datetime.datetime + :ivar cluster_query_end_time: The cluster query end time. + :vartype cluster_query_end_time: ~datetime.datetime + :ivar cluster_group: The cluster group. + :vartype cluster_group: str """ _validation = { - 'product_filter': {'required': True}, - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_ids': {'readonly': True}, + 'count_by_delivery_status': {'readonly': True}, + 'count_by_threat_type': {'readonly': True}, + 'count_by_protection_status': {'readonly': True}, + 'threats': {'readonly': True}, + 'query': {'readonly': True}, + 'query_time': {'readonly': True}, + 'mail_count': {'readonly': True}, + 'is_volume_anomaly': {'readonly': True}, + 'source': {'readonly': True}, + 'cluster_source_identifier': {'readonly': True}, + 'cluster_source_type': {'readonly': True}, + 'cluster_query_start_time': {'readonly': True}, + 'cluster_query_end_time': {'readonly': True}, + 'cluster_group': {'readonly': True}, } _attribute_map = { - 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, 
- 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'network_message_ids': {'key': 'properties.networkMessageIds', 'type': '[str]'}, + 'count_by_delivery_status': {'key': 'properties.countByDeliveryStatus', 'type': 'object'}, + 'count_by_threat_type': {'key': 'properties.countByThreatType', 'type': 'object'}, + 'count_by_protection_status': {'key': 'properties.countByProtectionStatus', 'type': 'object'}, + 'threats': {'key': 'properties.threats', 'type': '[str]'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_time': {'key': 'properties.queryTime', 'type': 'iso-8601'}, + 'mail_count': {'key': 'properties.mailCount', 'type': 'int'}, + 'is_volume_anomaly': {'key': 'properties.isVolumeAnomaly', 'type': 'bool'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'cluster_source_identifier': {'key': 'properties.clusterSourceIdentifier', 'type': 'str'}, + 'cluster_source_type': {'key': 'properties.clusterSourceType', 'type': 'str'}, + 'cluster_query_start_time': {'key': 'properties.clusterQueryStartTime', 'type': 'iso-8601'}, + 'cluster_query_end_time': {'key': 'properties.clusterQueryEndTime', 'type': 
'iso-8601'}, + 'cluster_group': {'key': 'properties.clusterGroup', 'type': 'str'}, } def __init__( self, *, - product_filter: Union[str, "MicrosoftSecurityProductName"], - display_name: str, - enabled: bool, - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(display_names_filter=display_names_filter, display_names_exclude_filter=display_names_exclude_filter, product_filter=product_filter, severities_filter=severities_filter, **kwargs) - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None + super(MailClusterEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.network_message_ids = None + self.count_by_delivery_status = None + self.count_by_threat_type = None + self.count_by_protection_status = None + self.threats = None + self.query = None + self.query_time = None + self.mail_count = None + self.is_volume_anomaly = None + self.source = None + self.cluster_source_identifier = None + self.cluster_source_type = None + self.cluster_query_start_time = None + self.cluster_query_end_time = None + self.cluster_group = None + + +class MailClusterEntityProperties(EntityCommonProperties): + """Mail cluster entity property bag. + Variables are only populated by the server, and will be ignored when sending a request. -class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate): - """Represents MicrosoftSecurityIncidentCreation rule template. 
+ :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_ids: The mail message IDs that are part of the mail cluster. + :vartype network_message_ids: list[str] + :ivar count_by_delivery_status: Count of mail messages by DeliveryStatus string representation. + :vartype count_by_delivery_status: object + :ivar count_by_threat_type: Count of mail messages by ThreatType string representation. + :vartype count_by_threat_type: object + :ivar count_by_protection_status: Count of mail messages by ProtectionStatus string + representation. + :vartype count_by_protection_status: object + :ivar threats: The threats of mail messages that are part of the mail cluster. + :vartype threats: list[str] + :ivar query: The query that was used to identify the messages of the mail cluster. + :vartype query: str + :ivar query_time: The query time. + :vartype query_time: ~datetime.datetime + :ivar mail_count: The number of mail messages that are part of the mail cluster. + :vartype mail_count: int + :ivar is_volume_anomaly: Is this a volume anomaly mail cluster. + :vartype is_volume_anomaly: bool + :ivar source: The source of the mail cluster (default is 'O365 ATP'). + :vartype source: str + :ivar cluster_source_identifier: The id of the cluster source. + :vartype cluster_source_identifier: str + :ivar cluster_source_type: The type of the cluster source. + :vartype cluster_source_type: str + :ivar cluster_query_start_time: The cluster query start time. + :vartype cluster_query_start_time: ~datetime.datetime + :ivar cluster_query_end_time: The cluster query end time. 
+ :vartype cluster_query_end_time: ~datetime.datetime + :ivar cluster_group: The cluster group. + :vartype cluster_group: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_ids': {'readonly': True}, + 'count_by_delivery_status': {'readonly': True}, + 'count_by_threat_type': {'readonly': True}, + 'count_by_protection_status': {'readonly': True}, + 'threats': {'readonly': True}, + 'query': {'readonly': True}, + 'query_time': {'readonly': True}, + 'mail_count': {'readonly': True}, + 'is_volume_anomaly': {'readonly': True}, + 'source': {'readonly': True}, + 'cluster_source_identifier': {'readonly': True}, + 'cluster_source_type': {'readonly': True}, + 'cluster_query_start_time': {'readonly': True}, + 'cluster_query_end_time': {'readonly': True}, + 'cluster_group': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'network_message_ids': {'key': 'networkMessageIds', 'type': '[str]'}, + 'count_by_delivery_status': {'key': 'countByDeliveryStatus', 'type': 'object'}, + 'count_by_threat_type': {'key': 'countByThreatType', 'type': 'object'}, + 'count_by_protection_status': {'key': 'countByProtectionStatus', 'type': 'object'}, + 'threats': {'key': 'threats', 'type': '[str]'}, + 'query': {'key': 'query', 'type': 'str'}, + 'query_time': {'key': 'queryTime', 'type': 'iso-8601'}, + 'mail_count': {'key': 'mailCount', 'type': 'int'}, + 'is_volume_anomaly': {'key': 'isVolumeAnomaly', 'type': 'bool'}, + 'source': {'key': 'source', 'type': 'str'}, + 'cluster_source_identifier': {'key': 'clusterSourceIdentifier', 'type': 'str'}, + 'cluster_source_type': {'key': 'clusterSourceType', 'type': 'str'}, + 'cluster_query_start_time': {'key': 'clusterQueryStartTime', 'type': 'iso-8601'}, + 'cluster_query_end_time': {'key': 'clusterQueryEndTime', 'type': 'iso-8601'}, + 'cluster_group': {'key': 
'clusterGroup', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(MailClusterEntityProperties, self).__init__(**kwargs) + self.network_message_ids = None + self.count_by_delivery_status = None + self.count_by_threat_type = None + self.count_by_protection_status = None + self.threats = None + self.query = None + self.query_time = None + self.mail_count = None + self.is_volume_anomaly = None + self.source = None + self.cluster_source_identifier = None + self.cluster_source_type = None + self.cluster_query_start_time = None + self.cluster_query_end_time = None + self.cluster_group = None + + +class MailMessageEntity(Entity): + """Represents a mail message entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. 
- :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param display_names_filter: the alerts' displayNames on which the cases will be generated. - :type display_names_filter: list[str] - :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be - generated. - :type display_names_exclude_filter: list[str] - :param product_filter: The alerts' productName on which the cases will be generated. Possible - values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat - Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". - :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName - :param severities_filter: the alerts' severities on which the cases will be generated. - :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar file_entity_ids: The File entity ids of this mail message's attachments. 
+ :vartype file_entity_ids: list[str] + :ivar recipient: The recipient of this mail message. Note that in case of multiple recipients + the mail message is forked and each copy has one recipient. + :vartype recipient: str + :ivar urls: The Urls contained in this mail message. + :vartype urls: list[str] + :ivar threats: The threats of this mail message. + :vartype threats: list[str] + :ivar p1_sender: The p1 sender's email address. + :vartype p1_sender: str + :ivar p1_sender_display_name: The p1 sender's display name. + :vartype p1_sender_display_name: str + :ivar p1_sender_domain: The p1 sender's domain. + :vartype p1_sender_domain: str + :ivar sender_ip: The sender's IP address. + :vartype sender_ip: str + :ivar p2_sender: The p2 sender's email address. + :vartype p2_sender: str + :ivar p2_sender_display_name: The p2 sender's display name. + :vartype p2_sender_display_name: str + :ivar p2_sender_domain: The p2 sender's domain. + :vartype p2_sender_domain: str + :ivar receive_date: The receive date of this message. + :vartype receive_date: ~datetime.datetime + :ivar network_message_id: The network message id of this mail message. + :vartype network_message_id: str + :ivar internet_message_id: The internet message id of this mail message. + :vartype internet_message_id: str + :ivar subject: The subject of this mail message. + :vartype subject: str + :ivar language: The language of this mail message. + :vartype language: str + :ivar threat_detection_methods: The threat detection methods. + :vartype threat_detection_methods: list[str] + :param body_fingerprint_bin1: The bodyFingerprintBin1. + :type body_fingerprint_bin1: int + :param body_fingerprint_bin2: The bodyFingerprintBin2. + :type body_fingerprint_bin2: int + :param body_fingerprint_bin3: The bodyFingerprintBin3. + :type body_fingerprint_bin3: int + :param body_fingerprint_bin4: The bodyFingerprintBin4. + :type body_fingerprint_bin4: int + :param body_fingerprint_bin5: The bodyFingerprintBin5. 
+ :type body_fingerprint_bin5: int + :param antispam_direction: The directionality of this mail message. Possible values include: + "Unknown", "Inbound", "Outbound", "Intraorg". + :type antispam_direction: str or ~security_insights.models.AntispamMailDirection + :param delivery_action: The delivery action of this mail message like Delivered, Blocked, + Replaced etc. Possible values include: "Unknown", "DeliveredAsSpam", "Delivered", "Blocked", + "Replaced". + :type delivery_action: str or ~security_insights.models.DeliveryAction + :param delivery_location: The delivery location of this mail message like Inbox, JunkFolder + etc. Possible values include: "Unknown", "Inbox", "JunkFolder", "DeletedFolder", "Quarantine", + "External", "Failed", "Dropped", "Forwarded". + :type delivery_location: str or ~security_insights.models.DeliveryLocation """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'recipient': {'readonly': True}, + 'urls': {'readonly': True}, + 'threats': {'readonly': True}, + 'p1_sender': {'readonly': True}, + 'p1_sender_display_name': {'readonly': True}, + 'p1_sender_domain': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'p2_sender': {'readonly': True}, + 'p2_sender_display_name': {'readonly': True}, + 'p2_sender_domain': {'readonly': True}, + 'receive_date': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'internet_message_id': {'readonly': True}, + 'subject': {'readonly': True}, + 'language': {'readonly': True}, + 'threat_detection_methods': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 
'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, - 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, - 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, - 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'file_entity_ids': {'key': 'properties.fileEntityIds', 'type': '[str]'}, + 'recipient': {'key': 'properties.recipient', 'type': 'str'}, + 'urls': {'key': 'properties.urls', 'type': '[str]'}, + 'threats': {'key': 'properties.threats', 'type': '[str]'}, + 'p1_sender': {'key': 'properties.p1Sender', 'type': 'str'}, + 'p1_sender_display_name': {'key': 'properties.p1SenderDisplayName', 'type': 'str'}, + 'p1_sender_domain': {'key': 'properties.p1SenderDomain', 'type': 'str'}, + 'sender_ip': {'key': 'properties.senderIP', 'type': 'str'}, + 'p2_sender': {'key': 'properties.p2Sender', 'type': 'str'}, + 'p2_sender_display_name': {'key': 'properties.p2SenderDisplayName', 'type': 'str'}, + 'p2_sender_domain': {'key': 'properties.p2SenderDomain', 'type': 'str'}, + 'receive_date': {'key': 'properties.receiveDate', 'type': 'iso-8601'}, + 'network_message_id': {'key': 
'properties.networkMessageId', 'type': 'str'}, + 'internet_message_id': {'key': 'properties.internetMessageId', 'type': 'str'}, + 'subject': {'key': 'properties.subject', 'type': 'str'}, + 'language': {'key': 'properties.language', 'type': 'str'}, + 'threat_detection_methods': {'key': 'properties.threatDetectionMethods', 'type': '[str]'}, + 'body_fingerprint_bin1': {'key': 'properties.bodyFingerprintBin1', 'type': 'int'}, + 'body_fingerprint_bin2': {'key': 'properties.bodyFingerprintBin2', 'type': 'int'}, + 'body_fingerprint_bin3': {'key': 'properties.bodyFingerprintBin3', 'type': 'int'}, + 'body_fingerprint_bin4': {'key': 'properties.bodyFingerprintBin4', 'type': 'int'}, + 'body_fingerprint_bin5': {'key': 'properties.bodyFingerprintBin5', 'type': 'int'}, + 'antispam_direction': {'key': 'properties.antispamDirection', 'type': 'str'}, + 'delivery_action': {'key': 'properties.deliveryAction', 'type': 'str'}, + 'delivery_location': {'key': 'properties.deliveryLocation', 'type': 'str'}, } def __init__( self, *, - alert_rules_created_by_template_count: Optional[int] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, - status: Optional[Union[str, "TemplateStatus"]] = None, - display_names_filter: Optional[List[str]] = None, - display_names_exclude_filter: Optional[List[str]] = None, - product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None, - severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, + kind: Union[str, "EntityKindEnum"], + body_fingerprint_bin1: Optional[int] = None, + body_fingerprint_bin2: Optional[int] = None, + body_fingerprint_bin3: Optional[int] = None, + body_fingerprint_bin4: Optional[int] = None, + body_fingerprint_bin5: Optional[int] = None, + antispam_direction: Optional[Union[str, "AntispamMailDirection"]] = None, + delivery_action: Optional[Union[str, "DeliveryAction"]] = None, + delivery_location: 
Optional[Union[str, "DeliveryLocation"]] = None, **kwargs ): - super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'MicrosoftSecurityIncidentCreation' # type: str - self.alert_rules_created_by_template_count = alert_rules_created_by_template_count - self.created_date_utc = None - self.description = description - self.display_name = display_name - self.required_data_connectors = required_data_connectors - self.status = status - self.display_names_filter = display_names_filter - self.display_names_exclude_filter = display_names_exclude_filter - self.product_filter = product_filter - self.severities_filter = severities_filter + super(MailMessageEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.file_entity_ids = None + self.recipient = None + self.urls = None + self.threats = None + self.p1_sender = None + self.p1_sender_display_name = None + self.p1_sender_domain = None + self.sender_ip = None + self.p2_sender = None + self.p2_sender_display_name = None + self.p2_sender_domain = None + self.receive_date = None + self.network_message_id = None + self.internet_message_id = None + self.subject = None + self.language = None + self.threat_detection_methods = None + self.body_fingerprint_bin1 = body_fingerprint_bin1 + self.body_fingerprint_bin2 = body_fingerprint_bin2 + self.body_fingerprint_bin3 = body_fingerprint_bin3 + self.body_fingerprint_bin4 = body_fingerprint_bin4 + self.body_fingerprint_bin5 = body_fingerprint_bin5 + self.antispam_direction = antispam_direction + self.delivery_action = delivery_action + self.delivery_location = delivery_location + + +class MailMessageEntityProperties(EntityCommonProperties): + """Mail message entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar file_entity_ids: The File entity ids of this mail message's attachments. + :vartype file_entity_ids: list[str] + :ivar recipient: The recipient of this mail message. Note that in case of multiple recipients + the mail message is forked and each copy has one recipient. + :vartype recipient: str + :ivar urls: The Urls contained in this mail message. + :vartype urls: list[str] + :ivar threats: The threats of this mail message. + :vartype threats: list[str] + :ivar p1_sender: The p1 sender's email address. + :vartype p1_sender: str + :ivar p1_sender_display_name: The p1 sender's display name. + :vartype p1_sender_display_name: str + :ivar p1_sender_domain: The p1 sender's domain. + :vartype p1_sender_domain: str + :ivar sender_ip: The sender's IP address. + :vartype sender_ip: str + :ivar p2_sender: The p2 sender's email address. + :vartype p2_sender: str + :ivar p2_sender_display_name: The p2 sender's display name. + :vartype p2_sender_display_name: str + :ivar p2_sender_domain: The p2 sender's domain. + :vartype p2_sender_domain: str + :ivar receive_date: The receive date of this message. + :vartype receive_date: ~datetime.datetime + :ivar network_message_id: The network message id of this mail message. + :vartype network_message_id: str + :ivar internet_message_id: The internet message id of this mail message. + :vartype internet_message_id: str + :ivar subject: The subject of this mail message. + :vartype subject: str + :ivar language: The language of this mail message. + :vartype language: str + :ivar threat_detection_methods: The threat detection methods. + :vartype threat_detection_methods: list[str] + :param body_fingerprint_bin1: The bodyFingerprintBin1. 
+ :type body_fingerprint_bin1: int + :param body_fingerprint_bin2: The bodyFingerprintBin2. + :type body_fingerprint_bin2: int + :param body_fingerprint_bin3: The bodyFingerprintBin3. + :type body_fingerprint_bin3: int + :param body_fingerprint_bin4: The bodyFingerprintBin4. + :type body_fingerprint_bin4: int + :param body_fingerprint_bin5: The bodyFingerprintBin5. + :type body_fingerprint_bin5: int + :param antispam_direction: The directionality of this mail message. Possible values include: + "Unknown", "Inbound", "Outbound", "Intraorg". + :type antispam_direction: str or ~security_insights.models.AntispamMailDirection + :param delivery_action: The delivery action of this mail message like Delivered, Blocked, + Replaced etc. Possible values include: "Unknown", "DeliveredAsSpam", "Delivered", "Blocked", + "Replaced". + :type delivery_action: str or ~security_insights.models.DeliveryAction + :param delivery_location: The delivery location of this mail message like Inbox, JunkFolder + etc. Possible values include: "Unknown", "Inbox", "JunkFolder", "DeletedFolder", "Quarantine", + "External", "Failed", "Dropped", "Forwarded". 
+ :type delivery_location: str or ~security_insights.models.DeliveryLocation + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'recipient': {'readonly': True}, + 'urls': {'readonly': True}, + 'threats': {'readonly': True}, + 'p1_sender': {'readonly': True}, + 'p1_sender_display_name': {'readonly': True}, + 'p1_sender_domain': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'p2_sender': {'readonly': True}, + 'p2_sender_display_name': {'readonly': True}, + 'p2_sender_domain': {'readonly': True}, + 'receive_date': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'internet_message_id': {'readonly': True}, + 'subject': {'readonly': True}, + 'language': {'readonly': True}, + 'threat_detection_methods': {'readonly': True}, + } + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'file_entity_ids': {'key': 'fileEntityIds', 'type': '[str]'}, + 'recipient': {'key': 'recipient', 'type': 'str'}, + 'urls': {'key': 'urls', 'type': '[str]'}, + 'threats': {'key': 'threats', 'type': '[str]'}, + 'p1_sender': {'key': 'p1Sender', 'type': 'str'}, + 'p1_sender_display_name': {'key': 'p1SenderDisplayName', 'type': 'str'}, + 'p1_sender_domain': {'key': 'p1SenderDomain', 'type': 'str'}, + 'sender_ip': {'key': 'senderIP', 'type': 'str'}, + 'p2_sender': {'key': 'p2Sender', 'type': 'str'}, + 'p2_sender_display_name': {'key': 'p2SenderDisplayName', 'type': 'str'}, + 'p2_sender_domain': {'key': 'p2SenderDomain', 'type': 'str'}, + 'receive_date': {'key': 'receiveDate', 'type': 'iso-8601'}, + 'network_message_id': {'key': 'networkMessageId', 'type': 'str'}, + 'internet_message_id': {'key': 'internetMessageId', 'type': 'str'}, + 'subject': {'key': 'subject', 'type': 'str'}, + 'language': {'key': 'language', 'type': 'str'}, + 'threat_detection_methods': {'key': 
'threatDetectionMethods', 'type': '[str]'}, + 'body_fingerprint_bin1': {'key': 'bodyFingerprintBin1', 'type': 'int'}, + 'body_fingerprint_bin2': {'key': 'bodyFingerprintBin2', 'type': 'int'}, + 'body_fingerprint_bin3': {'key': 'bodyFingerprintBin3', 'type': 'int'}, + 'body_fingerprint_bin4': {'key': 'bodyFingerprintBin4', 'type': 'int'}, + 'body_fingerprint_bin5': {'key': 'bodyFingerprintBin5', 'type': 'int'}, + 'antispam_direction': {'key': 'antispamDirection', 'type': 'str'}, + 'delivery_action': {'key': 'deliveryAction', 'type': 'str'}, + 'delivery_location': {'key': 'deliveryLocation', 'type': 'str'}, + } -class OfficeConsent(Resource): - """Consent for Office365 tenant that already made. + def __init__( + self, + *, + body_fingerprint_bin1: Optional[int] = None, + body_fingerprint_bin2: Optional[int] = None, + body_fingerprint_bin3: Optional[int] = None, + body_fingerprint_bin4: Optional[int] = None, + body_fingerprint_bin5: Optional[int] = None, + antispam_direction: Optional[Union[str, "AntispamMailDirection"]] = None, + delivery_action: Optional[Union[str, "DeliveryAction"]] = None, + delivery_location: Optional[Union[str, "DeliveryLocation"]] = None, + **kwargs + ): + super(MailMessageEntityProperties, self).__init__(**kwargs) + self.file_entity_ids = None + self.recipient = None + self.urls = None + self.threats = None + self.p1_sender = None + self.p1_sender_display_name = None + self.p1_sender_domain = None + self.sender_ip = None + self.p2_sender = None + self.p2_sender_display_name = None + self.p2_sender_domain = None + self.receive_date = None + self.network_message_id = None + self.internet_message_id = None + self.subject = None + self.language = None + self.threat_detection_methods = None + self.body_fingerprint_bin1 = body_fingerprint_bin1 + self.body_fingerprint_bin2 = body_fingerprint_bin2 + self.body_fingerprint_bin3 = body_fingerprint_bin3 + self.body_fingerprint_bin4 = body_fingerprint_bin4 + self.body_fingerprint_bin5 = 
body_fingerprint_bin5 + self.antispam_direction = antispam_direction + self.delivery_action = delivery_action + self.delivery_location = delivery_location + + +class MalwareEntity(Entity): + """Represents a malware entity. Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param tenant_id: The tenantId of the Office365 with the consent. - :type tenant_id: str - :ivar tenant_name: The tenant name of the Office365 with the consent. - :vartype tenant_name: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar category: The malware category by the vendor, e.g. Trojan. + :vartype category: str + :ivar file_entity_ids: List of linked file entity identifiers on which the malware was found. + :vartype file_entity_ids: list[str] + :ivar malware_name: The malware name by the vendor, e.g. Win32/Toga!rfn. 
+ :vartype malware_name: str + :ivar process_entity_ids: List of linked process entity identifiers on which the malware was + found. + :vartype process_entity_ids: list[str] """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'tenant_name': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'category': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'malware_name': {'readonly': True}, + 'process_entity_ids': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'tenant_name': {'key': 'properties.tenantName', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'category': {'key': 'properties.category', 'type': 'str'}, + 'file_entity_ids': {'key': 'properties.fileEntityIds', 'type': '[str]'}, + 'malware_name': {'key': 'properties.malwareName', 'type': 'str'}, + 'process_entity_ids': {'key': 'properties.processEntityIds', 'type': '[str]'}, } def __init__( self, *, - tenant_id: Optional[str] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(OfficeConsent, self).__init__(**kwargs) - self.tenant_id = tenant_id - self.tenant_name = None + super(MalwareEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.category = None + self.file_entity_ids = None + self.malware_name = None + self.process_entity_ids = None -class OfficeConsentList(msrest.serialization.Model): - """List of all the office365 consents. 
+class MalwareEntityProperties(EntityCommonProperties): + """Malware entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - - :ivar next_link: URL to fetch the next set of office consents. - :vartype next_link: str - :param value: Required. Array of the consents. - :type value: list[~security_insights.models.OfficeConsent] + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar category: The malware category by the vendor, e.g. Trojan. + :vartype category: str + :ivar file_entity_ids: List of linked file entity identifiers on which the malware was found. + :vartype file_entity_ids: list[str] + :ivar malware_name: The malware name by the vendor, e.g. Win32/Toga!rfn. + :vartype malware_name: str + :ivar process_entity_ids: List of linked process entity identifiers on which the malware was + found. 
+ :vartype process_entity_ids: list[str] """ _validation = { - 'next_link': {'readonly': True}, - 'value': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'category': {'readonly': True}, + 'file_entity_ids': {'readonly': True}, + 'malware_name': {'readonly': True}, + 'process_entity_ids': {'readonly': True}, } _attribute_map = { - 'next_link': {'key': 'nextLink', 'type': 'str'}, - 'value': {'key': 'value', 'type': '[OfficeConsent]'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'category': {'key': 'category', 'type': 'str'}, + 'file_entity_ids': {'key': 'fileEntityIds', 'type': '[str]'}, + 'malware_name': {'key': 'malwareName', 'type': 'str'}, + 'process_entity_ids': {'key': 'processEntityIds', 'type': '[str]'}, } def __init__( self, - *, - value: List["OfficeConsent"], **kwargs ): - super(OfficeConsentList, self).__init__(**kwargs) - self.next_link = None - self.value = value + super(MalwareEntityProperties, self).__init__(**kwargs) + self.category = None + self.file_entity_ids = None + self.malware_name = None + self.process_entity_ids = None -class OfficeDataConnector(DataConnector): - """Represents office data connector. +class MicrosoftSecurityIncidentCreationAlertRule(AlertRule): + """Represents MicrosoftSecurityIncidentCreation rule. Variables are only populated by the server, and will be ignored when sending a request. 
@@ -2330,97 +4030,307 @@ class OfficeDataConnector(DataConnector): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. - :type tenant_id: str - :param state_data_types_share_point_state: Describe whether this data type connection is - enabled or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_share_point_state: str or ~security_insights.models.DataTypeState - :param state_data_types_exchange_state: Describe whether this data type connection is enabled - or not. Possible values include: "Enabled", "Disabled". - :type state_data_types_exchange_state: str or ~security_insights.models.DataTypeState + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". + :type kind: str or ~security_insights.models.AlertRuleKind + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: The alerts' productName on which the cases will be generated. 
Possible + values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat + Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. + :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + :param alert_rule_template_name: The Name of the alert rule template used to create this rule. + :type alert_rule_template_name: str + :param description: The description of the alert rule. + :type description: str + :param display_name: The display name for alerts created by this alert rule. + :type display_name: str + :param enabled: Determines whether this alert rule is enabled or disabled. + :type enabled: bool + :ivar last_modified_utc: The last time that this alert has been modified. + :vartype last_modified_utc: ~datetime.datetime """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, + 'system_data': {'readonly': True}, 'kind': {'required': True}, + 'last_modified_utc': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, 'kind': {'key': 'kind', 'type': 'str'}, - 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state_data_types_share_point_state': {'key': 'dataTypes.sharePoint.state', 'type': 'str'}, - 'state_data_types_exchange_state': {'key': 'dataTypes.exchange.state', 'type': 'str'}, + 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, + 
'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, + 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, } def __init__( self, *, etag: Optional[str] = None, - tenant_id: Optional[str] = None, - state_data_types_share_point_state: Optional[Union[str, "DataTypeState"]] = None, - state_data_types_exchange_state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(OfficeDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'Office365' # type: str - self.tenant_id = tenant_id - self.state_data_types_share_point_state = state_data_types_share_point_state - self.state_data_types_exchange_state = state_data_types_exchange_state + display_names_filter: Optional[List[str]] = None, + display_names_exclude_filter: Optional[List[str]] = None, + product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None, + severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, + alert_rule_template_name: Optional[str] = None, + description: Optional[str] = None, + display_name: Optional[str] = None, + enabled: Optional[bool] = None, + **kwargs + ): + super(MicrosoftSecurityIncidentCreationAlertRule, self).__init__(etag=etag, **kwargs) + self.kind = 'MicrosoftSecurityIncidentCreation' # type: str + self.display_names_filter = display_names_filter + self.display_names_exclude_filter = display_names_exclude_filter + self.product_filter = product_filter + self.severities_filter = severities_filter + self.alert_rule_template_name = alert_rule_template_name + self.description = description + self.display_name = display_name + self.enabled = enabled + self.last_modified_utc = None + +class 
MicrosoftSecurityIncidentCreationAlertRuleCommonProperties(msrest.serialization.Model): + """MicrosoftSecurityIncidentCreation rule common property bag. -class OfficeDataConnectorDataTypesExchange(DataConnectorDataTypeCommon): - """Exchange data type connection. + All required parameters must be populated in order to send to Azure. - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: Required. The alerts' productName on which the cases will be generated. + Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure + Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security + Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. 
+ :type severities_filter: list[str or ~security_insights.models.AlertSeverity] """ + _validation = { + 'product_filter': {'required': True}, + } + _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, + 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, } def __init__( self, *, - state: Optional[Union[str, "DataTypeState"]] = None, + product_filter: Union[str, "MicrosoftSecurityProductName"], + display_names_filter: Optional[List[str]] = None, + display_names_exclude_filter: Optional[List[str]] = None, + severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, **kwargs ): - super(OfficeDataConnectorDataTypesExchange, self).__init__(state=state, **kwargs) + super(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties, self).__init__(**kwargs) + self.display_names_filter = display_names_filter + self.display_names_exclude_filter = display_names_exclude_filter + self.product_filter = product_filter + self.severities_filter = severities_filter + +class MicrosoftSecurityIncidentCreationAlertRuleProperties(MicrosoftSecurityIncidentCreationAlertRuleCommonProperties): + """MicrosoftSecurityIncidentCreation rule property bag. + + Variables are only populated by the server, and will be ignored when sending a request. -class OfficeDataConnectorDataTypesSharePoint(DataConnectorDataTypeCommon): - """SharePoint data type connection. + All required parameters must be populated in order to send to Azure. - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :param display_names_filter: the alerts' displayNames on which the cases will be generated. 
+ :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: Required. The alerts' productName on which the cases will be generated. + Possible values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure + Advanced Threat Protection", "Azure Active Directory Identity Protection", "Azure Security + Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. + :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + :param alert_rule_template_name: The Name of the alert rule template used to create this rule. + :type alert_rule_template_name: str + :param description: The description of the alert rule. + :type description: str + :param display_name: Required. The display name for alerts created by this alert rule. + :type display_name: str + :param enabled: Required. Determines whether this alert rule is enabled or disabled. + :type enabled: bool + :ivar last_modified_utc: The last time that this alert has been modified. 
+ :vartype last_modified_utc: ~datetime.datetime """ + _validation = { + 'product_filter': {'required': True}, + 'display_name': {'required': True}, + 'enabled': {'required': True}, + 'last_modified_utc': {'readonly': True}, + } + _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, + 'display_names_filter': {'key': 'displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'severitiesFilter', 'type': '[str]'}, + 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'enabled': {'key': 'enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, + } + + def __init__( + self, + *, + product_filter: Union[str, "MicrosoftSecurityProductName"], + display_name: str, + enabled: bool, + display_names_filter: Optional[List[str]] = None, + display_names_exclude_filter: Optional[List[str]] = None, + severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, + alert_rule_template_name: Optional[str] = None, + description: Optional[str] = None, + **kwargs + ): + super(MicrosoftSecurityIncidentCreationAlertRuleProperties, self).__init__(display_names_filter=display_names_filter, display_names_exclude_filter=display_names_exclude_filter, product_filter=product_filter, severities_filter=severities_filter, **kwargs) + self.alert_rule_template_name = alert_rule_template_name + self.description = description + self.display_name = display_name + self.enabled = enabled + self.last_modified_utc = None + + +class MicrosoftSecurityIncidentCreationAlertRuleTemplate(AlertRuleTemplate): + """Represents MicrosoftSecurityIncidentCreation rule template. 
+ + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". + :type kind: str or ~security_insights.models.AlertRuleKind + :param alert_rules_created_by_template_count: the number of alert rules that were created by + this template. + :type alert_rules_created_by_template_count: int + :ivar created_date_utc: The time that this alert rule template has been added. + :vartype created_date_utc: ~datetime.datetime + :param description: The description of the alert rule template. + :type description: str + :param display_name: The display name for alert rule template. + :type display_name: str + :param required_data_connectors: The required data connectors for this template. + :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] + :param status: The alert rule template status. Possible values include: "Installed", + "Available", "NotAvailable". + :type status: str or ~security_insights.models.TemplateStatus + :param display_names_filter: the alerts' displayNames on which the cases will be generated. + :type display_names_filter: list[str] + :param display_names_exclude_filter: the alerts' displayNames on which the cases will not be + generated. + :type display_names_exclude_filter: list[str] + :param product_filter: The alerts' productName on which the cases will be generated. 
Possible + values include: "Microsoft Cloud App Security", "Azure Security Center", "Azure Advanced Threat + Protection", "Azure Active Directory Identity Protection", "Azure Security Center for IoT". + :type product_filter: str or ~security_insights.models.MicrosoftSecurityProductName + :param severities_filter: the alerts' severities on which the cases will be generated. + :type severities_filter: list[str or ~security_insights.models.AlertSeverity] + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'kind': {'required': True}, + 'created_date_utc': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, + 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, + 'status': {'key': 'properties.status', 'type': 'str'}, + 'display_names_filter': {'key': 'properties.displayNamesFilter', 'type': '[str]'}, + 'display_names_exclude_filter': {'key': 'properties.displayNamesExcludeFilter', 'type': '[str]'}, + 'product_filter': {'key': 'properties.productFilter', 'type': 'str'}, + 'severities_filter': {'key': 'properties.severitiesFilter', 'type': '[str]'}, } def __init__( self, *, - state: Optional[Union[str, "DataTypeState"]] = None, + alert_rules_created_by_template_count: Optional[int] = None, + description: Optional[str] = None, + display_name: Optional[str] = None, + 
required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, + status: Optional[Union[str, "TemplateStatus"]] = None, + display_names_filter: Optional[List[str]] = None, + display_names_exclude_filter: Optional[List[str]] = None, + product_filter: Optional[Union[str, "MicrosoftSecurityProductName"]] = None, + severities_filter: Optional[List[Union[str, "AlertSeverity"]]] = None, **kwargs ): - super(OfficeDataConnectorDataTypesSharePoint, self).__init__(state=state, **kwargs) + super(MicrosoftSecurityIncidentCreationAlertRuleTemplate, self).__init__(**kwargs) + self.kind = 'MicrosoftSecurityIncidentCreation' # type: str + self.alert_rules_created_by_template_count = alert_rules_created_by_template_count + self.created_date_utc = None + self.description = description + self.display_name = display_name + self.required_data_connectors = required_data_connectors + self.status = status + self.display_names_filter = display_names_filter + self.display_names_exclude_filter = display_names_exclude_filter + self.product_filter = product_filter + self.severities_filter = severities_filter class Operation(msrest.serialization.Model): @@ -2430,11 +4340,14 @@ class Operation(msrest.serialization.Model): :type display: ~security_insights.models.OperationDisplay :param name: Name of the operation. :type name: str + :param origin: The origin of the operation. + :type origin: str """ _attribute_map = { 'display': {'key': 'display', 'type': 'OperationDisplay'}, 'name': {'key': 'name', 'type': 'str'}, + 'origin': {'key': 'origin', 'type': 'str'}, } def __init__( @@ -2442,11 +4355,13 @@ def __init__( *, display: Optional["OperationDisplay"] = None, name: Optional[str] = None, + origin: Optional[str] = None, **kwargs ): super(Operation, self).__init__(**kwargs) self.display = display self.name = name + self.origin = origin class OperationDisplay(msrest.serialization.Model): 
@@ -2488,15 +4403,18 @@ def __init__( class OperationsList(msrest.serialization.Model): """Lists the operations available in the SecurityInsights RP. + Variables are only populated by the server, and will be ignored when sending a request. + All required parameters must be populated in order to send to Azure. - :param next_link: URL to fetch the next set of operations. - :type next_link: str + :ivar next_link: URL to fetch the next set of operations. + :vartype next_link: str :param value: Required. Array of operations. :type value: list[~security_insights.models.Operation] """ _validation = { + 'next_link': {'readonly': True}, 'value': {'required': True}, } 
@@ -2509,495 +4427,2939 @@ def __init__( self, *, value: List["Operation"], - next_link: Optional[str] = None, **kwargs ): super(OperationsList, self).__init__(**kwargs) - self.next_link = next_link + self.next_link = None self.value = value -class ScheduledAlertRule(AlertRule): - """Represents scheduled alert rule. +class ProcessEntity(Entity): + """Represents a process entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". 
- :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. - :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last - time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Determines whether the suppression for this alert rule is enabled - or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. - :type tactics: list[str or ~security_insights.models.AttackTactic] + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. 
+ :vartype friendly_name: str + :ivar account_entity_id: The account entity id running the processes. + :vartype account_entity_id: str + :ivar command_line: The command line used to create the process. + :vartype command_line: str + :ivar creation_time_utc: The time when the process started to run. + :vartype creation_time_utc: ~datetime.datetime + :param elevation_token: The elevation token associated with the process. Possible values + include: "Default", "Full", "Limited". + :type elevation_token: str or ~security_insights.models.ElevationToken + :ivar host_entity_id: The host entity id on which the process was running. + :vartype host_entity_id: str + :ivar host_logon_session_entity_id: The session entity id in which the process was running. + :vartype host_logon_session_entity_id: str + :ivar image_file_entity_id: Image file entity id. + :vartype image_file_entity_id: str + :ivar parent_process_entity_id: The parent process entity id. + :vartype parent_process_entity_id: str + :ivar process_id: The process ID. 
+ :vartype process_id: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, - 'last_modified_utc': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'account_entity_id': {'readonly': True}, + 'command_line': {'readonly': True}, + 'creation_time_utc': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'host_logon_session_entity_id': {'readonly': True}, + 'image_file_entity_id': {'readonly': True}, + 'parent_process_entity_id': {'readonly': True}, + 'process_id': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + 
'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'account_entity_id': {'key': 'properties.accountEntityId', 'type': 'str'}, + 'command_line': {'key': 'properties.commandLine', 'type': 'str'}, + 'creation_time_utc': {'key': 'properties.creationTimeUtc', 'type': 'iso-8601'}, + 'elevation_token': {'key': 'properties.elevationToken', 'type': 'str'}, + 'host_entity_id': {'key': 'properties.hostEntityId', 'type': 'str'}, + 'host_logon_session_entity_id': {'key': 'properties.hostLogonSessionEntityId', 'type': 'str'}, + 'image_file_entity_id': {'key': 'properties.imageFileEntityId', 'type': 'str'}, + 'parent_process_entity_id': {'key': 'properties.parentProcessEntityId', 'type': 'str'}, + 'process_id': {'key': 'properties.processId', 'type': 'str'}, } def __init__( self, *, - etag: Optional[str] = None, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - enabled: Optional[bool] = None, - suppression_duration: Optional[datetime.timedelta] = None, - suppression_enabled: Optional[bool] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, + kind: Union[str, "EntityKindEnum"], + elevation_token: Optional[Union[str, "ElevationToken"]] = None, **kwargs ): - super(ScheduledAlertRule, self).__init__(etag=etag, **kwargs) - self.kind = 'Scheduled' # type: str - self.query = query - self.query_frequency = query_frequency - self.query_period = query_period - self.severity = severity - self.trigger_operator = trigger_operator - 
self.trigger_threshold = trigger_threshold - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None - self.suppression_duration = suppression_duration - self.suppression_enabled = suppression_enabled - self.tactics = tactics + super(ProcessEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.account_entity_id = None + self.command_line = None + self.creation_time_utc = None + self.elevation_token = elevation_token + self.host_entity_id = None + self.host_logon_session_entity_id = None + self.image_file_entity_id = None + self.parent_process_entity_id = None + self.process_id = None -class ScheduledAlertRuleCommonProperties(msrest.serialization.Model): - """Schedule alert rule template property bag. +class ProcessEntityProperties(EntityCommonProperties): + """Process entity property bag. - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int + Variables are only populated by the server, and will be ignored when sending a request. 
+ + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar account_entity_id: The account entity id running the processes. + :vartype account_entity_id: str + :ivar command_line: The command line used to create the process. + :vartype command_line: str + :ivar creation_time_utc: The time when the process started to run. + :vartype creation_time_utc: ~datetime.datetime + :param elevation_token: The elevation token associated with the process. Possible values + include: "Default", "Full", "Limited". + :type elevation_token: str or ~security_insights.models.ElevationToken + :ivar host_entity_id: The host entity id on which the process was running. + :vartype host_entity_id: str + :ivar host_logon_session_entity_id: The session entity id in which the process was running. + :vartype host_logon_session_entity_id: str + :ivar image_file_entity_id: Image file entity id. + :vartype image_file_entity_id: str + :ivar parent_process_entity_id: The parent process entity id. + :vartype parent_process_entity_id: str + :ivar process_id: The process ID. 
+ :vartype process_id: str """ + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'account_entity_id': {'readonly': True}, + 'command_line': {'readonly': True}, + 'creation_time_utc': {'readonly': True}, + 'host_entity_id': {'readonly': True}, + 'host_logon_session_entity_id': {'readonly': True}, + 'image_file_entity_id': {'readonly': True}, + 'parent_process_entity_id': {'readonly': True}, + 'process_id': {'readonly': True}, + } + _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'account_entity_id': {'key': 'accountEntityId', 'type': 'str'}, + 'command_line': {'key': 'commandLine', 'type': 'str'}, + 'creation_time_utc': {'key': 'creationTimeUtc', 'type': 'iso-8601'}, + 'elevation_token': {'key': 'elevationToken', 'type': 'str'}, + 'host_entity_id': {'key': 'hostEntityId', 'type': 'str'}, + 'host_logon_session_entity_id': {'key': 'hostLogonSessionEntityId', 'type': 'str'}, + 'image_file_entity_id': {'key': 'imageFileEntityId', 'type': 'str'}, + 'parent_process_entity_id': {'key': 'parentProcessEntityId', 'type': 'str'}, + 'process_id': {'key': 'processId', 'type': 'str'}, } def __init__( self, *, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, + elevation_token: Optional[Union[str, "ElevationToken"]] = None, 
**kwargs ): - super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs) - self.query = query - self.query_frequency = query_frequency - self.query_period = query_period - self.severity = severity - self.trigger_operator = trigger_operator - self.trigger_threshold = trigger_threshold + super(ProcessEntityProperties, self).__init__(**kwargs) + self.account_entity_id = None + self.command_line = None + self.creation_time_utc = None + self.elevation_token = elevation_token + self.host_entity_id = None + self.host_logon_session_entity_id = None + self.image_file_entity_id = None + self.parent_process_entity_id = None + self.process_id = None -class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): - """Scheduled alert rule base property bag. +class RegistryKeyEntity(Entity): + """Represents a registry key entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. - :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. 
- :type trigger_threshold: int - :param alert_rule_template_name: The Name of the alert rule template used to create this rule. - :type alert_rule_template_name: str - :param description: The description of the alert rule. - :type description: str - :param display_name: Required. The display name for alerts created by this alert rule. - :type display_name: str - :param enabled: Required. Determines whether this alert rule is enabled or disabled. - :type enabled: bool - :ivar last_modified_utc: The last time that this alert rule has been modified. - :vartype last_modified_utc: ~datetime.datetime - :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait - since last time this alert rule been triggered. - :type suppression_duration: ~datetime.timedelta - :param suppression_enabled: Required. Determines whether the suppression for this alert rule is - enabled or disabled. - :type suppression_enabled: bool - :param tactics: The tactics of the alert rule. - :type tactics: list[str or ~security_insights.models.AttackTactic] + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar hive: the hive that holds the registry key. Possible values include: + "HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", "HKEY_PERFORMANCE_DATA", "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", "HKEY_A", "HKEY_CURRENT_USER". + :vartype hive: str or ~security_insights.models.RegistryHive + :ivar key: The registry key path. + :vartype key: str """ _validation = { - 'display_name': {'required': True}, - 'enabled': {'required': True}, - 'last_modified_utc': {'readonly': True}, - 'suppression_duration': {'required': True}, - 'suppression_enabled': {'required': True}, + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'hive': {'readonly': True}, + 'key': {'readonly': True}, } _attribute_map = { - 'query': {'key': 'query', 'type': 'str'}, - 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'severity', 'type': 'str'}, - 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, - 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, - 'description': {'key': 'description', 'type': 'str'}, - 'display_name': {'key': 'displayName', 'type': 'str'}, - 'enabled': {'key': 'enabled', 'type': 'bool'}, - 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, - 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'}, - 'suppression_enabled': 
{'key': 'suppressionEnabled', 'type': 'bool'}, - 'tactics': {'key': 'tactics', 'type': '[str]'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'hive': {'key': 'properties.hive', 'type': 'str'}, + 'key': {'key': 'properties.key', 'type': 'str'}, } def __init__( self, *, - display_name: str, - enabled: bool, - suppression_duration: datetime.timedelta, - suppression_enabled: bool, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - alert_rule_template_name: Optional[str] = None, - description: Optional[str] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(ScheduledAlertRuleProperties, self).__init__(query=query, query_frequency=query_frequency, query_period=query_period, severity=severity, trigger_operator=trigger_operator, trigger_threshold=trigger_threshold, **kwargs) - self.alert_rule_template_name = alert_rule_template_name - self.description = description - self.display_name = display_name - self.enabled = enabled - self.last_modified_utc = None - self.suppression_duration = suppression_duration - self.suppression_enabled = suppression_enabled - self.tactics = tactics + super(RegistryKeyEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.hive = None + self.key = None -class ScheduledAlertRuleTemplate(AlertRuleTemplate): - """Represents scheduled alert 
rule template. +class RegistryKeyEntityProperties(EntityCommonProperties): + """RegistryKey entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar hive: the hive that holds the registry key. Possible values include: + "HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_USERS", + "HKEY_CURRENT_USER_LOCAL_SETTINGS", "HKEY_PERFORMANCE_DATA", "HKEY_PERFORMANCE_NLSTEXT", + "HKEY_PERFORMANCE_TEXT", "HKEY_A", "HKEY_CURRENT_USER". + :vartype hive: str or ~security_insights.models.RegistryHive + :ivar key: The registry key path. + :vartype key: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'hive': {'readonly': True}, + 'key': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'hive': {'key': 'hive', 'type': 'str'}, + 'key': {'key': 'key', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(RegistryKeyEntityProperties, self).__init__(**kwargs) + self.hive = None + self.key = None + + +class RegistryValueEntity(Entity): + """Represents a registry value entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. + :param kind: Required. The kind of the entity. 
Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: - "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". - :type kind: str or ~security_insights.models.AlertRuleKind - :param alert_rules_created_by_template_count: the number of alert rules that were created by - this template. - :type alert_rules_created_by_template_count: int - :ivar created_date_utc: The time that this alert rule template has been added. - :vartype created_date_utc: ~datetime.datetime - :param description: The description of the alert rule template. - :type description: str - :param display_name: The display name for alert rule template. - :type display_name: str - :param required_data_connectors: The required data connectors for this template. - :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] - :param status: The alert rule template status. Possible values include: "Installed", - "Available", "NotAvailable". - :type status: str or ~security_insights.models.TemplateStatus - :param query: The query that creates alerts for this rule. - :type query: str - :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. - :type query_frequency: ~datetime.timedelta - :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. 
- :type query_period: ~datetime.timedelta - :param severity: The severity for alerts created by this alert rule. Possible values include: - "High", "Medium", "Low", "Informational". - :type severity: str or ~security_insights.models.AlertSeverity - :param trigger_operator: The operation against the threshold that triggers alert rule. Possible - values include: "GreaterThan", "LessThan", "Equal", "NotEqual". - :type trigger_operator: str or ~security_insights.models.TriggerOperator - :param trigger_threshold: The threshold triggers this alert rule. - :type trigger_threshold: int - :param tactics: The tactics of the alert rule template. - :type tactics: list[str or ~security_insights.models.AttackTactic] + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar key_entity_id: The registry key entity id. + :vartype key_entity_id: str + :ivar value_data: String formatted representation of the value data. + :vartype value_data: str + :ivar value_name: The registry value name. + :vartype value_name: str + :ivar value_type: Specifies the data types to use when storing values in the registry, or + identifies the data type of a value in the registry. Possible values include: "None", + "Unknown", "String", "ExpandString", "Binary", "DWord", "MultiString", "QWord". 
+ :vartype value_type: str or ~security_insights.models.RegistryValueKind + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'key_entity_id': {'readonly': True}, + 'value_data': {'readonly': True}, + 'value_name': {'readonly': True}, + 'value_type': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'key_entity_id': {'key': 'properties.keyEntityId', 'type': 'str'}, + 'value_data': {'key': 'properties.valueData', 'type': 'str'}, + 'value_name': {'key': 'properties.valueName', 'type': 'str'}, + 'value_type': {'key': 'properties.valueType', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(RegistryValueEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.key_entity_id = None + self.value_data = None + self.value_name = None + self.value_type = None + + +class RegistryValueEntityProperties(EntityCommonProperties): + """RegistryValue entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. 
This property is optional and might be system generated. + :vartype friendly_name: str + :ivar key_entity_id: The registry key entity id. + :vartype key_entity_id: str + :ivar value_data: String formatted representation of the value data. + :vartype value_data: str + :ivar value_name: The registry value name. + :vartype value_name: str + :ivar value_type: Specifies the data types to use when storing values in the registry, or + identifies the data type of a value in the registry. Possible values include: "None", + "Unknown", "String", "ExpandString", "Binary", "DWord", "MultiString", "QWord". + :vartype value_type: str or ~security_insights.models.RegistryValueKind + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'key_entity_id': {'readonly': True}, + 'value_data': {'readonly': True}, + 'value_name': {'readonly': True}, + 'value_type': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'key_entity_id': {'key': 'keyEntityId', 'type': 'str'}, + 'value_data': {'key': 'valueData', 'type': 'str'}, + 'value_name': {'key': 'valueName', 'type': 'str'}, + 'value_type': {'key': 'valueType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(RegistryValueEntityProperties, self).__init__(**kwargs) + self.key_entity_id = None + self.value_data = None + self.value_name = None + self.value_type = None + + +class Relation(ResourceWithEtag): + """Represents a relation between two resources. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. 
+ :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :param related_resource_id: The resource ID of the related resource. + :type related_resource_id: str + :ivar related_resource_name: The name of the related resource. + :vartype related_resource_name: str + :ivar related_resource_type: The resource type of the related resource. + :vartype related_resource_type: str + :ivar related_resource_kind: The resource kind of the related resource. + :vartype related_resource_kind: str + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'related_resource_name': {'readonly': True}, + 'related_resource_type': {'readonly': True}, + 'related_resource_kind': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'related_resource_id': {'key': 'properties.relatedResourceId', 'type': 'str'}, + 'related_resource_name': {'key': 'properties.relatedResourceName', 'type': 'str'}, + 'related_resource_type': {'key': 'properties.relatedResourceType', 'type': 'str'}, + 'related_resource_kind': {'key': 'properties.relatedResourceKind', 'type': 'str'}, + } + + def __init__( + self, + *, + etag: Optional[str] = None, + related_resource_id: Optional[str] = None, + **kwargs + ): + super(Relation, self).__init__(etag=etag, **kwargs) + self.related_resource_id = related_resource_id + self.related_resource_name = None + self.related_resource_type = None + self.related_resource_kind = None + + +class RelationList(msrest.serialization.Model): + """List of relations. + + Variables are only populated by the server, and will be ignored when sending a request. 
+ + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of relations. + :vartype next_link: str + :param value: Required. Array of relations. + :type value: list[~security_insights.models.Relation] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[Relation]'}, + } + + def __init__( + self, + *, + value: List["Relation"], + **kwargs + ): + super(RelationList, self).__init__(**kwargs) + self.next_link = None + self.value = value + + +class ScheduledAlertRule(AlertRule): + """Represents scheduled alert rule. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". + :type kind: str or ~security_insights.models.AlertRuleKind + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. 
Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. + :type trigger_threshold: int + :param alert_rule_template_name: The Name of the alert rule template used to create this rule. + :type alert_rule_template_name: str + :param description: The description of the alert rule. + :type description: str + :param display_name: The display name for alerts created by this alert rule. + :type display_name: str + :param enabled: Determines whether this alert rule is enabled or disabled. + :type enabled: bool + :ivar last_modified_utc: The last time that this alert rule has been modified. + :vartype last_modified_utc: ~datetime.datetime + :param suppression_duration: The suppression (in ISO 8601 duration format) to wait since last + time this alert rule been triggered. + :type suppression_duration: ~datetime.timedelta + :param suppression_enabled: Determines whether the suppression for this alert rule is enabled + or disabled. + :type suppression_enabled: bool + :param tactics: The tactics of the alert rule. 
+ :type tactics: list[str or ~security_insights.models.AttackTactic] + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'kind': {'required': True}, + 'last_modified_utc': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'properties.severity', 'type': 'str'}, + 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, + 'alert_rule_template_name': {'key': 'properties.alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'enabled': {'key': 'properties.enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'properties.lastModifiedUtc', 'type': 'iso-8601'}, + 'suppression_duration': {'key': 'properties.suppressionDuration', 'type': 'duration'}, + 'suppression_enabled': {'key': 'properties.suppressionEnabled', 'type': 'bool'}, + 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + } + + def __init__( + self, + *, + etag: Optional[str] = None, + query: Optional[str] = None, + query_frequency: Optional[datetime.timedelta] = None, + query_period: Optional[datetime.timedelta] = None, + severity: Optional[Union[str, "AlertSeverity"]] = None, + trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, + trigger_threshold: Optional[int] = None, + 
alert_rule_template_name: Optional[str] = None, + description: Optional[str] = None, + display_name: Optional[str] = None, + enabled: Optional[bool] = None, + suppression_duration: Optional[datetime.timedelta] = None, + suppression_enabled: Optional[bool] = None, + tactics: Optional[List[Union[str, "AttackTactic"]]] = None, + **kwargs + ): + super(ScheduledAlertRule, self).__init__(etag=etag, **kwargs) + self.kind = 'Scheduled' # type: str + self.query = query + self.query_frequency = query_frequency + self.query_period = query_period + self.severity = severity + self.trigger_operator = trigger_operator + self.trigger_threshold = trigger_threshold + self.alert_rule_template_name = alert_rule_template_name + self.description = description + self.display_name = display_name + self.enabled = enabled + self.last_modified_utc = None + self.suppression_duration = suppression_duration + self.suppression_enabled = suppression_enabled + self.tactics = tactics + + +class ScheduledAlertRuleCommonProperties(msrest.serialization.Model): + """Schedule alert rule template property bag. + + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. 
+ :type trigger_threshold: int + """ + + _attribute_map = { + 'query': {'key': 'query', 'type': 'str'}, + 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, + } + + def __init__( + self, + *, + query: Optional[str] = None, + query_frequency: Optional[datetime.timedelta] = None, + query_period: Optional[datetime.timedelta] = None, + severity: Optional[Union[str, "AlertSeverity"]] = None, + trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, + trigger_threshold: Optional[int] = None, + **kwargs + ): + super(ScheduledAlertRuleCommonProperties, self).__init__(**kwargs) + self.query = query + self.query_frequency = query_frequency + self.query_period = query_period + self.severity = severity + self.trigger_operator = trigger_operator + self.trigger_threshold = trigger_threshold + + +class ScheduledAlertRuleProperties(ScheduledAlertRuleCommonProperties): + """Scheduled alert rule base property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. 
Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. + :type trigger_threshold: int + :param alert_rule_template_name: The Name of the alert rule template used to create this rule. + :type alert_rule_template_name: str + :param description: The description of the alert rule. + :type description: str + :param display_name: Required. The display name for alerts created by this alert rule. + :type display_name: str + :param enabled: Required. Determines whether this alert rule is enabled or disabled. + :type enabled: bool + :ivar last_modified_utc: The last time that this alert rule has been modified. + :vartype last_modified_utc: ~datetime.datetime + :param suppression_duration: Required. The suppression (in ISO 8601 duration format) to wait + since last time this alert rule been triggered. + :type suppression_duration: ~datetime.timedelta + :param suppression_enabled: Required. Determines whether the suppression for this alert rule is + enabled or disabled. + :type suppression_enabled: bool + :param tactics: The tactics of the alert rule. 
+ :type tactics: list[str or ~security_insights.models.AttackTactic] + """ + + _validation = { + 'display_name': {'required': True}, + 'enabled': {'required': True}, + 'last_modified_utc': {'readonly': True}, + 'suppression_duration': {'required': True}, + 'suppression_enabled': {'required': True}, + } + + _attribute_map = { + 'query': {'key': 'query', 'type': 'str'}, + 'query_frequency': {'key': 'queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'trigger_operator': {'key': 'triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'triggerThreshold', 'type': 'int'}, + 'alert_rule_template_name': {'key': 'alertRuleTemplateName', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'enabled': {'key': 'enabled', 'type': 'bool'}, + 'last_modified_utc': {'key': 'lastModifiedUtc', 'type': 'iso-8601'}, + 'suppression_duration': {'key': 'suppressionDuration', 'type': 'duration'}, + 'suppression_enabled': {'key': 'suppressionEnabled', 'type': 'bool'}, + 'tactics': {'key': 'tactics', 'type': '[str]'}, + } + + def __init__( + self, + *, + display_name: str, + enabled: bool, + suppression_duration: datetime.timedelta, + suppression_enabled: bool, + query: Optional[str] = None, + query_frequency: Optional[datetime.timedelta] = None, + query_period: Optional[datetime.timedelta] = None, + severity: Optional[Union[str, "AlertSeverity"]] = None, + trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, + trigger_threshold: Optional[int] = None, + alert_rule_template_name: Optional[str] = None, + description: Optional[str] = None, + tactics: Optional[List[Union[str, "AttackTactic"]]] = None, + **kwargs + ): + super(ScheduledAlertRuleProperties, self).__init__(query=query, query_frequency=query_frequency, query_period=query_period, severity=severity, trigger_operator=trigger_operator, 
trigger_threshold=trigger_threshold, **kwargs) + self.alert_rule_template_name = alert_rule_template_name + self.description = description + self.display_name = display_name + self.enabled = enabled + self.last_modified_utc = None + self.suppression_duration = suppression_duration + self.suppression_enabled = suppression_enabled + self.tactics = tactics + + +class ScheduledAlertRuleTemplate(AlertRuleTemplate): + """Represents scheduled alert rule template. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param kind: Required. The alert rule kind.Constant filled by server. Possible values include: + "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion". + :type kind: str or ~security_insights.models.AlertRuleKind + :param alert_rules_created_by_template_count: the number of alert rules that were created by + this template. + :type alert_rules_created_by_template_count: int + :ivar created_date_utc: The time that this alert rule template has been added. + :vartype created_date_utc: ~datetime.datetime + :param description: The description of the alert rule template. + :type description: str + :param display_name: The display name for alert rule template. + :type display_name: str + :param required_data_connectors: The required data connectors for this template. + :type required_data_connectors: list[~security_insights.models.AlertRuleTemplateDataSource] + :param status: The alert rule template status. Possible values include: "Installed", + "Available", "NotAvailable". 
+ :type status: str or ~security_insights.models.TemplateStatus + :param query: The query that creates alerts for this rule. + :type query: str + :param query_frequency: The frequency (in ISO 8601 duration format) for this alert rule to run. + :type query_frequency: ~datetime.timedelta + :param query_period: The period (in ISO 8601 duration format) that this alert rule looks at. + :type query_period: ~datetime.timedelta + :param severity: The severity for alerts created by this alert rule. Possible values include: + "High", "Medium", "Low", "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :param trigger_operator: The operation against the threshold that triggers alert rule. Possible + values include: "GreaterThan", "LessThan", "Equal", "NotEqual". + :type trigger_operator: str or ~security_insights.models.TriggerOperator + :param trigger_threshold: The threshold triggers this alert rule. + :type trigger_threshold: int + :param tactics: The tactics of the alert rule template. 
+ :type tactics: list[str or ~security_insights.models.AttackTactic] + """ + + _validation = { + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'kind': {'required': True}, + 'created_date_utc': {'readonly': True}, + } + + _attribute_map = { + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'kind': {'key': 'kind', 'type': 'str'}, + 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, + 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, + 'status': {'key': 'properties.status', 'type': 'str'}, + 'query': {'key': 'properties.query', 'type': 'str'}, + 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, + 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, + 'severity': {'key': 'properties.severity', 'type': 'str'}, + 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, + 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, + 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + } + + def __init__( + self, + *, + alert_rules_created_by_template_count: Optional[int] = None, + description: Optional[str] = None, + display_name: Optional[str] = None, + required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, + status: Optional[Union[str, "TemplateStatus"]] = None, + query: Optional[str] = None, + query_frequency: Optional[datetime.timedelta] = None, + query_period: Optional[datetime.timedelta] = None, + severity: 
Optional[Union[str, "AlertSeverity"]] = None, + trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, + trigger_threshold: Optional[int] = None, + tactics: Optional[List[Union[str, "AttackTactic"]]] = None, + **kwargs + ): + super(ScheduledAlertRuleTemplate, self).__init__(**kwargs) + self.kind = 'Scheduled' # type: str + self.alert_rules_created_by_template_count = alert_rules_created_by_template_count + self.created_date_utc = None + self.description = description + self.display_name = display_name + self.required_data_connectors = required_data_connectors + self.status = status + self.query = query + self.query_frequency = query_frequency + self.query_period = query_period + self.severity = severity + self.trigger_operator = trigger_operator + self.trigger_threshold = trigger_threshold + self.tactics = tactics + + +class SecurityAlert(Entity): + """Represents a security alert entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. 
+ :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar alert_display_name: The display name of the alert. + :vartype alert_display_name: str + :ivar alert_type: The type name of the alert. + :vartype alert_type: str + :ivar compromised_entity: Display name of the main entity being reported on. + :vartype compromised_entity: str + :ivar confidence_level: The confidence level of this alert. Possible values include: "Unknown", + "Low", "High". + :vartype confidence_level: str or ~security_insights.models.ConfidenceLevel + :ivar confidence_reasons: The confidence reasons. + :vartype confidence_reasons: + list[~security_insights.models.SecurityAlertPropertiesConfidenceReasonsItem] + :ivar confidence_score: The confidence score of the alert. + :vartype confidence_score: float + :ivar confidence_score_status: The confidence score calculation status, i.e. indicating if + score calculation is pending for this alert, not applicable or final. Possible values include: + "NotApplicable", "InProcess", "NotFinal", "Final". + :vartype confidence_score_status: str or ~security_insights.models.ConfidenceScoreStatus + :ivar description: Alert description. + :vartype description: str + :ivar end_time_utc: The impact end time of the alert (the time of the last event contributing + to the alert). + :vartype end_time_utc: ~datetime.datetime + :ivar intent: Holds the alert intent stage(s) mapping for this alert. Possible values include: + "Unknown", "Probing", "Exploitation", "Persistence", "PrivilegeEscalation", "DefenseEvasion", + "CredentialAccess", "Discovery", "LateralMovement", "Execution", "Collection", "Exfiltration", + "CommandAndControl", "Impact". 
+ :vartype intent: str or ~security_insights.models.KillChainIntent + :ivar provider_alert_id: The identifier of the alert inside the product which generated the + alert. + :vartype provider_alert_id: str + :ivar processing_end_time: The time the alert was made available for consumption. + :vartype processing_end_time: ~datetime.datetime + :ivar product_component_name: The name of a component inside the product which generated the + alert. + :vartype product_component_name: str + :ivar product_name: The name of the product which published this alert. + :vartype product_name: str + :ivar product_version: The version of the product generating the alert. + :vartype product_version: str + :ivar remediation_steps: Manual action items to take to remediate the alert. + :vartype remediation_steps: list[str] + :param severity: The severity of the alert. Possible values include: "High", "Medium", "Low", + "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :ivar start_time_utc: The impact start time of the alert (the time of the first event + contributing to the alert). + :vartype start_time_utc: ~datetime.datetime + :ivar status: The lifecycle status of the alert. Possible values include: "Unknown", "New", + "Resolved", "Dismissed", "InProgress". + :vartype status: str or ~security_insights.models.AlertStatus + :ivar system_alert_id: Holds the product identifier of the alert for the product. + :vartype system_alert_id: str + :ivar tactics: The tactics of the alert. + :vartype tactics: list[str or ~security_insights.models.AttackTactic] + :ivar time_generated: The time the alert was generated. + :vartype time_generated: ~datetime.datetime + :ivar vendor_name: The name of the vendor that raise the alert. + :vartype vendor_name: str + :ivar alert_link: The uri link of the alert. + :vartype alert_link: str + :ivar resource_identifiers: The list of resource identifiers of the alert. 
+ :vartype resource_identifiers: list[object] + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'alert_display_name': {'readonly': True}, + 'alert_type': {'readonly': True}, + 'compromised_entity': {'readonly': True}, + 'confidence_level': {'readonly': True}, + 'confidence_reasons': {'readonly': True}, + 'confidence_score': {'readonly': True}, + 'confidence_score_status': {'readonly': True}, + 'description': {'readonly': True}, + 'end_time_utc': {'readonly': True}, + 'intent': {'readonly': True}, + 'provider_alert_id': {'readonly': True}, + 'processing_end_time': {'readonly': True}, + 'product_component_name': {'readonly': True}, + 'product_name': {'readonly': True}, + 'product_version': {'readonly': True}, + 'remediation_steps': {'readonly': True}, + 'start_time_utc': {'readonly': True}, + 'status': {'readonly': True}, + 'system_alert_id': {'readonly': True}, + 'tactics': {'readonly': True}, + 'time_generated': {'readonly': True}, + 'vendor_name': {'readonly': True}, + 'alert_link': {'readonly': True}, + 'resource_identifiers': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'alert_display_name': {'key': 'properties.alertDisplayName', 'type': 'str'}, + 'alert_type': {'key': 'properties.alertType', 'type': 'str'}, + 'compromised_entity': {'key': 'properties.compromisedEntity', 'type': 'str'}, + 'confidence_level': {'key': 'properties.confidenceLevel', 'type': 'str'}, + 
'confidence_reasons': {'key': 'properties.confidenceReasons', 'type': '[SecurityAlertPropertiesConfidenceReasonsItem]'}, + 'confidence_score': {'key': 'properties.confidenceScore', 'type': 'float'}, + 'confidence_score_status': {'key': 'properties.confidenceScoreStatus', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'end_time_utc': {'key': 'properties.endTimeUtc', 'type': 'iso-8601'}, + 'intent': {'key': 'properties.intent', 'type': 'str'}, + 'provider_alert_id': {'key': 'properties.providerAlertId', 'type': 'str'}, + 'processing_end_time': {'key': 'properties.processingEndTime', 'type': 'iso-8601'}, + 'product_component_name': {'key': 'properties.productComponentName', 'type': 'str'}, + 'product_name': {'key': 'properties.productName', 'type': 'str'}, + 'product_version': {'key': 'properties.productVersion', 'type': 'str'}, + 'remediation_steps': {'key': 'properties.remediationSteps', 'type': '[str]'}, + 'severity': {'key': 'properties.severity', 'type': 'str'}, + 'start_time_utc': {'key': 'properties.startTimeUtc', 'type': 'iso-8601'}, + 'status': {'key': 'properties.status', 'type': 'str'}, + 'system_alert_id': {'key': 'properties.systemAlertId', 'type': 'str'}, + 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + 'time_generated': {'key': 'properties.timeGenerated', 'type': 'iso-8601'}, + 'vendor_name': {'key': 'properties.vendorName', 'type': 'str'}, + 'alert_link': {'key': 'properties.alertLink', 'type': 'str'}, + 'resource_identifiers': {'key': 'properties.resourceIdentifiers', 'type': '[object]'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + severity: Optional[Union[str, "AlertSeverity"]] = None, + **kwargs + ): + super(SecurityAlert, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.alert_display_name = None + self.alert_type = None + self.compromised_entity = None + self.confidence_level = None + self.confidence_reasons = None 
+ self.confidence_score = None + self.confidence_score_status = None + self.description = None + self.end_time_utc = None + self.intent = None + self.provider_alert_id = None + self.processing_end_time = None + self.product_component_name = None + self.product_name = None + self.product_version = None + self.remediation_steps = None + self.severity = severity + self.start_time_utc = None + self.status = None + self.system_alert_id = None + self.tactics = None + self.time_generated = None + self.vendor_name = None + self.alert_link = None + self.resource_identifiers = None + + +class SecurityAlertProperties(EntityCommonProperties): + """SecurityAlert entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar alert_display_name: The display name of the alert. + :vartype alert_display_name: str + :ivar alert_type: The type name of the alert. + :vartype alert_type: str + :ivar compromised_entity: Display name of the main entity being reported on. + :vartype compromised_entity: str + :ivar confidence_level: The confidence level of this alert. Possible values include: "Unknown", + "Low", "High". + :vartype confidence_level: str or ~security_insights.models.ConfidenceLevel + :ivar confidence_reasons: The confidence reasons. + :vartype confidence_reasons: + list[~security_insights.models.SecurityAlertPropertiesConfidenceReasonsItem] + :ivar confidence_score: The confidence score of the alert. + :vartype confidence_score: float + :ivar confidence_score_status: The confidence score calculation status, i.e. 
indicating if + score calculation is pending for this alert, not applicable or final. Possible values include: + "NotApplicable", "InProcess", "NotFinal", "Final". + :vartype confidence_score_status: str or ~security_insights.models.ConfidenceScoreStatus + :ivar description: Alert description. + :vartype description: str + :ivar end_time_utc: The impact end time of the alert (the time of the last event contributing + to the alert). + :vartype end_time_utc: ~datetime.datetime + :ivar intent: Holds the alert intent stage(s) mapping for this alert. Possible values include: + "Unknown", "Probing", "Exploitation", "Persistence", "PrivilegeEscalation", "DefenseEvasion", + "CredentialAccess", "Discovery", "LateralMovement", "Execution", "Collection", "Exfiltration", + "CommandAndControl", "Impact". + :vartype intent: str or ~security_insights.models.KillChainIntent + :ivar provider_alert_id: The identifier of the alert inside the product which generated the + alert. + :vartype provider_alert_id: str + :ivar processing_end_time: The time the alert was made available for consumption. + :vartype processing_end_time: ~datetime.datetime + :ivar product_component_name: The name of a component inside the product which generated the + alert. + :vartype product_component_name: str + :ivar product_name: The name of the product which published this alert. + :vartype product_name: str + :ivar product_version: The version of the product generating the alert. + :vartype product_version: str + :ivar remediation_steps: Manual action items to take to remediate the alert. + :vartype remediation_steps: list[str] + :param severity: The severity of the alert. Possible values include: "High", "Medium", "Low", + "Informational". + :type severity: str or ~security_insights.models.AlertSeverity + :ivar start_time_utc: The impact start time of the alert (the time of the first event + contributing to the alert). 
+ :vartype start_time_utc: ~datetime.datetime + :ivar status: The lifecycle status of the alert. Possible values include: "Unknown", "New", + "Resolved", "Dismissed", "InProgress". + :vartype status: str or ~security_insights.models.AlertStatus + :ivar system_alert_id: Holds the product identifier of the alert for the product. + :vartype system_alert_id: str + :ivar tactics: The tactics of the alert. + :vartype tactics: list[str or ~security_insights.models.AttackTactic] + :ivar time_generated: The time the alert was generated. + :vartype time_generated: ~datetime.datetime + :ivar vendor_name: The name of the vendor that raise the alert. + :vartype vendor_name: str + :ivar alert_link: The uri link of the alert. + :vartype alert_link: str + :ivar resource_identifiers: The list of resource identifiers of the alert. + :vartype resource_identifiers: list[object] + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'alert_display_name': {'readonly': True}, + 'alert_type': {'readonly': True}, + 'compromised_entity': {'readonly': True}, + 'confidence_level': {'readonly': True}, + 'confidence_reasons': {'readonly': True}, + 'confidence_score': {'readonly': True}, + 'confidence_score_status': {'readonly': True}, + 'description': {'readonly': True}, + 'end_time_utc': {'readonly': True}, + 'intent': {'readonly': True}, + 'provider_alert_id': {'readonly': True}, + 'processing_end_time': {'readonly': True}, + 'product_component_name': {'readonly': True}, + 'product_name': {'readonly': True}, + 'product_version': {'readonly': True}, + 'remediation_steps': {'readonly': True}, + 'start_time_utc': {'readonly': True}, + 'status': {'readonly': True}, + 'system_alert_id': {'readonly': True}, + 'tactics': {'readonly': True}, + 'time_generated': {'readonly': True}, + 'vendor_name': {'readonly': True}, + 'alert_link': {'readonly': True}, + 'resource_identifiers': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': 
{'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'alert_display_name': {'key': 'alertDisplayName', 'type': 'str'}, + 'alert_type': {'key': 'alertType', 'type': 'str'}, + 'compromised_entity': {'key': 'compromisedEntity', 'type': 'str'}, + 'confidence_level': {'key': 'confidenceLevel', 'type': 'str'}, + 'confidence_reasons': {'key': 'confidenceReasons', 'type': '[SecurityAlertPropertiesConfidenceReasonsItem]'}, + 'confidence_score': {'key': 'confidenceScore', 'type': 'float'}, + 'confidence_score_status': {'key': 'confidenceScoreStatus', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'end_time_utc': {'key': 'endTimeUtc', 'type': 'iso-8601'}, + 'intent': {'key': 'intent', 'type': 'str'}, + 'provider_alert_id': {'key': 'providerAlertId', 'type': 'str'}, + 'processing_end_time': {'key': 'processingEndTime', 'type': 'iso-8601'}, + 'product_component_name': {'key': 'productComponentName', 'type': 'str'}, + 'product_name': {'key': 'productName', 'type': 'str'}, + 'product_version': {'key': 'productVersion', 'type': 'str'}, + 'remediation_steps': {'key': 'remediationSteps', 'type': '[str]'}, + 'severity': {'key': 'severity', 'type': 'str'}, + 'start_time_utc': {'key': 'startTimeUtc', 'type': 'iso-8601'}, + 'status': {'key': 'status', 'type': 'str'}, + 'system_alert_id': {'key': 'systemAlertId', 'type': 'str'}, + 'tactics': {'key': 'tactics', 'type': '[str]'}, + 'time_generated': {'key': 'timeGenerated', 'type': 'iso-8601'}, + 'vendor_name': {'key': 'vendorName', 'type': 'str'}, + 'alert_link': {'key': 'alertLink', 'type': 'str'}, + 'resource_identifiers': {'key': 'resourceIdentifiers', 'type': '[object]'}, + } + + def __init__( + self, + *, + severity: Optional[Union[str, "AlertSeverity"]] = None, + **kwargs + ): + super(SecurityAlertProperties, self).__init__(**kwargs) + self.alert_display_name = None + self.alert_type = None + self.compromised_entity = None + self.confidence_level = 
None + self.confidence_reasons = None + self.confidence_score = None + self.confidence_score_status = None + self.description = None + self.end_time_utc = None + self.intent = None + self.provider_alert_id = None + self.processing_end_time = None + self.product_component_name = None + self.product_name = None + self.product_version = None + self.remediation_steps = None + self.severity = severity + self.start_time_utc = None + self.status = None + self.system_alert_id = None + self.tactics = None + self.time_generated = None + self.vendor_name = None + self.alert_link = None + self.resource_identifiers = None + + +class SecurityAlertPropertiesConfidenceReasonsItem(msrest.serialization.Model): + """confidence reason item. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar reason: The reason's description. + :vartype reason: str + :ivar reason_type: The type (category) of the reason. + :vartype reason_type: str + """ + + _validation = { + 'reason': {'readonly': True}, + 'reason_type': {'readonly': True}, + } + + _attribute_map = { + 'reason': {'key': 'reason', 'type': 'str'}, + 'reason_type': {'key': 'reasonType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SecurityAlertPropertiesConfidenceReasonsItem, self).__init__(**kwargs) + self.reason = None + self.reason_type = None + + +class SecurityGroupEntity(Entity): + """Represents a security group entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". 
+ :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar distinguished_name: The group distinguished name. + :vartype distinguished_name: str + :ivar object_guid: A single-value attribute that is the unique identifier for the object, + assigned by active directory. + :vartype object_guid: str + :ivar sid: The SID attribute is a single-value attribute that specifies the security identifier + (SID) of the group. 
+ :vartype sid: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'distinguished_name': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'sid': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'distinguished_name': {'key': 'properties.distinguishedName', 'type': 'str'}, + 'object_guid': {'key': 'properties.objectGuid', 'type': 'str'}, + 'sid': {'key': 'properties.sid', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(SecurityGroupEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.distinguished_name = None + self.object_guid = None + self.sid = None + + +class SecurityGroupEntityProperties(EntityCommonProperties): + """SecurityGroup entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar distinguished_name: The group distinguished name. 
+ :vartype distinguished_name: str + :ivar object_guid: A single-value attribute that is the unique identifier for the object, + assigned by active directory. + :vartype object_guid: str + :ivar sid: The SID attribute is a single-value attribute that specifies the security identifier + (SID) of the group. + :vartype sid: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'distinguished_name': {'readonly': True}, + 'object_guid': {'readonly': True}, + 'sid': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'distinguished_name': {'key': 'distinguishedName', 'type': 'str'}, + 'object_guid': {'key': 'objectGuid', 'type': 'str'}, + 'sid': {'key': 'sid', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SecurityGroupEntityProperties, self).__init__(**kwargs) + self.distinguished_name = None + self.object_guid = None + self.sid = None + + +class SubmissionMailEntity(Entity): + """Represents a submission mail entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. 
+ :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_id: The network message id of email to which submission belongs. + :vartype network_message_id: str + :ivar submission_id: The submission id. + :vartype submission_id: str + :ivar submitter: The submitter. + :vartype submitter: str + :ivar submission_date: The submission date. + :vartype submission_date: ~datetime.datetime + :ivar timestamp: The Time stamp when the message is received (Mail). + :vartype timestamp: ~datetime.datetime + :ivar recipient: The recipient of the mail. + :vartype recipient: str + :ivar sender: The sender of the mail. + :vartype sender: str + :ivar sender_ip: The sender's IP. + :vartype sender_ip: str + :ivar subject: The subject of submission mail. + :vartype subject: str + :ivar report_type: The submission type for the given instance. This maps to Junk, Phish, + Malware or NotJunk. 
+ :vartype report_type: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'submission_id': {'readonly': True}, + 'submitter': {'readonly': True}, + 'submission_date': {'readonly': True}, + 'timestamp': {'readonly': True}, + 'recipient': {'readonly': True}, + 'sender': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'subject': {'readonly': True}, + 'report_type': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'network_message_id': {'key': 'properties.networkMessageId', 'type': 'str'}, + 'submission_id': {'key': 'properties.submissionId', 'type': 'str'}, + 'submitter': {'key': 'properties.submitter', 'type': 'str'}, + 'submission_date': {'key': 'properties.submissionDate', 'type': 'iso-8601'}, + 'timestamp': {'key': 'properties.timestamp', 'type': 'iso-8601'}, + 'recipient': {'key': 'properties.recipient', 'type': 'str'}, + 'sender': {'key': 'properties.sender', 'type': 'str'}, + 'sender_ip': {'key': 'properties.senderIp', 'type': 'str'}, + 'subject': {'key': 'properties.subject', 'type': 'str'}, + 'report_type': {'key': 'properties.reportType', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "EntityKindEnum"], + **kwargs + ): + super(SubmissionMailEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.network_message_id = None + self.submission_id = None + 
self.submitter = None + self.submission_date = None + self.timestamp = None + self.recipient = None + self.sender = None + self.sender_ip = None + self.subject = None + self.report_type = None + + +class SubmissionMailEntityProperties(EntityCommonProperties): + """Submission mail entity property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar network_message_id: The network message id of email to which submission belongs. + :vartype network_message_id: str + :ivar submission_id: The submission id. + :vartype submission_id: str + :ivar submitter: The submitter. + :vartype submitter: str + :ivar submission_date: The submission date. + :vartype submission_date: ~datetime.datetime + :ivar timestamp: The Time stamp when the message is received (Mail). + :vartype timestamp: ~datetime.datetime + :ivar recipient: The recipient of the mail. + :vartype recipient: str + :ivar sender: The sender of the mail. + :vartype sender: str + :ivar sender_ip: The sender's IP. + :vartype sender_ip: str + :ivar subject: The subject of submission mail. + :vartype subject: str + :ivar report_type: The submission type for the given instance. This maps to Junk, Phish, + Malware or NotJunk. 
+ :vartype report_type: str + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'network_message_id': {'readonly': True}, + 'submission_id': {'readonly': True}, + 'submitter': {'readonly': True}, + 'submission_date': {'readonly': True}, + 'timestamp': {'readonly': True}, + 'recipient': {'readonly': True}, + 'sender': {'readonly': True}, + 'sender_ip': {'readonly': True}, + 'subject': {'readonly': True}, + 'report_type': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'network_message_id': {'key': 'networkMessageId', 'type': 'str'}, + 'submission_id': {'key': 'submissionId', 'type': 'str'}, + 'submitter': {'key': 'submitter', 'type': 'str'}, + 'submission_date': {'key': 'submissionDate', 'type': 'iso-8601'}, + 'timestamp': {'key': 'timestamp', 'type': 'iso-8601'}, + 'recipient': {'key': 'recipient', 'type': 'str'}, + 'sender': {'key': 'sender', 'type': 'str'}, + 'sender_ip': {'key': 'senderIp', 'type': 'str'}, + 'subject': {'key': 'subject', 'type': 'str'}, + 'report_type': {'key': 'reportType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(SubmissionMailEntityProperties, self).__init__(**kwargs) + self.network_message_id = None + self.submission_id = None + self.submitter = None + self.submission_date = None + self.timestamp = None + self.recipient = None + self.sender = None + self.sender_ip = None + self.subject = None + self.report_type = None + + +class SystemData(msrest.serialization.Model): + """Metadata pertaining to creation and last modification of the resource. + + :param created_by: The identity that created the resource. + :type created_by: str + :param created_by_type: The type of identity that created the resource. Possible values + include: "User", "Application", "ManagedIdentity", "Key". 
+ :type created_by_type: str or ~security_insights.models.CreatedByType + :param created_at: The timestamp of resource creation (UTC). + :type created_at: ~datetime.datetime + :param last_modified_by: The identity that last modified the resource. + :type last_modified_by: str + :param last_modified_by_type: The type of identity that last modified the resource. Possible + values include: "User", "Application", "ManagedIdentity", "Key". + :type last_modified_by_type: str or ~security_insights.models.CreatedByType + :param last_modified_at: The timestamp of resource last modification (UTC). + :type last_modified_at: ~datetime.datetime + """ + + _attribute_map = { + 'created_by': {'key': 'createdBy', 'type': 'str'}, + 'created_by_type': {'key': 'createdByType', 'type': 'str'}, + 'created_at': {'key': 'createdAt', 'type': 'iso-8601'}, + 'last_modified_by': {'key': 'lastModifiedBy', 'type': 'str'}, + 'last_modified_by_type': {'key': 'lastModifiedByType', 'type': 'str'}, + 'last_modified_at': {'key': 'lastModifiedAt', 'type': 'iso-8601'}, + } + + def __init__( + self, + *, + created_by: Optional[str] = None, + created_by_type: Optional[Union[str, "CreatedByType"]] = None, + created_at: Optional[datetime.datetime] = None, + last_modified_by: Optional[str] = None, + last_modified_by_type: Optional[Union[str, "CreatedByType"]] = None, + last_modified_at: Optional[datetime.datetime] = None, + **kwargs + ): + super(SystemData, self).__init__(**kwargs) + self.created_by = created_by + self.created_by_type = created_by_type + self.created_at = created_at + self.last_modified_by = last_modified_by + self.last_modified_by_type = last_modified_by_type + self.last_modified_at = last_modified_at + + +class ThreatIntelligence(msrest.serialization.Model): + """ThreatIntelligence property bag. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar confidence: Confidence (must be between 0 and 1). 
+ :vartype confidence: float + :ivar provider_name: Name of the provider from whom this Threat Intelligence information was + received. + :vartype provider_name: str + :ivar report_link: Report link. + :vartype report_link: str + :ivar threat_description: Threat description (free text). + :vartype threat_description: str + :ivar threat_name: Threat name (e.g. "Jedobot malware"). + :vartype threat_name: str + :ivar threat_type: Threat type (e.g. "Botnet"). + :vartype threat_type: str + """ + + _validation = { + 'confidence': {'readonly': True}, + 'provider_name': {'readonly': True}, + 'report_link': {'readonly': True}, + 'threat_description': {'readonly': True}, + 'threat_name': {'readonly': True}, + 'threat_type': {'readonly': True}, + } + + _attribute_map = { + 'confidence': {'key': 'confidence', 'type': 'float'}, + 'provider_name': {'key': 'providerName', 'type': 'str'}, + 'report_link': {'key': 'reportLink', 'type': 'str'}, + 'threat_description': {'key': 'threatDescription', 'type': 'str'}, + 'threat_name': {'key': 'threatName', 'type': 'str'}, + 'threat_type': {'key': 'threatType', 'type': 'str'}, + } + + def __init__( + self, + **kwargs + ): + super(ThreatIntelligence, self).__init__(**kwargs) + self.confidence = None + self.provider_name = None + self.report_link = None + self.threat_description = None + self.threat_name = None + self.threat_type = None + + +class ThreatIntelligenceAppendTags(msrest.serialization.Model): + """Array of tags to be appended to the threat intelligence indicator. + + :param threat_intelligence_tags: List of tags to be appended. 
+ :type threat_intelligence_tags: list[str] + """ + + _attribute_map = { + 'threat_intelligence_tags': {'key': 'threatIntelligenceTags', 'type': '[str]'}, + } + + def __init__( + self, + *, + threat_intelligence_tags: Optional[List[str]] = None, + **kwargs + ): + super(ThreatIntelligenceAppendTags, self).__init__(**kwargs) + self.threat_intelligence_tags = threat_intelligence_tags + + +class ThreatIntelligenceExternalReference(msrest.serialization.Model): + """Describes external reference. + + :param description: External reference description. + :type description: str + :param external_id: External reference ID. + :type external_id: str + :param source_name: External reference source name. + :type source_name: str + :param url: External reference URL. + :type url: str + :param hashes: External reference hashes. + :type hashes: dict[str, str] + """ + + _attribute_map = { + 'description': {'key': 'description', 'type': 'str'}, + 'external_id': {'key': 'externalId', 'type': 'str'}, + 'source_name': {'key': 'sourceName', 'type': 'str'}, + 'url': {'key': 'url', 'type': 'str'}, + 'hashes': {'key': 'hashes', 'type': '{str}'}, + } + + def __init__( + self, + *, + description: Optional[str] = None, + external_id: Optional[str] = None, + source_name: Optional[str] = None, + url: Optional[str] = None, + hashes: Optional[Dict[str, str]] = None, + **kwargs + ): + super(ThreatIntelligenceExternalReference, self).__init__(**kwargs) + self.description = description + self.external_id = external_id + self.source_name = source_name + self.url = url + self.hashes = hashes + + +class ThreatIntelligenceFilteringCriteria(msrest.serialization.Model): + """Filtering criteria for querying threat intelligence indicators. + + :param page_size: Page size. + :type page_size: int + :param min_confidence: Minimum confidence. + :type min_confidence: int + :param max_confidence: Maximum confidence. + :type max_confidence: int + :param min_valid_until: Start time for ValidUntil filter. 
+ :type min_valid_until: str + :param max_valid_until: End time for ValidUntil filter. + :type max_valid_until: str + :param include_disabled: Parameter to include/exclude disabled indicators. + :type include_disabled: bool + :param sort_by: Columns to sort by and sorting order. + :type sort_by: list[~security_insights.models.ThreatIntelligenceSortingCriteria] + :param sources: Sources of threat intelligence indicators. + :type sources: list[str] + :param pattern_types: Pattern types. + :type pattern_types: list[str] + :param threat_types: Threat types of threat intelligence indicators. + :type threat_types: list[str] + :param ids: Ids of threat intelligence indicators. + :type ids: list[str] + :param keywords: Keywords for searching threat intelligence indicators. + :type keywords: list[str] + :param skip_token: Skip token. + :type skip_token: str + """ + + _attribute_map = { + 'page_size': {'key': 'pageSize', 'type': 'int'}, + 'min_confidence': {'key': 'minConfidence', 'type': 'int'}, + 'max_confidence': {'key': 'maxConfidence', 'type': 'int'}, + 'min_valid_until': {'key': 'minValidUntil', 'type': 'str'}, + 'max_valid_until': {'key': 'maxValidUntil', 'type': 'str'}, + 'include_disabled': {'key': 'includeDisabled', 'type': 'bool'}, + 'sort_by': {'key': 'sortBy', 'type': '[ThreatIntelligenceSortingCriteria]'}, + 'sources': {'key': 'sources', 'type': '[str]'}, + 'pattern_types': {'key': 'patternTypes', 'type': '[str]'}, + 'threat_types': {'key': 'threatTypes', 'type': '[str]'}, + 'ids': {'key': 'ids', 'type': '[str]'}, + 'keywords': {'key': 'keywords', 'type': '[str]'}, + 'skip_token': {'key': 'skipToken', 'type': 'str'}, + } + + def __init__( + self, + *, + page_size: Optional[int] = None, + min_confidence: Optional[int] = None, + max_confidence: Optional[int] = None, + min_valid_until: Optional[str] = None, + max_valid_until: Optional[str] = None, + include_disabled: Optional[bool] = None, + sort_by: Optional[List["ThreatIntelligenceSortingCriteria"]] = None, + 
sources: Optional[List[str]] = None, + pattern_types: Optional[List[str]] = None, + threat_types: Optional[List[str]] = None, + ids: Optional[List[str]] = None, + keywords: Optional[List[str]] = None, + skip_token: Optional[str] = None, + **kwargs + ): + super(ThreatIntelligenceFilteringCriteria, self).__init__(**kwargs) + self.page_size = page_size + self.min_confidence = min_confidence + self.max_confidence = max_confidence + self.min_valid_until = min_valid_until + self.max_valid_until = max_valid_until + self.include_disabled = include_disabled + self.sort_by = sort_by + self.sources = sources + self.pattern_types = pattern_types + self.threat_types = threat_types + self.ids = ids + self.keywords = keywords + self.skip_token = skip_token + + +class ThreatIntelligenceGranularMarkingModel(msrest.serialization.Model): + """Describes threat granular marking model entity. + + :param language: Language granular marking model. + :type language: str + :param marking_ref: marking reference granular marking model. + :type marking_ref: int + :param selectors: granular marking model selectors. + :type selectors: list[str] + """ + + _attribute_map = { + 'language': {'key': 'language', 'type': 'str'}, + 'marking_ref': {'key': 'markingRef', 'type': 'int'}, + 'selectors': {'key': 'selectors', 'type': '[str]'}, + } + + def __init__( + self, + *, + language: Optional[str] = None, + marking_ref: Optional[int] = None, + selectors: Optional[List[str]] = None, + **kwargs + ): + super(ThreatIntelligenceGranularMarkingModel, self).__init__(**kwargs) + self.language = language + self.marking_ref = marking_ref + self.selectors = selectors + + +class ThreatIntelligenceResourceKind(msrest.serialization.Model): + """Describes an entity with kind. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". 
+ :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + """ + + _validation = { + 'kind': {'required': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "ThreatIntelligenceResourceInnerKind"], + **kwargs + ): + super(ThreatIntelligenceResourceKind, self).__init__(**kwargs) + self.kind = kind + + +class ThreatIntelligenceInformation(ResourceWithEtag, ThreatIntelligenceResourceKind): + """Threat intelligence information object. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". + :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. 
+ :type etag: str + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + } + + def __init__( + self, + *, + kind: Union[str, "ThreatIntelligenceResourceInnerKind"], + etag: Optional[str] = None, + **kwargs + ): + super(ThreatIntelligenceInformation, self).__init__(etag=etag, kind=kind, **kwargs) + self.kind = kind + self.id = None + self.name = None + self.type = None + self.system_data = None + self.etag = etag + + +class ThreatIntelligenceIndicatorModel(ThreatIntelligenceInformation): + """Threat intelligence indicator entity. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". + :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + :ivar id: Azure resource Id. + :vartype id: str + :ivar name: Azure resource name. + :vartype name: str + :ivar type: Azure resource type. + :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :param etag: Etag of the azure resource. + :type etag: str + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. 
This property is optional and might be system generated. + :vartype friendly_name: str + :param threat_intelligence_tags: List of tags. + :type threat_intelligence_tags: list[str] + :param last_updated_time_utc: Last updated time in UTC. + :type last_updated_time_utc: str + :param source: Source of a threat intelligence entity. + :type source: str + :param display_name: Display name of a threat intelligence entity. + :type display_name: str + :param description: Description of a threat intelligence entity. + :type description: str + :param indicator_types: Indicator types of threat intelligence entities. + :type indicator_types: list[str] + :param pattern: Pattern of a threat intelligence entity. + :type pattern: str + :param pattern_type: Pattern type of a threat intelligence entity. + :type pattern_type: str + :param pattern_version: Pattern version of a threat intelligence entity. + :type pattern_version: str + :param kill_chain_phases: Kill chain phases. + :type kill_chain_phases: list[~security_insights.models.ThreatIntelligenceKillChainPhase] + :param parsed_pattern: Parsed patterns. + :type parsed_pattern: list[~security_insights.models.ThreatIntelligenceParsedPattern] + :param external_id: External ID of threat intelligence entity. + :type external_id: str + :param created_by_ref: Created by reference of threat intelligence entity. + :type created_by_ref: str + :param defanged: Is threat intelligence entity defanged. + :type defanged: bool + :param external_last_updated_time_utc: External last updated time in UTC. + :type external_last_updated_time_utc: str + :param external_references: External References. + :type external_references: list[~security_insights.models.ThreatIntelligenceExternalReference] + :param granular_markings: Granular Markings. + :type granular_markings: list[~security_insights.models.ThreatIntelligenceGranularMarkingModel] + :param labels: Labels of threat intelligence entity. 
+ :type labels: list[str] + :param revoked: Is threat intelligence entity revoked. + :type revoked: bool + :param confidence: Confidence of threat intelligence entity. + :type confidence: int + :param object_marking_refs: Threat intelligence entity object marking references. + :type object_marking_refs: list[str] + :param language: Language of threat intelligence entity. + :type language: str + :param threat_types: Threat types. + :type threat_types: list[str] + :param valid_from: Valid from. + :type valid_from: str + :param valid_until: Valid until. + :type valid_until: str + :param created: Created by. + :type created: str + :param modified: Modified by. + :type modified: str + :param extensions: Extensions map. + :type extensions: dict[str, object] + """ + + _validation = { + 'kind': {'required': True}, + 'id': {'readonly': True}, + 'name': {'readonly': True}, + 'type': {'readonly': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'id': {'key': 'id', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'threat_intelligence_tags': {'key': 'properties.threatIntelligenceTags', 'type': '[str]'}, + 'last_updated_time_utc': {'key': 'properties.lastUpdatedTimeUtc', 'type': 'str'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'indicator_types': {'key': 'properties.indicatorTypes', 'type': '[str]'}, + 'pattern': {'key': 'properties.pattern', 'type': 'str'}, + 'pattern_type': {'key': 
'properties.patternType', 'type': 'str'}, + 'pattern_version': {'key': 'properties.patternVersion', 'type': 'str'}, + 'kill_chain_phases': {'key': 'properties.killChainPhases', 'type': '[ThreatIntelligenceKillChainPhase]'}, + 'parsed_pattern': {'key': 'properties.parsedPattern', 'type': '[ThreatIntelligenceParsedPattern]'}, + 'external_id': {'key': 'properties.externalId', 'type': 'str'}, + 'created_by_ref': {'key': 'properties.createdByRef', 'type': 'str'}, + 'defanged': {'key': 'properties.defanged', 'type': 'bool'}, + 'external_last_updated_time_utc': {'key': 'properties.externalLastUpdatedTimeUtc', 'type': 'str'}, + 'external_references': {'key': 'properties.externalReferences', 'type': '[ThreatIntelligenceExternalReference]'}, + 'granular_markings': {'key': 'properties.granularMarkings', 'type': '[ThreatIntelligenceGranularMarkingModel]'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'revoked': {'key': 'properties.revoked', 'type': 'bool'}, + 'confidence': {'key': 'properties.confidence', 'type': 'int'}, + 'object_marking_refs': {'key': 'properties.objectMarkingRefs', 'type': '[str]'}, + 'language': {'key': 'properties.language', 'type': 'str'}, + 'threat_types': {'key': 'properties.threatTypes', 'type': '[str]'}, + 'valid_from': {'key': 'properties.validFrom', 'type': 'str'}, + 'valid_until': {'key': 'properties.validUntil', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'str'}, + 'modified': {'key': 'properties.modified', 'type': 'str'}, + 'extensions': {'key': 'properties.extensions', 'type': '{object}'}, + } + + def __init__( + self, + *, + kind: Union[str, "ThreatIntelligenceResourceInnerKind"], + etag: Optional[str] = None, + threat_intelligence_tags: Optional[List[str]] = None, + last_updated_time_utc: Optional[str] = None, + source: Optional[str] = None, + display_name: Optional[str] = None, + description: Optional[str] = None, + indicator_types: Optional[List[str]] = None, + pattern: Optional[str] = None, + 
pattern_type: Optional[str] = None, + pattern_version: Optional[str] = None, + kill_chain_phases: Optional[List["ThreatIntelligenceKillChainPhase"]] = None, + parsed_pattern: Optional[List["ThreatIntelligenceParsedPattern"]] = None, + external_id: Optional[str] = None, + created_by_ref: Optional[str] = None, + defanged: Optional[bool] = None, + external_last_updated_time_utc: Optional[str] = None, + external_references: Optional[List["ThreatIntelligenceExternalReference"]] = None, + granular_markings: Optional[List["ThreatIntelligenceGranularMarkingModel"]] = None, + labels: Optional[List[str]] = None, + revoked: Optional[bool] = None, + confidence: Optional[int] = None, + object_marking_refs: Optional[List[str]] = None, + language: Optional[str] = None, + threat_types: Optional[List[str]] = None, + valid_from: Optional[str] = None, + valid_until: Optional[str] = None, + created: Optional[str] = None, + modified: Optional[str] = None, + extensions: Optional[Dict[str, object]] = None, + **kwargs + ): + super(ThreatIntelligenceIndicatorModel, self).__init__(kind=kind, etag=etag, **kwargs) + self.additional_data = None + self.friendly_name = None + self.threat_intelligence_tags = threat_intelligence_tags + self.last_updated_time_utc = last_updated_time_utc + self.source = source + self.display_name = display_name + self.description = description + self.indicator_types = indicator_types + self.pattern = pattern + self.pattern_type = pattern_type + self.pattern_version = pattern_version + self.kill_chain_phases = kill_chain_phases + self.parsed_pattern = parsed_pattern + self.external_id = external_id + self.created_by_ref = created_by_ref + self.defanged = defanged + self.external_last_updated_time_utc = external_last_updated_time_utc + self.external_references = external_references + self.granular_markings = granular_markings + self.labels = labels + self.revoked = revoked + self.confidence = confidence + self.object_marking_refs = object_marking_refs + self.language 
= language + self.threat_types = threat_types + self.valid_from = valid_from + self.valid_until = valid_until + self.created = created + self.modified = modified + self.extensions = extensions + + +class ThreatIntelligenceIndicatorModelForRequestBody(ThreatIntelligenceResourceKind): + """Threat intelligence indicator entity used in request body. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :param kind: Required. The kind of the entity. Possible values include: "indicator". + :type kind: str or ~security_insights.models.ThreatIntelligenceResourceInnerKind + :param etag: Etag of the azure resource. + :type etag: str + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param threat_intelligence_tags: List of tags. + :type threat_intelligence_tags: list[str] + :param last_updated_time_utc: Last updated time in UTC. + :type last_updated_time_utc: str + :param source: Source of a threat intelligence entity. + :type source: str + :param display_name: Display name of a threat intelligence entity. + :type display_name: str + :param description: Description of a threat intelligence entity. + :type description: str + :param indicator_types: Indicator types of threat intelligence entities. + :type indicator_types: list[str] + :param pattern: Pattern of a threat intelligence entity. + :type pattern: str + :param pattern_type: Pattern type of a threat intelligence entity. + :type pattern_type: str + :param pattern_version: Pattern version of a threat intelligence entity. 
+ :type pattern_version: str + :param kill_chain_phases: Kill chain phases. + :type kill_chain_phases: list[~security_insights.models.ThreatIntelligenceKillChainPhase] + :param parsed_pattern: Parsed patterns. + :type parsed_pattern: list[~security_insights.models.ThreatIntelligenceParsedPattern] + :param external_id: External ID of threat intelligence entity. + :type external_id: str + :param created_by_ref: Created by reference of threat intelligence entity. + :type created_by_ref: str + :param defanged: Is threat intelligence entity defanged. + :type defanged: bool + :param external_last_updated_time_utc: External last updated time in UTC. + :type external_last_updated_time_utc: str + :param external_references: External References. + :type external_references: list[~security_insights.models.ThreatIntelligenceExternalReference] + :param granular_markings: Granular Markings. + :type granular_markings: list[~security_insights.models.ThreatIntelligenceGranularMarkingModel] + :param labels: Labels of threat intelligence entity. + :type labels: list[str] + :param revoked: Is threat intelligence entity revoked. + :type revoked: bool + :param confidence: Confidence of threat intelligence entity. + :type confidence: int + :param object_marking_refs: Threat intelligence entity object marking references. + :type object_marking_refs: list[str] + :param language: Language of threat intelligence entity. + :type language: str + :param threat_types: Threat types. + :type threat_types: list[str] + :param valid_from: Valid from. + :type valid_from: str + :param valid_until: Valid until. + :type valid_until: str + :param created: Created by. + :type created: str + :param modified: Modified by. + :type modified: str + :param extensions: Extensions map. 
+ :type extensions: dict[str, object] + """ + + _validation = { + 'kind': {'required': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, + 'etag': {'key': 'etag', 'type': 'str'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'threat_intelligence_tags': {'key': 'properties.threatIntelligenceTags', 'type': '[str]'}, + 'last_updated_time_utc': {'key': 'properties.lastUpdatedTimeUtc', 'type': 'str'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'indicator_types': {'key': 'properties.indicatorTypes', 'type': '[str]'}, + 'pattern': {'key': 'properties.pattern', 'type': 'str'}, + 'pattern_type': {'key': 'properties.patternType', 'type': 'str'}, + 'pattern_version': {'key': 'properties.patternVersion', 'type': 'str'}, + 'kill_chain_phases': {'key': 'properties.killChainPhases', 'type': '[ThreatIntelligenceKillChainPhase]'}, + 'parsed_pattern': {'key': 'properties.parsedPattern', 'type': '[ThreatIntelligenceParsedPattern]'}, + 'external_id': {'key': 'properties.externalId', 'type': 'str'}, + 'created_by_ref': {'key': 'properties.createdByRef', 'type': 'str'}, + 'defanged': {'key': 'properties.defanged', 'type': 'bool'}, + 'external_last_updated_time_utc': {'key': 'properties.externalLastUpdatedTimeUtc', 'type': 'str'}, + 'external_references': {'key': 'properties.externalReferences', 'type': '[ThreatIntelligenceExternalReference]'}, + 'granular_markings': {'key': 'properties.granularMarkings', 'type': '[ThreatIntelligenceGranularMarkingModel]'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'revoked': {'key': 'properties.revoked', 'type': 'bool'}, + 'confidence': {'key': 'properties.confidence', 'type': 
'int'}, + 'object_marking_refs': {'key': 'properties.objectMarkingRefs', 'type': '[str]'}, + 'language': {'key': 'properties.language', 'type': 'str'}, + 'threat_types': {'key': 'properties.threatTypes', 'type': '[str]'}, + 'valid_from': {'key': 'properties.validFrom', 'type': 'str'}, + 'valid_until': {'key': 'properties.validUntil', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'str'}, + 'modified': {'key': 'properties.modified', 'type': 'str'}, + 'extensions': {'key': 'properties.extensions', 'type': '{object}'}, + } + + def __init__( + self, + *, + kind: Union[str, "ThreatIntelligenceResourceInnerKind"], + etag: Optional[str] = None, + threat_intelligence_tags: Optional[List[str]] = None, + last_updated_time_utc: Optional[str] = None, + source: Optional[str] = None, + display_name: Optional[str] = None, + description: Optional[str] = None, + indicator_types: Optional[List[str]] = None, + pattern: Optional[str] = None, + pattern_type: Optional[str] = None, + pattern_version: Optional[str] = None, + kill_chain_phases: Optional[List["ThreatIntelligenceKillChainPhase"]] = None, + parsed_pattern: Optional[List["ThreatIntelligenceParsedPattern"]] = None, + external_id: Optional[str] = None, + created_by_ref: Optional[str] = None, + defanged: Optional[bool] = None, + external_last_updated_time_utc: Optional[str] = None, + external_references: Optional[List["ThreatIntelligenceExternalReference"]] = None, + granular_markings: Optional[List["ThreatIntelligenceGranularMarkingModel"]] = None, + labels: Optional[List[str]] = None, + revoked: Optional[bool] = None, + confidence: Optional[int] = None, + object_marking_refs: Optional[List[str]] = None, + language: Optional[str] = None, + threat_types: Optional[List[str]] = None, + valid_from: Optional[str] = None, + valid_until: Optional[str] = None, + created: Optional[str] = None, + modified: Optional[str] = None, + extensions: Optional[Dict[str, object]] = None, + **kwargs + ): + 
super(ThreatIntelligenceIndicatorModelForRequestBody, self).__init__(kind=kind, **kwargs) + self.etag = etag + self.additional_data = None + self.friendly_name = None + self.threat_intelligence_tags = threat_intelligence_tags + self.last_updated_time_utc = last_updated_time_utc + self.source = source + self.display_name = display_name + self.description = description + self.indicator_types = indicator_types + self.pattern = pattern + self.pattern_type = pattern_type + self.pattern_version = pattern_version + self.kill_chain_phases = kill_chain_phases + self.parsed_pattern = parsed_pattern + self.external_id = external_id + self.created_by_ref = created_by_ref + self.defanged = defanged + self.external_last_updated_time_utc = external_last_updated_time_utc + self.external_references = external_references + self.granular_markings = granular_markings + self.labels = labels + self.revoked = revoked + self.confidence = confidence + self.object_marking_refs = object_marking_refs + self.language = language + self.threat_types = threat_types + self.valid_from = valid_from + self.valid_until = valid_until + self.created = created + self.modified = modified + self.extensions = extensions + + +class ThreatIntelligenceIndicatorProperties(EntityCommonProperties): + """Describes threat intelligence entity properties. + + Variables are only populated by the server, and will be ignored when sending a request. + + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :param threat_intelligence_tags: List of tags. + :type threat_intelligence_tags: list[str] + :param last_updated_time_utc: Last updated time in UTC. 
+ :type last_updated_time_utc: str + :param source: Source of a threat intelligence entity. + :type source: str + :param display_name: Display name of a threat intelligence entity. + :type display_name: str + :param description: Description of a threat intelligence entity. + :type description: str + :param indicator_types: Indicator types of threat intelligence entities. + :type indicator_types: list[str] + :param pattern: Pattern of a threat intelligence entity. + :type pattern: str + :param pattern_type: Pattern type of a threat intelligence entity. + :type pattern_type: str + :param pattern_version: Pattern version of a threat intelligence entity. + :type pattern_version: str + :param kill_chain_phases: Kill chain phases. + :type kill_chain_phases: list[~security_insights.models.ThreatIntelligenceKillChainPhase] + :param parsed_pattern: Parsed patterns. + :type parsed_pattern: list[~security_insights.models.ThreatIntelligenceParsedPattern] + :param external_id: External ID of threat intelligence entity. + :type external_id: str + :param created_by_ref: Created by reference of threat intelligence entity. + :type created_by_ref: str + :param defanged: Is threat intelligence entity defanged. + :type defanged: bool + :param external_last_updated_time_utc: External last updated time in UTC. + :type external_last_updated_time_utc: str + :param external_references: External References. + :type external_references: list[~security_insights.models.ThreatIntelligenceExternalReference] + :param granular_markings: Granular Markings. + :type granular_markings: list[~security_insights.models.ThreatIntelligenceGranularMarkingModel] + :param labels: Labels of threat intelligence entity. + :type labels: list[str] + :param revoked: Is threat intelligence entity revoked. + :type revoked: bool + :param confidence: Confidence of threat intelligence entity. + :type confidence: int + :param object_marking_refs: Threat intelligence entity object marking references. 
+ :type object_marking_refs: list[str] + :param language: Language of threat intelligence entity. + :type language: str + :param threat_types: Threat types. + :type threat_types: list[str] + :param valid_from: Valid from. + :type valid_from: str + :param valid_until: Valid until. + :type valid_until: str + :param created: Created by. + :type created: str + :param modified: Modified by. + :type modified: str + :param extensions: Extensions map. + :type extensions: dict[str, object] + """ + + _validation = { + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + } + + _attribute_map = { + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'threat_intelligence_tags': {'key': 'threatIntelligenceTags', 'type': '[str]'}, + 'last_updated_time_utc': {'key': 'lastUpdatedTimeUtc', 'type': 'str'}, + 'source': {'key': 'source', 'type': 'str'}, + 'display_name': {'key': 'displayName', 'type': 'str'}, + 'description': {'key': 'description', 'type': 'str'}, + 'indicator_types': {'key': 'indicatorTypes', 'type': '[str]'}, + 'pattern': {'key': 'pattern', 'type': 'str'}, + 'pattern_type': {'key': 'patternType', 'type': 'str'}, + 'pattern_version': {'key': 'patternVersion', 'type': 'str'}, + 'kill_chain_phases': {'key': 'killChainPhases', 'type': '[ThreatIntelligenceKillChainPhase]'}, + 'parsed_pattern': {'key': 'parsedPattern', 'type': '[ThreatIntelligenceParsedPattern]'}, + 'external_id': {'key': 'externalId', 'type': 'str'}, + 'created_by_ref': {'key': 'createdByRef', 'type': 'str'}, + 'defanged': {'key': 'defanged', 'type': 'bool'}, + 'external_last_updated_time_utc': {'key': 'externalLastUpdatedTimeUtc', 'type': 'str'}, + 'external_references': {'key': 'externalReferences', 'type': '[ThreatIntelligenceExternalReference]'}, + 'granular_markings': {'key': 'granularMarkings', 'type': '[ThreatIntelligenceGranularMarkingModel]'}, + 'labels': {'key': 'labels', 'type': '[str]'}, + 
'revoked': {'key': 'revoked', 'type': 'bool'}, + 'confidence': {'key': 'confidence', 'type': 'int'}, + 'object_marking_refs': {'key': 'objectMarkingRefs', 'type': '[str]'}, + 'language': {'key': 'language', 'type': 'str'}, + 'threat_types': {'key': 'threatTypes', 'type': '[str]'}, + 'valid_from': {'key': 'validFrom', 'type': 'str'}, + 'valid_until': {'key': 'validUntil', 'type': 'str'}, + 'created': {'key': 'created', 'type': 'str'}, + 'modified': {'key': 'modified', 'type': 'str'}, + 'extensions': {'key': 'extensions', 'type': '{object}'}, + } + + def __init__( + self, + *, + threat_intelligence_tags: Optional[List[str]] = None, + last_updated_time_utc: Optional[str] = None, + source: Optional[str] = None, + display_name: Optional[str] = None, + description: Optional[str] = None, + indicator_types: Optional[List[str]] = None, + pattern: Optional[str] = None, + pattern_type: Optional[str] = None, + pattern_version: Optional[str] = None, + kill_chain_phases: Optional[List["ThreatIntelligenceKillChainPhase"]] = None, + parsed_pattern: Optional[List["ThreatIntelligenceParsedPattern"]] = None, + external_id: Optional[str] = None, + created_by_ref: Optional[str] = None, + defanged: Optional[bool] = None, + external_last_updated_time_utc: Optional[str] = None, + external_references: Optional[List["ThreatIntelligenceExternalReference"]] = None, + granular_markings: Optional[List["ThreatIntelligenceGranularMarkingModel"]] = None, + labels: Optional[List[str]] = None, + revoked: Optional[bool] = None, + confidence: Optional[int] = None, + object_marking_refs: Optional[List[str]] = None, + language: Optional[str] = None, + threat_types: Optional[List[str]] = None, + valid_from: Optional[str] = None, + valid_until: Optional[str] = None, + created: Optional[str] = None, + modified: Optional[str] = None, + extensions: Optional[Dict[str, object]] = None, + **kwargs + ): + super(ThreatIntelligenceIndicatorProperties, self).__init__(**kwargs) + self.threat_intelligence_tags = 
threat_intelligence_tags + self.last_updated_time_utc = last_updated_time_utc + self.source = source + self.display_name = display_name + self.description = description + self.indicator_types = indicator_types + self.pattern = pattern + self.pattern_type = pattern_type + self.pattern_version = pattern_version + self.kill_chain_phases = kill_chain_phases + self.parsed_pattern = parsed_pattern + self.external_id = external_id + self.created_by_ref = created_by_ref + self.defanged = defanged + self.external_last_updated_time_utc = external_last_updated_time_utc + self.external_references = external_references + self.granular_markings = granular_markings + self.labels = labels + self.revoked = revoked + self.confidence = confidence + self.object_marking_refs = object_marking_refs + self.language = language + self.threat_types = threat_types + self.valid_from = valid_from + self.valid_until = valid_until + self.created = created + self.modified = modified + self.extensions = extensions + + +class ThreatIntelligenceInformationList(msrest.serialization.Model): + """List of all the threat intelligence information objects. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of information objects. + :vartype next_link: str + :param value: Required. Array of threat intelligence information objects. 
+ :type value: list[~security_insights.models.ThreatIntelligenceInformation] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[ThreatIntelligenceInformation]'}, + } + + def __init__( + self, + *, + value: List["ThreatIntelligenceInformation"], + **kwargs + ): + super(ThreatIntelligenceInformationList, self).__init__(**kwargs) + self.next_link = None + self.value = value + + +class ThreatIntelligenceKillChainPhase(msrest.serialization.Model): + """Describes threat kill chain phase entity. + + :param kill_chain_name: Kill chainName name. + :type kill_chain_name: str + :param phase_name: Phase name. + :type phase_name: str + """ + + _attribute_map = { + 'kill_chain_name': {'key': 'killChainName', 'type': 'str'}, + 'phase_name': {'key': 'phaseName', 'type': 'str'}, + } + + def __init__( + self, + *, + kill_chain_name: Optional[str] = None, + phase_name: Optional[str] = None, + **kwargs + ): + super(ThreatIntelligenceKillChainPhase, self).__init__(**kwargs) + self.kill_chain_name = kill_chain_name + self.phase_name = phase_name + + +class ThreatIntelligenceMetric(msrest.serialization.Model): + """Describes threat intelligence metric. + + :param last_updated_time_utc: Last updated indicator metric. + :type last_updated_time_utc: str + :param threat_type_metrics: Threat type metrics. + :type threat_type_metrics: list[~security_insights.models.ThreatIntelligenceMetricEntity] + :param pattern_type_metrics: Pattern type metrics. + :type pattern_type_metrics: list[~security_insights.models.ThreatIntelligenceMetricEntity] + :param source_metrics: Source metrics. 
+ :type source_metrics: list[~security_insights.models.ThreatIntelligenceMetricEntity] + """ + + _attribute_map = { + 'last_updated_time_utc': {'key': 'lastUpdatedTimeUtc', 'type': 'str'}, + 'threat_type_metrics': {'key': 'threatTypeMetrics', 'type': '[ThreatIntelligenceMetricEntity]'}, + 'pattern_type_metrics': {'key': 'patternTypeMetrics', 'type': '[ThreatIntelligenceMetricEntity]'}, + 'source_metrics': {'key': 'sourceMetrics', 'type': '[ThreatIntelligenceMetricEntity]'}, + } + + def __init__( + self, + *, + last_updated_time_utc: Optional[str] = None, + threat_type_metrics: Optional[List["ThreatIntelligenceMetricEntity"]] = None, + pattern_type_metrics: Optional[List["ThreatIntelligenceMetricEntity"]] = None, + source_metrics: Optional[List["ThreatIntelligenceMetricEntity"]] = None, + **kwargs + ): + super(ThreatIntelligenceMetric, self).__init__(**kwargs) + self.last_updated_time_utc = last_updated_time_utc + self.threat_type_metrics = threat_type_metrics + self.pattern_type_metrics = pattern_type_metrics + self.source_metrics = source_metrics + + +class ThreatIntelligenceMetricEntity(msrest.serialization.Model): + """Describes threat intelligence metric entity. + + :param metric_name: Metric name. + :type metric_name: str + :param metric_value: Metric value. + :type metric_value: int + """ + + _attribute_map = { + 'metric_name': {'key': 'metricName', 'type': 'str'}, + 'metric_value': {'key': 'metricValue', 'type': 'int'}, + } + + def __init__( + self, + *, + metric_name: Optional[str] = None, + metric_value: Optional[int] = None, + **kwargs + ): + super(ThreatIntelligenceMetricEntity, self).__init__(**kwargs) + self.metric_name = metric_name + self.metric_value = metric_value + + +class ThreatIntelligenceMetrics(msrest.serialization.Model): + """Threat intelligence metrics. + + :param properties: Threat intelligence metrics. 
+ :type properties: ~security_insights.models.ThreatIntelligenceMetric + """ + + _attribute_map = { + 'properties': {'key': 'properties', 'type': 'ThreatIntelligenceMetric'}, + } + + def __init__( + self, + *, + properties: Optional["ThreatIntelligenceMetric"] = None, + **kwargs + ): + super(ThreatIntelligenceMetrics, self).__init__(**kwargs) + self.properties = properties + + +class ThreatIntelligenceMetricsList(msrest.serialization.Model): + """List of all the threat intelligence metric fields (type/threat type/source). + + All required parameters must be populated in order to send to Azure. + + :param value: Required. Array of threat intelligence metric fields (type/threat type/source). + :type value: list[~security_insights.models.ThreatIntelligenceMetrics] + """ + + _validation = { + 'value': {'required': True}, + } + + _attribute_map = { + 'value': {'key': 'value', 'type': '[ThreatIntelligenceMetrics]'}, + } + + def __init__( + self, + *, + value: List["ThreatIntelligenceMetrics"], + **kwargs + ): + super(ThreatIntelligenceMetricsList, self).__init__(**kwargs) + self.value = value + + +class ThreatIntelligenceParsedPattern(msrest.serialization.Model): + """Describes parsed pattern entity. + + :param pattern_type_key: Pattern type key. + :type pattern_type_key: str + :param pattern_type_values: Pattern type keys. 
+ :type pattern_type_values: + list[~security_insights.models.ThreatIntelligenceParsedPatternTypeValue] """ - _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'created_date_utc': {'readonly': True}, + _attribute_map = { + 'pattern_type_key': {'key': 'patternTypeKey', 'type': 'str'}, + 'pattern_type_values': {'key': 'patternTypeValues', 'type': '[ThreatIntelligenceParsedPatternTypeValue]'}, } + def __init__( + self, + *, + pattern_type_key: Optional[str] = None, + pattern_type_values: Optional[List["ThreatIntelligenceParsedPatternTypeValue"]] = None, + **kwargs + ): + super(ThreatIntelligenceParsedPattern, self).__init__(**kwargs) + self.pattern_type_key = pattern_type_key + self.pattern_type_values = pattern_type_values + + +class ThreatIntelligenceParsedPatternTypeValue(msrest.serialization.Model): + """Describes threat kill chain phase entity. + + :param value_type: Type of the value. + :type value_type: str + :param value: Value of parsed pattern. 
+ :type value: str + """ + _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'alert_rules_created_by_template_count': {'key': 'properties.alertRulesCreatedByTemplateCount', 'type': 'int'}, - 'created_date_utc': {'key': 'properties.createdDateUTC', 'type': 'iso-8601'}, - 'description': {'key': 'properties.description', 'type': 'str'}, - 'display_name': {'key': 'properties.displayName', 'type': 'str'}, - 'required_data_connectors': {'key': 'properties.requiredDataConnectors', 'type': '[AlertRuleTemplateDataSource]'}, - 'status': {'key': 'properties.status', 'type': 'str'}, - 'query': {'key': 'properties.query', 'type': 'str'}, - 'query_frequency': {'key': 'properties.queryFrequency', 'type': 'duration'}, - 'query_period': {'key': 'properties.queryPeriod', 'type': 'duration'}, - 'severity': {'key': 'properties.severity', 'type': 'str'}, - 'trigger_operator': {'key': 'properties.triggerOperator', 'type': 'str'}, - 'trigger_threshold': {'key': 'properties.triggerThreshold', 'type': 'int'}, - 'tactics': {'key': 'properties.tactics', 'type': '[str]'}, + 'value_type': {'key': 'valueType', 'type': 'str'}, + 'value': {'key': 'value', 'type': 'str'}, } def __init__( self, *, - alert_rules_created_by_template_count: Optional[int] = None, - description: Optional[str] = None, - display_name: Optional[str] = None, - required_data_connectors: Optional[List["AlertRuleTemplateDataSource"]] = None, - status: Optional[Union[str, "TemplateStatus"]] = None, - query: Optional[str] = None, - query_frequency: Optional[datetime.timedelta] = None, - query_period: Optional[datetime.timedelta] = None, - severity: Optional[Union[str, "AlertSeverity"]] = None, - trigger_operator: Optional[Union[str, "TriggerOperator"]] = None, - trigger_threshold: Optional[int] = None, - tactics: Optional[List[Union[str, "AttackTactic"]]] = None, + value_type: Optional[str] = 
None, + value: Optional[str] = None, **kwargs ): - super(ScheduledAlertRuleTemplate, self).__init__(**kwargs) - self.kind = 'Scheduled' # type: str - self.alert_rules_created_by_template_count = alert_rules_created_by_template_count - self.created_date_utc = None - self.description = description - self.display_name = display_name - self.required_data_connectors = required_data_connectors - self.status = status - self.query = query - self.query_frequency = query_frequency - self.query_period = query_period - self.severity = severity - self.trigger_operator = trigger_operator - self.trigger_threshold = trigger_threshold - self.tactics = tactics + super(ThreatIntelligenceParsedPatternTypeValue, self).__init__(**kwargs) + self.value_type = value_type + self.value = value -class Settings(ResourceWithEtag): - """The Settings. +class ThreatIntelligenceSortingCriteria(msrest.serialization.Model): + """List of available columns for sorting. - You probably want to use the sub-classes and not this class directly. Known - sub-classes are: ToggleSettings, UebaSettings. + :param item_key: Column name. + :type item_key: str + :param sort_order: Sorting order (ascending/descending/unsorted). Possible values include: + "unsorted", "ascending", "descending". + :type sort_order: str or ~security_insights.models.ThreatIntelligenceSortingOrder + """ + + _attribute_map = { + 'item_key': {'key': 'itemKey', 'type': 'str'}, + 'sort_order': {'key': 'sortOrder', 'type': 'str'}, + } + + def __init__( + self, + *, + item_key: Optional[str] = None, + sort_order: Optional[Union[str, "ThreatIntelligenceSortingOrder"]] = None, + **kwargs + ): + super(ThreatIntelligenceSortingCriteria, self).__init__(**kwargs) + self.item_key = item_key + self.sort_order = sort_order + + +class UrlEntity(Entity): + """Represents a url entity. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. 
+ :param kind: Required. The kind of the entity. Possible values include: "Account", "Host", + "File", "AzureResource", "CloudApplication", "DnsResolution", "FileHash", "Ip", "Malware", + "Process", "RegistryKey", "RegistryValue", "SecurityGroup", "Url", "IoTDevice", + "SecurityAlert", "Bookmark", "MailCluster", "MailMessage", "Mailbox", "SubmissionMail". + :type kind: str or ~security_insights.models.EntityKindEnum :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar url: A full URL the entity points to. 
+ :vartype url: str """ _validation = { + 'kind': {'required': True}, 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'url': {'readonly': True}, } _attribute_map = { + 'kind': {'key': 'kind', 'type': 'str'}, 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - } - - _subtype_map = { - 'kind': {'ToggleSettings': 'ToggleSettings', 'UebaSettings': 'UebaSettings'} + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, + 'additional_data': {'key': 'properties.additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'properties.friendlyName', 'type': 'str'}, + 'url': {'key': 'properties.url', 'type': 'str'}, } def __init__( self, *, - etag: Optional[str] = None, + kind: Union[str, "EntityKindEnum"], **kwargs ): - super(Settings, self).__init__(etag=etag, **kwargs) - self.kind = 'Settings' # type: str + super(UrlEntity, self).__init__(kind=kind, **kwargs) + self.additional_data = None + self.friendly_name = None + self.url = None -class ThreatIntelligence(msrest.serialization.Model): - """ThreatIntelligence property bag. +class UrlEntityProperties(EntityCommonProperties): + """Url entity property bag. Variables are only populated by the server, and will be ignored when sending a request. - :ivar confidence: Confidence (must be between 0 and 1). - :vartype confidence: float - :ivar provider_name: Name of the provider from whom this Threat Intelligence information was - received. - :vartype provider_name: str - :ivar report_link: Report link. - :vartype report_link: str - :ivar threat_description: Threat description (free text). - :vartype threat_description: str - :ivar threat_name: Threat name (e.g. "Jedobot malware"). 
- :vartype threat_name: str - :ivar threat_type: Threat type (e.g. "Botnet"). - :vartype threat_type: str + :ivar additional_data: A bag of custom fields that should be part of the entity and will be + presented to the user. + :vartype additional_data: dict[str, object] + :ivar friendly_name: The graph item display name which is a short humanly readable description + of the graph item instance. This property is optional and might be system generated. + :vartype friendly_name: str + :ivar url: A full URL the entity points to. + :vartype url: str """ _validation = { - 'confidence': {'readonly': True}, - 'provider_name': {'readonly': True}, - 'report_link': {'readonly': True}, - 'threat_description': {'readonly': True}, - 'threat_name': {'readonly': True}, - 'threat_type': {'readonly': True}, + 'additional_data': {'readonly': True}, + 'friendly_name': {'readonly': True}, + 'url': {'readonly': True}, } _attribute_map = { - 'confidence': {'key': 'confidence', 'type': 'float'}, - 'provider_name': {'key': 'providerName', 'type': 'str'}, - 'report_link': {'key': 'reportLink', 'type': 'str'}, - 'threat_description': {'key': 'threatDescription', 'type': 'str'}, - 'threat_name': {'key': 'threatName', 'type': 'str'}, - 'threat_type': {'key': 'threatType', 'type': 'str'}, + 'additional_data': {'key': 'additionalData', 'type': '{object}'}, + 'friendly_name': {'key': 'friendlyName', 'type': 'str'}, + 'url': {'key': 'url', 'type': 'str'}, } def __init__( self, **kwargs ): - super(ThreatIntelligence, self).__init__(**kwargs) - self.confidence = None - self.provider_name = None - self.report_link = None - self.threat_description = None - self.threat_name = None - self.threat_type = None + super(UrlEntityProperties, self).__init__(**kwargs) + self.url = None -class TIDataConnector(DataConnector): - """Represents threat intelligence data connector. +class UserInfo(msrest.serialization.Model): + """User information that made some action. 
Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. + :ivar email: The email of the user. + :vartype email: str + :ivar name: The name of the user. + :vartype name: str + :param object_id: The object id of the user. + :type object_id: str + """ + + _validation = { + 'email': {'readonly': True}, + 'name': {'readonly': True}, + } + + _attribute_map = { + 'email': {'key': 'email', 'type': 'str'}, + 'name': {'key': 'name', 'type': 'str'}, + 'object_id': {'key': 'objectId', 'type': 'str'}, + } + + def __init__( + self, + *, + object_id: Optional[str] = None, + **kwargs + ): + super(UserInfo, self).__init__(**kwargs) + self.email = None + self.name = None + self.object_id = object_id + + +class Watchlist(ResourceWithEtag): + """Represents a Watchlist in Azure Security Insights. + + Variables are only populated by the server, and will be ignored when sending a request. :ivar id: Azure resource Id. :vartype id: str 
@@ -3005,180 +7367,300 @@ class TIDataConnector(DataConnector): :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", - "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", - "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection". - :type kind: str or ~security_insights.models.DataConnectorKind - :param tenant_id: The tenant id to connect to, and get the data from. + :param watchlist_id: The id (a Guid) of the watchlist. + :type watchlist_id: str + :param display_name: The display name of the watchlist. + :type display_name: str + :param provider: The provider of the watchlist. + :type provider: str + :param source: The source of the watchlist. Possible values include: "Local file", "Remote + storage". + :type source: str or ~security_insights.models.Source + :param created: The time the watchlist was created. + :type created: ~datetime.datetime + :param updated: The last time the watchlist was updated. + :type updated: ~datetime.datetime + :param created_by: Describes a user that created the watchlist. + :type created_by: ~security_insights.models.UserInfo + :param updated_by: Describes a user that updated the watchlist. + :type updated_by: ~security_insights.models.UserInfo + :param description: A description of the watchlist. + :type description: str + :param watchlist_type: The type of the watchlist. + :type watchlist_type: str + :param watchlist_alias: The alias of the watchlist. + :type watchlist_alias: str + :param is_deleted: A flag that indicates if the watchlist is deleted or not. 
+ :type is_deleted: bool + :param labels: List of labels relevant to this watchlist. + :type labels: list[str] + :param default_duration: The default duration of a watchlist (in ISO 8601 duration format). + :type default_duration: ~datetime.timedelta + :param tenant_id: The tenantId where the watchlist belongs to. :type tenant_id: str - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". - :type state: str or ~security_insights.models.DataTypeState + :param number_of_lines_to_skip: The number of lines in a csv content to skip before the header. + :type number_of_lines_to_skip: int + :param raw_content: The raw content that represents to watchlist items to create. Example : + This line will be skipped + header1,header2 + value1,value2. + :type raw_content: str + :param items_search_key: The search key is used to optimize query performance when using + watchlists for joins with other data. For example, enable a column with IP addresses to be the + designated SearchKey field, then use this field as the key field when joining to other event + data by IP address. + :type items_search_key: str + :param content_type: The content type of the raw content. For now, only text/csv is valid. + :type content_type: str + :param upload_status: The status of the Watchlist upload : New, InProgress or Complete. + **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted. 
+ :type upload_status: str """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, + 'watchlist_id': {'key': 'properties.watchlistId', 'type': 'str'}, + 'display_name': {'key': 'properties.displayName', 'type': 'str'}, + 'provider': {'key': 'properties.provider', 'type': 'str'}, + 'source': {'key': 'properties.source', 'type': 'str'}, + 'created': {'key': 'properties.created', 'type': 'iso-8601'}, + 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, + 'created_by': {'key': 'properties.createdBy', 'type': 'UserInfo'}, + 'updated_by': {'key': 'properties.updatedBy', 'type': 'UserInfo'}, + 'description': {'key': 'properties.description', 'type': 'str'}, + 'watchlist_type': {'key': 'properties.watchlistType', 'type': 'str'}, + 'watchlist_alias': {'key': 'properties.watchlistAlias', 'type': 'str'}, + 'is_deleted': {'key': 'properties.isDeleted', 'type': 'bool'}, + 'labels': {'key': 'properties.labels', 'type': '[str]'}, + 'default_duration': {'key': 'properties.defaultDuration', 'type': 'duration'}, 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, - 'state': {'key': 'dataTypes.indicators.state', 'type': 'str'}, + 'number_of_lines_to_skip': {'key': 'properties.numberOfLinesToSkip', 'type': 'int'}, + 'raw_content': {'key': 'properties.rawContent', 'type': 'str'}, + 'items_search_key': {'key': 'properties.itemsSearchKey', 'type': 'str'}, + 'content_type': {'key': 'properties.contentType', 'type': 'str'}, + 'upload_status': {'key': 'properties.uploadStatus', 'type': 'str'}, } def __init__( self, *, etag: Optional[str] = None, + watchlist_id: Optional[str] = None, + 
display_name: Optional[str] = None, + provider: Optional[str] = None, + source: Optional[Union[str, "Source"]] = None, + created: Optional[datetime.datetime] = None, + updated: Optional[datetime.datetime] = None, + created_by: Optional["UserInfo"] = None, + updated_by: Optional["UserInfo"] = None, + description: Optional[str] = None, + watchlist_type: Optional[str] = None, + watchlist_alias: Optional[str] = None, + is_deleted: Optional[bool] = None, + labels: Optional[List[str]] = None, + default_duration: Optional[datetime.timedelta] = None, tenant_id: Optional[str] = None, - state: Optional[Union[str, "DataTypeState"]] = None, + number_of_lines_to_skip: Optional[int] = None, + raw_content: Optional[str] = None, + items_search_key: Optional[str] = None, + content_type: Optional[str] = None, + upload_status: Optional[str] = None, **kwargs ): - super(TIDataConnector, self).__init__(etag=etag, **kwargs) - self.kind = 'ThreatIntelligence' # type: str + super(Watchlist, self).__init__(etag=etag, **kwargs) + self.watchlist_id = watchlist_id + self.display_name = display_name + self.provider = provider + self.source = source + self.created = created + self.updated = updated + self.created_by = created_by + self.updated_by = updated_by + self.description = description + self.watchlist_type = watchlist_type + self.watchlist_alias = watchlist_alias + self.is_deleted = is_deleted + self.labels = labels + self.default_duration = default_duration self.tenant_id = tenant_id - self.state = state + self.number_of_lines_to_skip = number_of_lines_to_skip + self.raw_content = raw_content + self.items_search_key = items_search_key + self.content_type = content_type + self.upload_status = upload_status -class TIDataConnectorDataTypesIndicators(DataConnectorDataTypeCommon): - """Data type for indicators connection. - - :param state: Describe whether this data type connection is enabled or not. Possible values - include: "Enabled", "Disabled". 
- :type state: str or ~security_insights.models.DataTypeState - """ - - _attribute_map = { - 'state': {'key': 'state', 'type': 'str'}, - } - - def __init__( - self, - *, - state: Optional[Union[str, "DataTypeState"]] = None, - **kwargs - ): - super(TIDataConnectorDataTypesIndicators, self).__init__(state=state, **kwargs) - - -class ToggleSettings(Settings): - """Settings with single toggle. +class WatchlistItem(ResourceWithEtag): + """Represents a Watchlist Item in Azure Security Insights. Variables are only populated by the server, and will be ignored when sending a request. - All required parameters must be populated in order to send to Azure. - :ivar id: Azure resource Id. :vartype id: str :ivar name: Azure resource name. :vartype name: str :ivar type: Azure resource type. :vartype type: str + :ivar system_data: Azure Resource Manager metadata containing createdBy and modifiedBy + information. + :vartype system_data: ~security_insights.models.SystemData :param etag: Etag of the azure resource. :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :param is_enabled: Determines whether the setting is enable or disabled. - :type is_enabled: bool + :param watchlist_item_type: The type of the watchlist item. + :type watchlist_item_type: str + :param watchlist_item_id: The id (a Guid) of the watchlist item. + :type watchlist_item_id: str + :param tenant_id: The tenantId to which the watchlist item belongs to. + :type tenant_id: str + :param is_deleted: A flag that indicates if the watchlist item is deleted or not. + :type is_deleted: bool + :param created: The time the watchlist item was created. + :type created: ~datetime.datetime + :param updated: The last time the watchlist item was updated. + :type updated: ~datetime.datetime + :param created_by: Describes a user that created the watchlist item. 
+ :type created_by: ~security_insights.models.UserInfo + :param updated_by: Describes a user that updated the watchlist item. + :type updated_by: ~security_insights.models.UserInfo + :param items_key_value: key-value pairs for a watchlist item. + :type items_key_value: object + :param entity_mapping: key-value pairs for a watchlist item entity mapping. + :type entity_mapping: object """ _validation = { 'id': {'readonly': True}, 'name': {'readonly': True}, 'type': {'readonly': True}, - 'kind': {'required': True}, + 'system_data': {'readonly': True}, } _attribute_map = { 'id': {'key': 'id', 'type': 'str'}, 'name': {'key': 'name', 'type': 'str'}, 'type': {'key': 'type', 'type': 'str'}, + 'system_data': {'key': 'systemData', 'type': 'SystemData'}, 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, + 'watchlist_item_type': {'key': 'properties.watchlistItemType', 'type': 'str'}, + 'watchlist_item_id': {'key': 'properties.watchlistItemId', 'type': 'str'}, + 'tenant_id': {'key': 'properties.tenantId', 'type': 'str'}, + 'is_deleted': {'key': 'properties.isDeleted', 'type': 'bool'}, + 'created': {'key': 'properties.created', 'type': 'iso-8601'}, + 'updated': {'key': 'properties.updated', 'type': 'iso-8601'}, + 'created_by': {'key': 'properties.createdBy', 'type': 'UserInfo'}, + 'updated_by': {'key': 'properties.updatedBy', 'type': 'UserInfo'}, + 'items_key_value': {'key': 'properties.itemsKeyValue', 'type': 'object'}, + 'entity_mapping': {'key': 'properties.entityMapping', 'type': 'object'}, } def __init__( self, *, etag: Optional[str] = None, - is_enabled: Optional[bool] = None, + watchlist_item_type: Optional[str] = None, + watchlist_item_id: Optional[str] = None, + tenant_id: Optional[str] = None, + is_deleted: Optional[bool] = None, + created: Optional[datetime.datetime] = None, + updated: Optional[datetime.datetime] = None, + created_by: Optional["UserInfo"] = None, + 
updated_by: Optional["UserInfo"] = None, + items_key_value: Optional[object] = None, + entity_mapping: Optional[object] = None, **kwargs ): - super(ToggleSettings, self).__init__(etag=etag, **kwargs) - self.kind = 'ToggleSettings' # type: str - self.is_enabled = is_enabled + super(WatchlistItem, self).__init__(etag=etag, **kwargs) + self.watchlist_item_type = watchlist_item_type + self.watchlist_item_id = watchlist_item_id + self.tenant_id = tenant_id + self.is_deleted = is_deleted + self.created = created + self.updated = updated + self.created_by = created_by + self.updated_by = updated_by + self.items_key_value = items_key_value + self.entity_mapping = entity_mapping -class UebaSettings(Settings): - """Represents settings for User and Entity Behavior Analytics enablement. +class WatchlistItemList(msrest.serialization.Model): + """List all the watchlist items. Variables are only populated by the server, and will be ignored when sending a request. All required parameters must be populated in order to send to Azure. - :ivar id: Azure resource Id. - :vartype id: str - :ivar name: Azure resource name. - :vartype name: str - :ivar type: Azure resource type. - :vartype type: str - :param etag: Etag of the azure resource. - :type etag: str - :param kind: Required. The data connector kind.Constant filled by server. Possible values - include: "UebaSettings", "ToggleSettings". - :type kind: str or ~security_insights.models.SettingKind - :ivar atp_license_status: Determines whether the tenant has ATP (Advanced Threat Protection) - license. Possible values include: "Enabled", "Disabled". - :vartype atp_license_status: str or ~security_insights.models.LicenseStatus - :param is_enabled: Determines whether User and Entity Behavior Analytics is enabled for this - workspace. - :type is_enabled: bool - :ivar status_in_mcas: Determines whether User and Entity Behavior Analytics is enabled from - MCAS (Microsoft Cloud App Security). Possible values include: "Enabled", "Disabled". 
- :vartype status_in_mcas: str or ~security_insights.models.StatusInMCAS + :ivar next_link: URL to fetch the next set of watchlist items. + :vartype next_link: str + :param value: Required. Array of watchlist items. + :type value: list[~security_insights.models.WatchlistItem] """ _validation = { - 'id': {'readonly': True}, - 'name': {'readonly': True}, - 'type': {'readonly': True}, - 'kind': {'required': True}, - 'atp_license_status': {'readonly': True}, - 'status_in_mcas': {'readonly': True}, + 'next_link': {'readonly': True}, + 'value': {'required': True}, } _attribute_map = { - 'id': {'key': 'id', 'type': 'str'}, - 'name': {'key': 'name', 'type': 'str'}, - 'type': {'key': 'type', 'type': 'str'}, - 'etag': {'key': 'etag', 'type': 'str'}, - 'kind': {'key': 'kind', 'type': 'str'}, - 'atp_license_status': {'key': 'properties.atpLicenseStatus', 'type': 'str'}, - 'is_enabled': {'key': 'properties.isEnabled', 'type': 'bool'}, - 'status_in_mcas': {'key': 'properties.statusInMcas', 'type': 'str'}, + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[WatchlistItem]'}, } def __init__( self, *, - etag: Optional[str] = None, - is_enabled: Optional[bool] = None, + value: List["WatchlistItem"], + **kwargs + ): + super(WatchlistItemList, self).__init__(**kwargs) + self.next_link = None + self.value = value + + +class WatchlistList(msrest.serialization.Model): + """List all the watchlists. + + Variables are only populated by the server, and will be ignored when sending a request. + + All required parameters must be populated in order to send to Azure. + + :ivar next_link: URL to fetch the next set of watchlists. + :vartype next_link: str + :param value: Required. Array of watchlist. 
+ :type value: list[~security_insights.models.Watchlist] + """ + + _validation = { + 'next_link': {'readonly': True}, + 'value': {'required': True}, + } + + _attribute_map = { + 'next_link': {'key': 'nextLink', 'type': 'str'}, + 'value': {'key': 'value', 'type': '[Watchlist]'}, + } + + def __init__( + self, + *, + value: List["Watchlist"], **kwargs ): - super(UebaSettings, self).__init__(etag=etag, **kwargs) - self.kind = 'UebaSettings' # type: str - self.atp_license_status = None - self.is_enabled = is_enabled - self.status_in_mcas = None + super(WatchlistList, self).__init__(**kwargs) + self.next_link = None + self.value = value diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py index ff1e2d1db57..5ed163bf0d8 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/models/_security_insights_enums.py 
@@ -43,6 +43,25 @@ class AlertSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): LOW = "Low" #: Low severity. INFORMATIONAL = "Informational" #: Informational severity. +class AlertStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The lifecycle status of the alert. + """ + + UNKNOWN = "Unknown" #: Unknown value. + NEW = "New" #: New alert. + RESOLVED = "Resolved" #: Alert closed after handling. + DISMISSED = "Dismissed" #: Alert dismissed as false positive. + IN_PROGRESS = "InProgress" #: Alert is being handled. + +class AntispamMailDirection(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The directionality of this mail message + """ + + UNKNOWN = "Unknown" #: Unknown. + INBOUND = "Inbound" #: Inbound. + OUTBOUND = "Outbound" #: Outbound. + INTRAORG = "Intraorg" #: Intraorg. + class AttackTactic(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """The severity for alerts created by this alert rule. """ 
@@ -70,25 +89,100 @@ class CaseSeverity(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): LOW = "Low" #: Low severity. INFORMATIONAL = "Informational" #: Informational severity. -class DataConnectorKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The kind of the data connector +class ConfidenceLevel(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The confidence level of this alert. + """ + + UNKNOWN = "Unknown" #: Unknown confidence, the is the default value. + LOW = "Low" #: Low confidence, meaning we have some doubts this is indeed malicious or part of an attack. + HIGH = "High" #: High confidence that the alert is true positive malicious. + +class ConfidenceScoreStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The confidence score calculation status, i.e. indicating if score calculation is pending for + this alert, not applicable or final. + """ + + NOT_APPLICABLE = "NotApplicable" #: Score will not be calculated for this alert as it is not supported by virtual analyst. + IN_PROCESS = "InProcess" #: No score was set yet and calculation is in progress. + NOT_FINAL = "NotFinal" #: Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data. + FINAL = "Final" #: Final score was calculated and available. + +class CreatedByType(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The type of identity that created the resource. + """ + + USER = "User" + APPLICATION = "Application" + MANAGED_IDENTITY = "ManagedIdentity" + KEY = "Key" + +class DeliveryAction(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The delivery action of this mail message like Delivered, Blocked, Replaced etc + """ + + UNKNOWN = "Unknown" #: Unknown. + DELIVERED_AS_SPAM = "DeliveredAsSpam" #: DeliveredAsSpam. + DELIVERED = "Delivered" #: Delivered. + BLOCKED = "Blocked" #: Blocked. + REPLACED = "Replaced" #: Replaced. 
+ +class DeliveryLocation(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The delivery location of this mail message like Inbox, JunkFolder etc + """ + + UNKNOWN = "Unknown" #: Unknown. + INBOX = "Inbox" #: Inbox. + JUNK_FOLDER = "JunkFolder" #: JunkFolder. + DELETED_FOLDER = "DeletedFolder" #: DeletedFolder. + QUARANTINE = "Quarantine" #: Quarantine. + EXTERNAL = "External" #: External. + FAILED = "Failed" #: Failed. + DROPPED = "Dropped" #: Dropped. + FORWARDED = "Forwarded" #: Forwarded. + +class ElevationToken(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The elevation token associated with the process. """ - AZURE_ACTIVE_DIRECTORY = "AzureActiveDirectory" - AZURE_SECURITY_CENTER = "AzureSecurityCenter" - MICROSOFT_CLOUD_APP_SECURITY = "MicrosoftCloudAppSecurity" - THREAT_INTELLIGENCE = "ThreatIntelligence" - OFFICE365 = "Office365" - AMAZON_WEB_SERVICES_CLOUD_TRAIL = "AmazonWebServicesCloudTrail" - AZURE_ADVANCED_THREAT_PROTECTION = "AzureAdvancedThreatProtection" - MICROSOFT_DEFENDER_ADVANCED_THREAT_PROTECTION = "MicrosoftDefenderAdvancedThreatProtection" + DEFAULT = "Default" #: Default elevation token. + FULL = "Full" #: Full elevation token. + LIMITED = "Limited" #: Limited elevation token. -class DataTypeState(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """Describe whether this data type connection is enabled or not. +class EntityKindEnum(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The kind of the entity """ - ENABLED = "Enabled" - DISABLED = "Disabled" + ACCOUNT = "Account" #: Entity represents account in the system. + HOST = "Host" #: Entity represents host in the system. + FILE = "File" #: Entity represents file in the system. + AZURE_RESOURCE = "AzureResource" #: Entity represents azure resource in the system. + CLOUD_APPLICATION = "CloudApplication" #: Entity represents cloud application in the system. + DNS_RESOLUTION = "DnsResolution" #: Entity represents dns resolution in the system. 
+ FILE_HASH = "FileHash" #: Entity represents file hash in the system. + IP = "Ip" #: Entity represents ip in the system. + MALWARE = "Malware" #: Entity represents malware in the system. + PROCESS = "Process" #: Entity represents process in the system. + REGISTRY_KEY = "RegistryKey" #: Entity represents registry key in the system. + REGISTRY_VALUE = "RegistryValue" #: Entity represents registry value in the system. + SECURITY_GROUP = "SecurityGroup" #: Entity represents security group in the system. + URL = "Url" #: Entity represents url in the system. + IO_T_DEVICE = "IoTDevice" #: Entity represents IoT device in the system. + SECURITY_ALERT = "SecurityAlert" #: Entity represents security alert in the system. + BOOKMARK = "Bookmark" #: Entity represents bookmark in the system. + MAIL_CLUSTER = "MailCluster" #: Entity represents mail cluster in the system. + MAIL_MESSAGE = "MailMessage" #: Entity represents mail message in the system. + MAILBOX = "Mailbox" #: Entity represents mailbox in the system. + SUBMISSION_MAIL = "SubmissionMail" #: Entity represents submission mail in the system. + +class FileHashAlgorithm(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The hash algorithm type. + """ + + UNKNOWN = "Unknown" #: Unknown hash algorithm. + MD5 = "MD5" #: MD5 hash type. + SHA1 = "SHA1" #: SHA1 hash type. + SHA256 = "SHA256" #: SHA256 hash type. + SHA256_AC = "SHA256AC" #: SHA256 Authenticode hash type. class IncidentClassification(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """The reason the incident was closed 
@@ -132,12 +226,24 @@ class IncidentStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): ACTIVE = "Active" #: An active incident which is being handled. CLOSED = "Closed" #: A non-active incident. -class LicenseStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """Determines whether the tenant has ATP (Advanced Threat Protection) license. +class KillChainIntent(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """Holds the alert intent stage(s) mapping for this alert. """ - ENABLED = "Enabled" - DISABLED = "Disabled" + UNKNOWN = "Unknown" #: The default value. + PROBING = "Probing" #: Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in. + EXPLOITATION = "Exploitation" #: Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage. + PERSISTENCE = "Persistence" #: Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access. + PRIVILEGE_ESCALATION = "PrivilegeEscalation" #: Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. 
User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege. + DEFENSE_EVASION = "DefenseEvasion" #: Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. + CREDENTIAL_ACCESS = "CredentialAccess" #: Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. + DISCOVERY = "Discovery" #: Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. + LATERAL_MOVEMENT = "LateralMovement" #: Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. 
An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect. + EXECUTION = "Execution" #: The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network. + COLLECTION = "Collection" #: Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. + EXFILTRATION = "Exfiltration" #: Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. + COMMAND_AND_CONTROL = "CommandAndControl" #: The command and control tactic represents how adversaries communicate with systems under their control within a target network. + IMPACT = "Impact" #: The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others. class MicrosoftSecurityProductName(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """The alerts' productName on which the cases will be generated 
@@ -149,20 +255,51 @@ class MicrosoftSecurityProductName(with_metaclass(_CaseInsensitiveEnumMeta, str, AZURE_ACTIVE_DIRECTORY_IDENTITY_PROTECTION = "Azure Active Directory Identity Protection" AZURE_SECURITY_CENTER_FOR_IO_T = "Azure Security Center for IoT" -class SettingKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """The kind of the setting +class OsFamily(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The operating system type. + """ + + LINUX = "Linux" #: Host with Linux operating system. + WINDOWS = "Windows" #: Host with Windows operating system. + ANDROID = "Android" #: Host with Android operating system. + IOS = "IOS" #: Host with IOS operating system. + UNKNOWN = "Unknown" #: Host with Unknown operating system. + +class RegistryHive(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """the hive that holds the registry key. """ - UEBA_SETTINGS = "UebaSettings" - TOGGLE_SETTINGS = "ToggleSettings" + HKEY_LOCAL_MACHINE = "HKEY_LOCAL_MACHINE" #: HKEY_LOCAL_MACHINE. + HKEY_CLASSES_ROOT = "HKEY_CLASSES_ROOT" #: HKEY_CLASSES_ROOT. + HKEY_CURRENT_CONFIG = "HKEY_CURRENT_CONFIG" #: HKEY_CURRENT_CONFIG. + HKEY_USERS = "HKEY_USERS" #: HKEY_USERS. + HKEY_CURRENT_USER_LOCAL_SETTINGS = "HKEY_CURRENT_USER_LOCAL_SETTINGS" #: HKEY_CURRENT_USER_LOCAL_SETTINGS. + HKEY_PERFORMANCE_DATA = "HKEY_PERFORMANCE_DATA" #: HKEY_PERFORMANCE_DATA. + HKEY_PERFORMANCE_NLSTEXT = "HKEY_PERFORMANCE_NLSTEXT" #: HKEY_PERFORMANCE_NLSTEXT. + HKEY_PERFORMANCE_TEXT = "HKEY_PERFORMANCE_TEXT" #: HKEY_PERFORMANCE_TEXT. + HKEY_A = "HKEY_A" #: HKEY_A. + HKEY_CURRENT_USER = "HKEY_CURRENT_USER" #: HKEY_CURRENT_USER. + +class RegistryValueKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """Specifies the data types to use when storing values in the registry, or identifies the data + type of a value in the registry. 
+ """ -class StatusInMCAS(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): - """Determines whether User and Entity Behavior Analytics is enabled from MCAS (Microsoft Cloud App - Security). + NONE = "None" #: None. + UNKNOWN = "Unknown" #: Unknown value type. + STRING = "String" #: String value type. + EXPAND_STRING = "ExpandString" #: ExpandString value type. + BINARY = "Binary" #: Binary value type. + D_WORD = "DWord" #: DWord value type. + MULTI_STRING = "MultiString" #: MultiString value type. + Q_WORD = "QWord" #: QWord value type. + +class Source(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The source of the watchlist """ - ENABLED = "Enabled" - DISABLED = "Disabled" + LOCAL_FILE = "Local file" + REMOTE_STORAGE = "Remote storage" class TemplateStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """The alert rule template status. @@ -172,6 +309,20 @@ class TemplateStatus(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): AVAILABLE = "Available" #: Alert rule template is available. NOT_AVAILABLE = "NotAvailable" #: Alert rule template is not available. +class ThreatIntelligenceResourceInnerKind(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """The kind of the threat intelligence entity + """ + + INDICATOR = "indicator" #: Entity represents threat intelligence indicator in the system. + +class ThreatIntelligenceSortingOrder(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): + """Sorting order (ascending/descending/unsorted). + """ + + UNSORTED = "unsorted" + ASCENDING = "ascending" + DESCENDING = "descending" + class TriggerOperator(with_metaclass(_CaseInsensitiveEnumMeta, str, Enum)): """The operation against the threshold that triggers alert rule. """ diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py index 5e67996dcd4..ac1147562ea 100644 
--- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/__init__.py 
@@ -6,22 +6,30 @@ # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -from ._operation_operations import OperationOperations -from ._alert_rule_operations import AlertRuleOperations -from ._action_operations import ActionOperations -from ._alert_rule_template_operations import AlertRuleTemplateOperations -from ._bookmark_operations import BookmarkOperations -from ._data_connector_operations import DataConnectorOperations -from ._incident_operations import IncidentOperations -from ._incident_comment_operations import IncidentCommentOperations +from ._incidents_operations import IncidentsOperations +from ._incident_comments_operations import IncidentCommentsOperations +from ._incident_relations_operations import IncidentRelationsOperations +from ._threat_intelligence_indicator_operations import ThreatIntelligenceIndicatorOperations +from ._threat_intelligence_indicators_operations import ThreatIntelligenceIndicatorsOperations +from ._threat_intelligence_indicator_metrics_operations import ThreatIntelligenceIndicatorMetricsOperations +from ._watchlists_operations import WatchlistsOperations +from ._watchlist_items_operations import WatchlistItemsOperations +from ._operations import Operations +from ._alert_rules_operations import AlertRulesOperations +from ._actions_operations import ActionsOperations +from ._alert_rule_templates_operations import AlertRuleTemplatesOperations __all__ = [ - 'OperationOperations', - 'AlertRuleOperations', - 'ActionOperations', - 'AlertRuleTemplateOperations', - 'BookmarkOperations', - 'DataConnectorOperations', - 'IncidentOperations', - 'IncidentCommentOperations', + 'IncidentsOperations', + 'IncidentCommentsOperations', + 'IncidentRelationsOperations', + 'ThreatIntelligenceIndicatorOperations', + 'ThreatIntelligenceIndicatorsOperations', + 'ThreatIntelligenceIndicatorMetricsOperations', + 'WatchlistsOperations', + 
'WatchlistItemsOperations', + 'Operations', + 'AlertRulesOperations', + 'ActionsOperations', + 'AlertRuleTemplatesOperations', ] diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_actions_operations.py similarity index 72% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_actions_operations.py index 0121790c420..3dbfa7a3bd6 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_bookmark_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_actions_operations.py @@ -5,7 +5,6 @@ # Code generated by Microsoft (R) AutoRest Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -import datetime from typing import TYPE_CHECKING import warnings @@ -19,13 +18,13 @@ if TYPE_CHECKING: # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, List, Optional, TypeVar, Union + from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class BookmarkOperations(object): - """BookmarkOperations operations. +class ActionsOperations(object): + """ActionsOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. 
@@ -46,31 +45,33 @@ def __init__(self, client, config, serializer, deserializer): self._deserialize = deserializer self._config = config - def list( + def list_by_alert_rule( self, resource_group_name, # type: str workspace_name, # type: str + rule_id, # type: str **kwargs # type: Any ): - # type: (...) -> Iterable["models.BookmarkList"] - """Gets all bookmarks. + # type: (...) -> Iterable["models.ActionsList"] + """Gets all actions of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str + :param rule_id: Alert rule ID. + :type rule_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either BookmarkList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.BookmarkList] + :return: An iterator like instance of either ActionsList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.ActionsList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.BookmarkList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -80,11 +81,12 @@ def prepare_request(next_link=None): if not next_link: # Construct URL - url = self.list.metadata['url'] # type: ignore + url = self.list_by_alert_rule.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) # Construct parameters @@ -99,7 +101,7 @@ def prepare_request(next_link=None): return request def extract_data(pipeline_response): - deserialized = self._deserialize('BookmarkList', pipeline_response) + deserialized = self._deserialize('ActionsList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -120,45 +122,48 @@ def get_next(next_link=None): return ItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks'} # type: ignore + list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore def get( self, resource_group_name, # type: str workspace_name, # type: str - bookmark_id, # type: str + rule_id, # type: str + action_id, # type: str **kwargs # type: Any ): - # type: (...) -> "models.Bookmark" - """Gets a bookmark. + # type: (...) -> "models.ActionResponse" + """Gets the action of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str + :param rule_id: Alert rule ID. + :type rule_id: str + :param action_id: Action ID. 
+ :type action_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark + :return: ActionResponse, or the result of cls(response) + :rtype: ~security_insights.models.ActionResponse :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.get.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'actionId': self._serialize.url("action_id", action_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -178,74 +183,47 @@ def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('Bookmark', pipeline_response) + deserialized = self._deserialize('ActionResponse', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore def create_or_update( self, resource_group_name, # type: str workspace_name, # type: str - bookmark_id, # type: str - etag=None, # type: Optional[str] - created=None, # type: Optional[datetime.datetime] - display_name=None, # type: Optional[str] - labels=None, # type: Optional[List[str]] - notes=None, # type: Optional[str] - query=None, # type: Optional[str] - query_result=None, # type: Optional[str] - updated=None, # type: Optional[datetime.datetime] - incident_info=None, # type: Optional["models.IncidentInfo"] - object_id=None, # type: Optional[str] + rule_id, # type: str + action_id, # type: str + action, # type: "models.ActionRequest" **kwargs # type: Any ): - # type: (...) -> "models.Bookmark" - """Creates or updates the bookmark. + # type: (...) -> "models.ActionResponse" + """Creates or updates the action of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. 
:type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param created: The time the bookmark was created. - :type created: ~datetime.datetime - :param display_name: The display name of the bookmark. - :type display_name: str - :param labels: List of labels relevant to this bookmark. - :type labels: list[str] - :param notes: The notes of the bookmark. - :type notes: str - :param query: The query of the bookmark. - :type query: str - :param query_result: The query result of the bookmark. - :type query_result: str - :param updated: The last time the bookmark was updated. - :type updated: ~datetime.datetime - :param incident_info: Describes an incident that relates to bookmark. - :type incident_info: ~security_insights.models.IncidentInfo - :param object_id: The object id of the user. - :type object_id: str + :param rule_id: Alert rule ID. + :type rule_id: str + :param action_id: Action ID. + :type action_id: str + :param action: The action. 
+ :type action: ~security_insights.models.ActionRequest :keyword callable cls: A custom type or function that will be passed the direct response - :return: Bookmark, or the result of cls(response) - :rtype: ~security_insights.models.Bookmark + :return: ActionResponse, or the result of cls(response) + :rtype: ~security_insights.models.ActionResponse :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Bookmark"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - bookmark = models.Bookmark(etag=etag, created=created, display_name=display_name, labels=labels, notes=notes, query=query, query_result=query_result, updated=updated, incident_info=incident_info, object_id_updated_by_object_id=object_id) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" 
@@ -253,9 +231,10 @@ def create_or_update( url = self.create_or_update.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'actionId': self._serialize.url("action_id", action_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -269,7 +248,7 @@ def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(bookmark, 'Bookmark') + body_content = self._serialize.body(action, 'ActionRequest') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) 
@@ -280,34 +259,36 @@ def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('Bookmark', pipeline_response) + deserialized = self._deserialize('ActionResponse', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('Bookmark', pipeline_response) + deserialized = self._deserialize('ActionResponse', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore def delete( self, resource_group_name, # type: str workspace_name, # type: str - bookmark_id, # type: str + rule_id, # type: str + action_id, # type: str **kwargs # type: Any ): # type: (...) -> None - """Delete the bookmark. + """Delete the action of alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param bookmark_id: Bookmark ID. - :type bookmark_id: str + :param rule_id: Alert rule ID. + :type rule_id: str + :param action_id: Action ID. + :type action_id: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None 
@@ -318,16 +299,17 @@ def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.delete.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'bookmarkId': self._serialize.url("bookmark_id", bookmark_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'actionId': self._serialize.url("action_id", action_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -350,4 +332,4 @@ def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks/{bookmarkId}'} # type: ignore + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_templates_operations.py similarity index 95% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_templates_operations.py index 2dad458b3f7..17467b33513 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_template_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_templates_operations.py @@ -23,8 +23,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class AlertRuleTemplateOperations(object): - """AlertRuleTemplateOperations operations. +class AlertRuleTemplatesOperations(object): + """AlertRuleTemplatesOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -54,8 +54,7 @@ def list( # type: (...) -> Iterable["models.AlertRuleTemplatesList"] """Gets all alert rule templates. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str @@ -69,7 +68,7 @@ def list( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -82,7 +81,7 @@ def prepare_request(next_link=None): url = self.list.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), } url = self._client.format_url(url, **path_format_arguments) @@ -131,8 +130,7 @@ def get( # type: (...) -> "models.AlertRuleTemplate" """Gets the alert rule template. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str 
@@ -148,14 +146,14 @@ def get( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.get.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'alertRuleTemplateId': self._serialize.url("alert_rule_template_id", alert_rule_template_id, 'str'), } diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rules_operations.py similarity index 80% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rules_operations.py index cce78e5ae84..576a58c9026 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_data_connector_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rules_operations.py 
@@ -23,8 +23,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class DataConnectorOperations(object): - """DataConnectorOperations operations. +class AlertRulesOperations(object): + """AlertRulesOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -51,25 +51,24 @@ def list( workspace_name, # type: str **kwargs # type: Any ): - # type: (...) -> Iterable["models.DataConnectorList"] - """Gets all data connectors. + # type: (...) -> Iterable["models.AlertRulesList"] + """Gets all alert rules. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either DataConnectorList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.DataConnectorList] + :return: An iterator like instance of either AlertRulesList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.AlertRulesList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnectorList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -82,7 +81,7 @@ def prepare_request(next_link=None): url = self.list.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), } url = self._client.format_url(url, **path_format_arguments) @@ -98,7 +97,7 @@ def prepare_request(next_link=None): return request def extract_data(pipeline_response): - deserialized = self._deserialize('DataConnectorList', pipeline_response) + deserialized = self._deserialize('AlertRulesList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -119,45 +118,44 @@ def get_next(next_link=None): return ItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore def get( self, resource_group_name, # type: str workspace_name, # type: str - data_connector_id, # type: str + rule_id, # type: str **kwargs # type: Any ): - # type: (...) -> "models.DataConnector" - """Gets a data connector. + # type: (...) -> "models.AlertRule" + """Gets the alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str + :param rule_id: Alert rule ID. 
+ :type rule_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector + :return: AlertRule, or the result of cls(response) + :rtype: ~security_insights.models.AlertRule :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] + cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.get.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -177,45 +175,44 @@ def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('DataConnector', pipeline_response) + deserialized = self._deserialize('AlertRule', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore def create_or_update( self, resource_group_name, # type: str workspace_name, # type: str - data_connector_id, # type: str - data_connector, # type: "models.DataConnector" + rule_id, # type: str + alert_rule, # type: "models.AlertRule" **kwargs # type: Any ): - # type: (...) -> "models.DataConnector" - """Creates or updates the data connector. + # type: (...) -> "models.AlertRule" + """Creates or updates the alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str - :param data_connector: The data connector. - :type data_connector: ~security_insights.models.DataConnector + :param rule_id: Alert rule ID. + :type rule_id: str + :param alert_rule: The alert rule. 
+ :type alert_rule: ~security_insights.models.AlertRule :keyword callable cls: A custom type or function that will be passed the direct response - :return: DataConnector, or the result of cls(response) - :rtype: ~security_insights.models.DataConnector + :return: AlertRule, or the result of cls(response) + :rtype: ~security_insights.models.AlertRule :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.DataConnector"] + cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" @@ -223,12 +220,11 @@ def create_or_update( url = self.create_or_update.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) - print(url) # Construct parameters query_parameters = {} # type: Dict[str, Any] 
@@ -240,7 +236,7 @@ def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(data_connector, 'DataConnector') + body_content = self._serialize.body(alert_rule, 'AlertRule') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) 
@@ -251,34 +247,33 @@ def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('DataConnector', pipeline_response) + deserialized = self._deserialize('AlertRule', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('DataConnector', pipeline_response) + deserialized = self._deserialize('AlertRule', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore def delete( self, resource_group_name, # type: str workspace_name, # type: str - data_connector_id, # type: str + rule_id, # type: str **kwargs # type: Any ): # type: (...) -> None - """Delete the data connector. + """Delete the alert rule. - :param resource_group_name: The name of the resource group within the user's subscription. The - name is case insensitive. + :param resource_group_name: The name of the resource group. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param data_connector_id: Connector ID. - :type data_connector_id: str + :param rule_id: Alert rule ID. + :type rule_id: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None 
@@ -289,16 +284,16 @@ def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL url = self.delete.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), - 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'dataConnectorId': self._serialize.url("data_connector_id", data_connector_id, 'str'), + 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -321,4 +316,4 @@ def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}'} # type: ignore + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comments_operations.py similarity index 77% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comments_operations.py index ebed41e74ae..2e1d528ab6a 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comment_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_comments_operations.py @@ -18,13 +18,13 @@ if TYPE_CHECKING: # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar + from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class IncidentCommentOperations(object): - """IncidentCommentOperations operations. +class IncidentCommentsOperations(object): + """IncidentCommentsOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -57,7 +57,7 @@ def list_by_incident( **kwargs # type: Any ): # type: (...) -> Iterable["models.IncidentCommentList"] - """Gets all incident comments. + """Gets all comments for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -86,7 +86,7 @@ def list_by_incident( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): @@ -156,7 +156,7 @@ def get( **kwargs # type: Any ): # type: (...) -> "models.IncidentComment" - """Gets an incident comment. + """Gets a comment for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. @@ -177,7 +177,7 @@ def get( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL @@ -221,11 +221,11 @@ def create_comment( workspace_name, # type: str incident_id, # type: str incident_comment_id, # type: str - message=None, # type: Optional[str] + incident_comment, # type: "models.IncidentComment" **kwargs # type: Any ): # type: (...) -> "models.IncidentComment" - """Creates the incident comment. + """Creates or updates a comment for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. @@ -236,8 +236,8 @@ def create_comment( :type incident_id: str :param incident_comment_id: Incident comment ID. :type incident_comment_id: str - :param message: The comment message. - :type message: str + :param incident_comment: The incident comment. + :type incident_comment: ~security_insights.models.IncidentComment :keyword callable cls: A custom type or function that will be passed the direct response :return: IncidentComment, or the result of cls(response) :rtype: ~security_insights.models.IncidentComment 
@@ -248,9 +248,7 @@ def create_comment( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - incident_comment = models.IncidentComment(message=message) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" 
@@ -281,14 +279,83 @@ def create_comment( pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response - if response.status_code not in [201]: + if response.status_code not in [200, 201]: map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('IncidentComment', pipeline_response) + if response.status_code == 200: + deserialized = self._deserialize('IncidentComment', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('IncidentComment', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized create_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore + + def delete_comment( + self, + resource_group_name, # type: str + workspace_name, # type: str + incident_id, # type: str + incident_comment_id, # type: str + **kwargs # type: Any + ): + # type: (...) -> None + """Deletes a comment for a given incident. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param incident_id: Incident ID. + :type incident_id: str + :param incident_comment_id: Incident comment ID. 
+ :type incident_comment_id: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete_comment.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'incidentCommentId': self._serialize.url("incident_comment_id", incident_comment_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, 
error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete_comment.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_relations_operations.py similarity index 73% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_relations_operations.py index 0a2071ac198..adb54021752 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incident_relations_operations.py @@ -5,7 +5,6 @@ # Code generated by Microsoft (R) AutoRest Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -import datetime from typing import TYPE_CHECKING import warnings 
@@ -19,13 +18,13 @@ if TYPE_CHECKING: # pylint: disable=unused-import,ungrouped-imports - from typing import Any, Callable, Dict, Generic, Iterable, List, Optional, TypeVar, Union + from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class IncidentOperations(object): - """IncidentOperations operations. +class IncidentRelationsOperations(object): + """IncidentRelationsOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -50,20 +49,23 @@ def list( self, resource_group_name, # type: str workspace_name, # type: str + incident_id, # type: str filter=None, # type: Optional[str] orderby=None, # type: Optional[str] top=None, # type: Optional[int] skip_token=None, # type: Optional[str] **kwargs # type: Any ): - # type: (...) -> Iterable["models.IncidentList"] - """Gets all incidents. + # type: (...) -> Iterable["models.RelationList"] + """Gets all relations for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str + :param incident_id: Incident ID. + :type incident_id: str :param filter: Filters the results, based on a Boolean condition. Optional. :type filter: str :param orderby: Sorts the results. Optional. 
@@ -75,16 +77,16 @@ def list( a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. :type skip_token: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either IncidentList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.IncidentList] + :return: An iterator like instance of either RelationList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.RelationList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.RelationList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): @@ -99,6 +101,7 @@ def prepare_request(next_link=None): 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) # Construct parameters 
@@ -121,7 +124,7 @@ def prepare_request(next_link=None): return request def extract_data(pipeline_response): - deserialized = self._deserialize('IncidentList', pipeline_response) + deserialized = self._deserialize('RelationList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) @@ -142,17 +145,18 @@ def get_next(next_link=None): return ItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations'} # type: ignore - def get( + def get_relation( self, resource_group_name, # type: str workspace_name, # type: str incident_id, # type: str + relation_name, # type: str **kwargs # type: Any ): - # type: (...) -> "models.Incident" - """Gets an incident. + # type: (...) -> "models.Relation" + """Gets a relation for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -161,26 +165,29 @@ def get( :type workspace_name: str :param incident_id: Incident ID. :type incident_id: str + :param relation_name: Relation Name. + :type relation_name: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident + :return: Relation, or the result of cls(response) + :rtype: ~security_insights.models.Relation :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Relation"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.get.metadata['url'] # type: ignore + url = self.get_relation.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'relationName': self._serialize.url("relation_name", relation_name, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -200,35 +207,25 @@ def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('Incident', pipeline_response) + deserialized = self._deserialize('Relation', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore + get_relation.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}'} # type: ignore - def create_or_update( + def create_or_update_relation( self, resource_group_name, # type: str workspace_name, # type: str incident_id, # type: str - etag=None, # type: Optional[str] - classification=None, # type: Optional[Union[str, "models.IncidentClassification"]] - classification_comment=None, # type: Optional[str] - classification_reason=None, # type: Optional[Union[str, "models.IncidentClassificationReason"]] - description=None, # type: Optional[str] - first_activity_time_utc=None, # type: Optional[datetime.datetime] - labels=None, # type: Optional[List["models.IncidentLabel"]] - last_activity_time_utc=None, # type: Optional[datetime.datetime] - owner=None, # type: Optional["models.IncidentOwnerInfo"] - severity=None, # type: Optional[Union[str, "models.IncidentSeverity"]] - status=None, # type: Optional[Union[str, "models.IncidentStatus"]] - title=None, # type: Optional[str] + relation_name, # type: str + relation, # type: "models.Relation" **kwargs # type: Any ): - # type: (...) -> "models.Incident" - """Creates or updates the incident. + # type: (...) 
-> "models.Relation" + """Creates or updates a relation for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -237,53 +234,32 @@ def create_or_update( :type workspace_name: str :param incident_id: Incident ID. :type incident_id: str - :param etag: Etag of the azure resource. - :type etag: str - :param classification: The reason the incident was closed. - :type classification: str or ~security_insights.models.IncidentClassification - :param classification_comment: Describes the reason the incident was closed. - :type classification_comment: str - :param classification_reason: The classification reason the incident was closed with. - :type classification_reason: str or ~security_insights.models.IncidentClassificationReason - :param description: The description of the incident. - :type description: str - :param first_activity_time_utc: The time of the first activity in the incident. - :type first_activity_time_utc: ~datetime.datetime - :param labels: List of labels relevant to this incident. - :type labels: list[~security_insights.models.IncidentLabel] - :param last_activity_time_utc: The time of the last activity in the incident. - :type last_activity_time_utc: ~datetime.datetime - :param owner: Describes a user that the incident is assigned to. - :type owner: ~security_insights.models.IncidentOwnerInfo - :param severity: The severity of the incident. - :type severity: str or ~security_insights.models.IncidentSeverity - :param status: The status of the incident. - :type status: str or ~security_insights.models.IncidentStatus - :param title: The title of the incident. - :type title: str + :param relation_name: Relation Name. + :type relation_name: str + :param relation: The relation model. 
+ :type relation: ~security_insights.models.Relation :keyword callable cls: A custom type or function that will be passed the direct response - :return: Incident, or the result of cls(response) - :rtype: ~security_insights.models.Incident + :return: Relation, or the result of cls(response) + :rtype: ~security_insights.models.Relation :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Relation"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - incident = models.Incident(etag=etag, classification=classification, classification_comment=classification_comment, classification_reason=classification_reason, description=description, first_activity_time_utc=first_activity_time_utc, labels=labels, last_activity_time_utc=last_activity_time_utc, owner=owner, severity=severity, status=status, title=title) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" # Construct URL - url = self.create_or_update.metadata['url'] # type: ignore + url = self.create_or_update_relation.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'relationName': self._serialize.url("relation_name", relation_name, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -297,7 +273,7 @@ def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(incident, 'Incident') + body_content = self._serialize.body(relation, 'Relation') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) @@ -308,26 +284,27 @@ def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('Incident', pipeline_response) + deserialized = self._deserialize('Relation', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('Incident', pipeline_response) + deserialized = self._deserialize('Relation', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore + create_or_update_relation.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}'} # type: ignore - def delete( + def delete_relation( self, resource_group_name, # type: str workspace_name, # type: str incident_id, # type: str + relation_name, # type: str **kwargs # type: Any ): # type: (...) -> None - """Delete the incident. + """Deletes a relation for a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. 
@@ -336,6 +313,8 @@ def delete( :type workspace_name: str :param incident_id: Incident ID. :type incident_id: str + :param relation_name: Relation Name. + :type relation_name: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None @@ -346,16 +325,17 @@ def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.delete.metadata['url'] # type: ignore + url = self.delete_relation.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), + 'relationName': self._serialize.url("relation_name", relation_name, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -378,4 +358,4 @@ def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore + delete_relation.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incidents_operations.py similarity index 73% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incidents_operations.py index f91eef2b673..bfc95cfcb5e 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_alert_rule_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_incidents_operations.py @@ -23,8 +23,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class AlertRuleOperations(object): - """AlertRuleOperations operations. +class IncidentsOperations(object): + """IncidentsOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. 
@@ -49,27 +49,41 @@ def list( self, resource_group_name, # type: str workspace_name, # type: str + filter=None, # type: Optional[str] + orderby=None, # type: Optional[str] + top=None, # type: Optional[int] + skip_token=None, # type: Optional[str] **kwargs # type: Any ): - # type: (...) -> Iterable["models.AlertRulesList"] - """Gets all alert rules. + # type: (...) -> Iterable["models.IncidentList"] + """Gets all incidents. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str + :param filter: Filters the results, based on a Boolean condition. Optional. + :type filter: str + :param orderby: Sorts the results. Optional. + :type orderby: str + :param top: Returns only the first n results. Optional. + :type top: int + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
+ :type skip_token: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either AlertRulesList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.AlertRulesList] + :return: An iterator like instance of either IncidentList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.IncidentList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRulesList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): @@ -89,6 +103,14 @@ def prepare_request(next_link=None): # Construct parameters query_parameters = {} # type: Dict[str, Any] query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if filter is not None: + query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') + if orderby is not None: + query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') + if top is not None: + query_parameters['$top'] = self._serialize.query("top", top, 'int') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') request = self._client.get(url, query_parameters, header_parameters) else: @@ -98,7 +120,7 @@ def prepare_request(next_link=None): return request def extract_data(pipeline_response): - deserialized = self._deserialize('AlertRulesList', pipeline_response) + deserialized = self._deserialize('IncidentList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -119,36 +141,36 @@ def get_next(next_link=None): return ItemPaged( get_next, extract_data ) - list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents'} # type: ignore def get( self, resource_group_name, # type: str workspace_name, # type: str - rule_id, # type: str + incident_id, # type: str **kwargs # type: Any ): - # type: (...) -> "models.AlertRule" - """Gets the alert rule. + # type: (...) -> "models.Incident" + """Gets a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule + :return: Incident, or the result of cls(response) + :rtype: ~security_insights.models.Incident :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL 
@@ -157,7 +179,7 @@ def get( 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -177,45 +199,45 @@ def get( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('AlertRule', pipeline_response) + deserialized = self._deserialize('Incident', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore def create_or_update( self, resource_group_name, # type: str workspace_name, # type: str - rule_id, # type: str - alert_rule, # type: "models.AlertRule" + incident_id, # type: str + incident, # type: "models.Incident" **kwargs # type: Any ): - # type: (...) -> "models.AlertRule" - """Creates or updates the alert rule. + # type: (...) -> "models.Incident" + """Creates or updates an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param alert_rule: The alert rule. - :type alert_rule: ~security_insights.models.AlertRule + :param incident_id: Incident ID. + :type incident_id: str + :param incident: The incident. 
+ :type incident: ~security_insights.models.Incident :keyword callable cls: A custom type or function that will be passed the direct response - :return: AlertRule, or the result of cls(response) - :rtype: ~security_insights.models.AlertRule + :return: Incident, or the result of cls(response) + :rtype: ~security_insights.models.Incident :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.AlertRule"] + cls = kwargs.pop('cls', None) # type: ClsType["models.Incident"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" content_type = kwargs.pop("content_type", "application/json") accept = "application/json" @@ -225,7 +247,7 @@ def create_or_update( 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -239,7 +261,7 @@ def create_or_update( header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(alert_rule, 'AlertRule') + body_content = self._serialize.body(incident, 'Incident') body_content_kwargs['content'] = body_content request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) 
@@ -250,34 +272,34 @@ def create_or_update( raise HttpResponseError(response=response, error_format=ARMErrorFormat) if response.status_code == 200: - deserialized = self._deserialize('AlertRule', pipeline_response) + deserialized = self._deserialize('Incident', pipeline_response) if response.status_code == 201: - deserialized = self._deserialize('AlertRule', pipeline_response) + deserialized = self._deserialize('Incident', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore def delete( self, resource_group_name, # type: str workspace_name, # type: str - rule_id, # type: str + incident_id, # type: str **kwargs # type: Any ): # type: (...) -> None - """Delete the alert rule. + """Deletes a given incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response :return: None, or the result of cls(response) :rtype: None 
@@ -288,7 +310,7 @@ def delete( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL @@ -297,7 +319,7 @@ def delete( 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -320,49 +342,45 @@ def delete( if cls: return cls(pipeline_response, None, {}) - delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}'} # type: ignore + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}'} # type: ignore - def get_action( + def list_of_alerts( self, resource_group_name, # type: str workspace_name, # type: str - rule_id, # type: str - action_id, # type: str + incident_id, # type: str **kwargs # type: Any ): - # type: (...) -> "models.ActionResponse" - """Gets the action of alert rule. + # type: (...) -> "models.IncidentAlertList" + """Gets all alerts for an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str + :param incident_id: Incident ID. 
+ :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse + :return: IncidentAlertList, or the result of cls(response) + :rtype: ~security_insights.models.IncidentAlertList :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentAlertList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.get_action.metadata['url'] # type: ignore + url = self.list_of_alerts.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -374,7 +392,7 @@ def get_action( header_parameters = {} # type: Dict[str, Any] header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - request = self._client.get(url, query_parameters, header_parameters) + request = self._client.post(url, query_parameters, header_parameters) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response 
@@ -382,69 +400,51 @@ def get_action( map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - deserialized = self._deserialize('ActionResponse', pipeline_response) + deserialized = self._deserialize('IncidentAlertList', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - get_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore + list_of_alerts.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts'} # type: ignore - def create_or_update_action( + def list_of_bookmarks( self, resource_group_name, # type: str workspace_name, # type: str - rule_id, # type: str - action_id, # type: str - etag=None, # type: Optional[str] - logic_app_resource_id=None, # type: Optional[str] - trigger_uri=None, # type: Optional[str] + incident_id, # type: str **kwargs # type: Any ): - # type: (...) -> "models.ActionResponse" - """Creates or updates the action of alert rule. + # type: (...) -> "models.IncidentBookmarkList" + """Gets all bookmarks for an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str - :param etag: Etag of the azure resource. 
- :type etag: str - :param logic_app_resource_id: Logic App Resource Id, /subscriptions/{my- - subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my- - workflow-id}. - :type logic_app_resource_id: str - :param trigger_uri: Logic App Callback URL for this specific workflow. - :type trigger_uri: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: ActionResponse, or the result of cls(response) - :rtype: ~security_insights.models.ActionResponse + :return: IncidentBookmarkList, or the result of cls(response) + :rtype: ~security_insights.models.IncidentBookmarkList :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionResponse"] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentBookmarkList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - - action = models.ActionRequest(etag=etag, logic_app_resource_id=logic_app_resource_id, trigger_uri=trigger_uri) - api_version = "2020-01-01" - content_type = kwargs.pop("content_type", "application/json") + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.create_or_update_action.metadata['url'] # type: ignore + url = self.list_of_bookmarks.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), - 
'actionId': self._serialize.url("action_id", action_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) 
@@ -454,73 +454,61 @@ def create_or_update_action( # Construct headers header_parameters = {} # type: Dict[str, Any] - header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - body_content_kwargs = {} # type: Dict[str, Any] - body_content = self._serialize.body(action, 'ActionRequest') - body_content_kwargs['content'] = body_content - request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + request = self._client.post(url, query_parameters, header_parameters) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response - if response.status_code not in [200, 201]: + if response.status_code not in [200]: map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) - if response.status_code == 200: - deserialized = self._deserialize('ActionResponse', pipeline_response) - - if response.status_code == 201: - deserialized = self._deserialize('ActionResponse', pipeline_response) + deserialized = self._deserialize('IncidentBookmarkList', pipeline_response) if cls: return cls(pipeline_response, deserialized, {}) return deserialized - create_or_update_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore + list_of_bookmarks.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks'} # type: ignore - def delete_action( + def list_of_entities( self, resource_group_name, # type: str workspace_name, # type: str - 
rule_id, # type: str - action_id, # type: str + incident_id, # type: str **kwargs # type: Any ): - # type: (...) -> None - """Delete the action of alert rule. + # type: (...) -> "models.IncidentEntitiesResponse" + """Gets all entities for an incident. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str - :param action_id: Action ID. - :type action_id: str + :param incident_id: Incident ID. + :type incident_id: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: None, or the result of cls(response) - :rtype: None + :return: IncidentEntitiesResponse, or the result of cls(response) + :rtype: ~security_insights.models.IncidentEntitiesResponse :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType[None] + cls = kwargs.pop('cls', None) # type: ClsType["models.IncidentEntitiesResponse"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" # Construct URL - url = self.delete_action.metadata['url'] # type: ignore + url = self.list_of_entities.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 
'str'), - 'actionId': self._serialize.url("action_id", action_id, 'str'), + 'incidentId': self._serialize.url("incident_id", incident_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) @@ -532,15 +520,18 @@ def delete_action( header_parameters = {} # type: Dict[str, Any] header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') - request = self._client.delete(url, query_parameters, header_parameters) + request = self._client.post(url, query_parameters, header_parameters) pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) response = pipeline_response.http_response - if response.status_code not in [200, 204]: + if response.status_code not in [200]: map_error(status_code=response.status_code, response=response, error_map=error_map) raise HttpResponseError(response=response, error_format=ARMErrorFormat) + deserialized = self._deserialize('IncidentEntitiesResponse', pipeline_response) + if cls: - return cls(pipeline_response, None, {}) + return cls(pipeline_response, deserialized, {}) - delete_action.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}'} # type: ignore + return deserialized + list_of_entities.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operations.py similarity index 97% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operations.py index b1d3c09bbf3..cd605ece51f 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operation_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_operations.py @@ -23,8 +23,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class OperationOperations(object): - """OperationOperations operations. +class Operations(object): + """Operations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. @@ -62,7 +62,7 @@ def list( 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_metrics_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_metrics_operations.py new file mode 100644 index 00000000000..2425c5bc9f3 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_metrics_operations.py 
@@ -0,0 +1,110 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import TYPE_CHECKING +import warnings + +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import HttpRequest, HttpResponse +from azure.mgmt.core.exceptions import ARMErrorFormat + +from .. import models + +if TYPE_CHECKING: + # pylint: disable=unused-import,ungrouped-imports + from typing import Any, Callable, Dict, Generic, Optional, TypeVar + + T = TypeVar('T') + ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] + +class ThreatIntelligenceIndicatorMetricsOperations(object): + """ThreatIntelligenceIndicatorMetricsOperations operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer): + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + def list( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + **kwargs # type: Any + ): + # type: (...) -> "models.ThreatIntelligenceMetricsList" + """Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source). + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceMetricsList, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceMetricsList + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceMetricsList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.list.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 
'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('ThreatIntelligenceMetricsList', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_operations.py new file mode 100644 index 00000000000..ad4bfe39c21 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicator_operations.py 
@@ -0,0 +1,586 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import TYPE_CHECKING +import warnings + +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.paging import ItemPaged +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import HttpRequest, HttpResponse +from azure.mgmt.core.exceptions import ARMErrorFormat + +from .. import models + +if TYPE_CHECKING: + # pylint: disable=unused-import,ungrouped-imports + from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union + + T = TypeVar('T') + ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] + +class ThreatIntelligenceIndicatorOperations(object): + """ThreatIntelligenceIndicatorOperations operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer): + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + def create_indicator( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + threat_intelligence_properties, # type: "models.ThreatIntelligenceIndicatorModelForRequestBody" + **kwargs # type: Any + ): + # type: (...) -> "models.ThreatIntelligenceInformation" + """Create a new threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param threat_intelligence_properties: Properties of threat intelligence indicators to create + and update. 
+ :type threat_intelligence_properties: ~security_insights.models.ThreatIntelligenceIndicatorModelForRequestBody + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create_indicator.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] 
+ body_content = self._serialize.body(threat_intelligence_properties, 'ThreatIntelligenceIndicatorModelForRequestBody') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create_indicator.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator'} # type: ignore + + def get( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + name, # type: str + **kwargs # type: Any + ): + # type: (...) -> "models.ThreatIntelligenceInformation" + """View a threat intelligence indicator by name. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. 
+ :type name: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.get.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + 
map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}'} # type: ignore + + def create( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + name, # type: str + threat_intelligence_properties, # type: "models.ThreatIntelligenceIndicatorModelForRequestBody" + **kwargs # type: Any + ): + # type: (...) -> "models.ThreatIntelligenceInformation" + """Update a threat Intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. + :type name: str + :param threat_intelligence_properties: Properties of threat intelligence indicators to create + and update. 
+ :type threat_intelligence_properties: ~security_insights.models.ThreatIntelligenceIndicatorModelForRequestBody + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + 
body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_properties, 'ThreatIntelligenceIndicatorModelForRequestBody') + body_content_kwargs['content'] = body_content + request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}'} # type: ignore + + def delete( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + name, # type: str + **kwargs # type: Any + ): + # type: (...) -> None + """Delete a threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. 
+ :type name: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise 
HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}'} # type: ignore + + def query_indicators( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + threat_intelligence_filtering_criteria, # type: "models.ThreatIntelligenceFilteringCriteria" + **kwargs # type: Any + ): + # type: (...) -> Iterable["models.ThreatIntelligenceInformationList"] + """Query threat intelligence indicators as per filtering criteria. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param threat_intelligence_filtering_criteria: Filtering criteria for querying threat + intelligence indicators. 
+ :type threat_intelligence_filtering_criteria: ~security_insights.models.ThreatIntelligenceFilteringCriteria + :keyword callable cls: A custom type or function that will be passed the direct response + :return: An iterator like instance of either ThreatIntelligenceInformationList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.ThreatIntelligenceInformationList] + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformationList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = "application/json" + accept = "application/json" + + def prepare_request(next_link=None): + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + if not next_link: + # Construct URL + url = self.query_indicators.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = 
self._serialize.query("api_version", api_version, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_filtering_criteria, 'ThreatIntelligenceFilteringCriteria') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + else: + url = next_link + query_parameters = {} # type: Dict[str, Any] + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_filtering_criteria, 'ThreatIntelligenceFilteringCriteria') + body_content_kwargs['content'] = body_content + request = self._client.get(url, query_parameters, header_parameters, **body_content_kwargs) + return request + + def extract_data(pipeline_response): + deserialized = self._deserialize('ThreatIntelligenceInformationList', pipeline_response) + list_of_elem = deserialized.value + if cls: + list_of_elem = cls(list_of_elem) + return deserialized.next_link or None, iter(list_of_elem) + + def get_next(next_link=None): + request = prepare_request(next_link) + + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + return pipeline_response + + return ItemPaged( + get_next, extract_data + ) + query_indicators.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators'} # type: ignore + + def append_tags( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + name, # type: str + 
threat_intelligence_append_tags, # type: "models.ThreatIntelligenceAppendTags" + **kwargs # type: Any + ): + # type: (...) -> None + """Append tags to a threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. + :type name: str + :param threat_intelligence_append_tags: The threat intelligence append tags request body. + :type threat_intelligence_append_tags: ~security_insights.models.ThreatIntelligenceAppendTags + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.append_tags.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 
'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_append_tags, 'ThreatIntelligenceAppendTags') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + append_tags.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/appendTags'} # type: ignore + + def replace_tags( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + name, # type: str + threat_intelligence_replace_tags, # type: "models.ThreatIntelligenceIndicatorModelForRequestBody" + **kwargs # type: Any + ): + # type: (...) 
-> "models.ThreatIntelligenceInformation" + """Replace tags added to a threat intelligence indicator. + + :param resource_group_name: The name of the resource group within the user's subscription. The + name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param name: Threat intelligence indicator name field. + :type name: str + :param threat_intelligence_replace_tags: Tags in the threat intelligence indicator to be + replaced. + :type threat_intelligence_replace_tags: ~security_insights.models.ThreatIntelligenceIndicatorModelForRequestBody + :keyword callable cls: A custom type or function that will be passed the direct response + :return: ThreatIntelligenceInformation, or the result of cls(response) + :rtype: ~security_insights.models.ThreatIntelligenceInformation + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformation"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.replace_tags.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': 
self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'name': self._serialize.url("name", name, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(threat_intelligence_replace_tags, 'ThreatIntelligenceIndicatorModelForRequestBody') + body_content_kwargs['content'] = body_content + request = self._client.post(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('ThreatIntelligenceInformation', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + replace_tags.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}/replaceTags'} # type: ignore 
diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicators_operations.py similarity index 64% rename from src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py rename to src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicators_operations.py index a0eaa43cf9a..f447b51bd2f 100644 --- a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_action_operations.py +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_threat_intelligence_indicators_operations.py @@ -23,8 +23,8 @@ T = TypeVar('T') ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] -class ActionOperations(object): - """ActionOperations operations. +class ThreatIntelligenceIndicatorsOperations(object): + """ThreatIntelligenceIndicatorsOperations operations. You should not instantiate this class directly. Instead, you should create a Client instance that instantiates it for you and attaches it as an attribute. 
@@ -45,34 +45,49 @@ def __init__(self, client, config, serializer, deserializer): self._deserialize = deserializer self._config = config - def list_by_alert_rule( + def list( self, resource_group_name, # type: str + operational_insights_resource_provider, # type: str workspace_name, # type: str - rule_id, # type: str + filter=None, # type: Optional[str] + top=None, # type: Optional[int] + skip_token=None, # type: Optional[str] + orderby=None, # type: Optional[str] **kwargs # type: Any ): - # type: (...) -> Iterable["models.ActionsList"] - """Gets all actions of alert rule. + # type: (...) -> Iterable["models.ThreatIntelligenceInformationList"] + """Get all threat intelligence indicators. :param resource_group_name: The name of the resource group within the user's subscription. The name is case insensitive. :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str :param workspace_name: The name of the workspace. :type workspace_name: str - :param rule_id: Alert rule ID. - :type rule_id: str + :param filter: Filters the results, based on a Boolean condition. Optional. + :type filter: str + :param top: Returns only the first n results. Optional. + :type top: int + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. + :type skip_token: str + :param orderby: Sorts the results. Optional. 
+ :type orderby: str :keyword callable cls: A custom type or function that will be passed the direct response - :return: An iterator like instance of either ActionsList or the result of cls(response) - :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.ActionsList] + :return: An iterator like instance of either ThreatIntelligenceInformationList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.ThreatIntelligenceInformationList] :raises: ~azure.core.exceptions.HttpResponseError """ - cls = kwargs.pop('cls', None) # type: ClsType["models.ActionsList"] + cls = kwargs.pop('cls', None) # type: ClsType["models.ThreatIntelligenceInformationList"] error_map = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError } error_map.update(kwargs.pop('error_map', {})) - api_version = "2020-01-01" + api_version = "2021-10-01" accept = "application/json" def prepare_request(next_link=None): 
@@ -82,17 +97,25 @@ def prepare_request(next_link=None): if not next_link: # Construct URL - url = self.list_by_alert_rule.metadata['url'] # type: ignore + url = self.list.metadata['url'] # type: ignore path_format_arguments = { 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1, pattern=r'^[-\w\._\(\)]+$'), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), - 'ruleId': self._serialize.url("rule_id", rule_id, 'str'), } url = self._client.format_url(url, **path_format_arguments) # Construct parameters query_parameters = {} # type: Dict[str, Any] query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if filter is not None: + query_parameters['$filter'] = self._serialize.query("filter", filter, 'str') + if top is not None: + query_parameters['$top'] = self._serialize.query("top", top, 'int') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') + if orderby is not None: + query_parameters['$orderby'] = self._serialize.query("orderby", orderby, 'str') request = self._client.get(url, query_parameters, header_parameters) else: @@ -102,7 +125,7 @@ def prepare_request(next_link=None): return request def extract_data(pipeline_response): - deserialized = self._deserialize('ActionsList', pipeline_response) + deserialized = self._deserialize('ThreatIntelligenceInformationList', pipeline_response) list_of_elem = deserialized.value if cls: list_of_elem = cls(list_of_elem) 
@@ -123,4 +146,4 @@ def get_next(next_link=None): return ItemPaged( get_next, extract_data ) - list_by_alert_rule.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions'} # type: ignore + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlist_items_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlist_items_operations.py new file mode 100644 index 00000000000..90bb60386e9 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlist_items_operations.py 
@@ -0,0 +1,362 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import TYPE_CHECKING +import warnings + +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.paging import ItemPaged +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import HttpRequest, HttpResponse +from azure.mgmt.core.exceptions import ARMErrorFormat + +from .. import models + +if TYPE_CHECKING: + # pylint: disable=unused-import,ungrouped-imports + from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union + + T = TypeVar('T') + ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] + +class WatchlistItemsOperations(object): + """WatchlistItemsOperations operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer): + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + def list( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + skip_token=None, # type: Optional[str] + **kwargs # type: Any + ): + # type: (...) -> Iterable["models.WatchlistItemList"] + """Get all watchlist Items. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
+ :type skip_token: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: An iterator like instance of either WatchlistItemList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.WatchlistItemList] + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistItemList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + def prepare_request(next_link=None): + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + if not next_link: + # Construct URL + url = self.list.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') + + request = self._client.get(url, query_parameters, 
header_parameters) + else: + url = next_link + query_parameters = {} # type: Dict[str, Any] + request = self._client.get(url, query_parameters, header_parameters) + return request + + def extract_data(pipeline_response): + deserialized = self._deserialize('WatchlistItemList', pipeline_response) + list_of_elem = deserialized.value + if cls: + list_of_elem = cls(list_of_elem) + return deserialized.next_link or None, iter(list_of_elem) + + def get_next(next_link=None): + request = prepare_request(next_link) + + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + return pipeline_response + + return ItemPaged( + get_next, extract_data + ) + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems'} # type: ignore + + def get( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + watchlist_item_id, # type: str + **kwargs # type: Any + ): + # type: (...) -> "models.WatchlistItem" + """Get a watchlist item. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. 
+ :type watchlist_alias: str + :param watchlist_item_id: The watchlist item id (GUID). + :type watchlist_item_id: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: WatchlistItem, or the result of cls(response) + :rtype: ~security_insights.models.WatchlistItem + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistItem"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.get.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + 'watchlistItemId': self._serialize.url("watchlist_item_id", watchlist_item_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = 
self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('WatchlistItem', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}'} # type: ignore + + def delete( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + watchlist_item_id, # type: str + **kwargs # type: Any + ): + # type: (...) -> None + """Delete a watchlist item. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist_item_id: The watchlist item id (GUID). 
+ :type watchlist_item_id: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + 'watchlistItemId': self._serialize.url("watchlist_item_id", watchlist_item_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + 
map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}'} # type: ignore + + def create_or_update( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + watchlist_item_id, # type: str + watchlist_item, # type: "models.WatchlistItem" + **kwargs # type: Any + ): + # type: (...) -> "models.WatchlistItem" + """Create or update a watchlist item. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist_item_id: The watchlist item id (GUID). + :type watchlist_item_id: str + :param watchlist_item: The watchlist item. 
+ :type watchlist_item: ~security_insights.models.WatchlistItem + :keyword callable cls: A custom type or function that will be passed the direct response + :return: WatchlistItem, or the result of cls(response) + :rtype: ~security_insights.models.WatchlistItem + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistItem"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create_or_update.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + 'watchlistItemId': self._serialize.url("watchlist_item_id", watchlist_item_id, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + 
body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(watchlist_item, 'WatchlistItem') + body_content_kwargs['content'] = body_content + request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('WatchlistItem', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('WatchlistItem', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}'} # type: ignore diff --git a/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlists_operations.py b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlists_operations.py new file mode 100644 index 00000000000..d151cd48cb1 --- /dev/null +++ b/src/securityinsight/azext_sentinel/vendored_sdks/securityinsight/operations/_watchlists_operations.py 
@@ -0,0 +1,348 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) AutoRest Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from typing import TYPE_CHECKING +import warnings + +from azure.core.exceptions import ClientAuthenticationError, HttpResponseError, ResourceExistsError, ResourceNotFoundError, map_error +from azure.core.paging import ItemPaged +from azure.core.pipeline import PipelineResponse +from azure.core.pipeline.transport import HttpRequest, HttpResponse +from azure.mgmt.core.exceptions import ARMErrorFormat + +from .. import models + +if TYPE_CHECKING: + # pylint: disable=unused-import,ungrouped-imports + from typing import Any, Callable, Dict, Generic, Iterable, Optional, TypeVar, Union + + T = TypeVar('T') + ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] + +class WatchlistsOperations(object): + """WatchlistsOperations operations. + + You should not instantiate this class directly. Instead, you should create a Client instance that + instantiates it for you and attaches it as an attribute. + + :ivar models: Alias to model classes used in this operation group. + :type models: ~security_insights.models + :param client: Client for service requests. + :param config: Configuration of service client. + :param serializer: An object model serializer. + :param deserializer: An object model deserializer. 
+ """ + + models = models + + def __init__(self, client, config, serializer, deserializer): + self._client = client + self._serialize = serializer + self._deserialize = deserializer + self._config = config + + def list( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + skip_token=None, # type: Optional[str] + **kwargs # type: Any + ): + # type: (...) -> Iterable["models.WatchlistList"] + """Get all watchlists, without watchlist items. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param skip_token: Skiptoken is only used if a previous operation returned a partial result. If + a previous response contains a nextLink element, the value of the nextLink element will include + a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. 
+ :type skip_token: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: An iterator like instance of either WatchlistList or the result of cls(response) + :rtype: ~azure.core.paging.ItemPaged[~security_insights.models.WatchlistList] + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.WatchlistList"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + def prepare_request(next_link=None): + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + if not next_link: + # Construct URL + url = self.list.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + } + url = self._client.format_url(url, **path_format_arguments) + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + if skip_token is not None: + query_parameters['$skipToken'] = self._serialize.query("skip_token", skip_token, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + else: + url = next_link + query_parameters = {} # type: Dict[str, Any] + 
request = self._client.get(url, query_parameters, header_parameters) + return request + + def extract_data(pipeline_response): + deserialized = self._deserialize('WatchlistList', pipeline_response) + list_of_elem = deserialized.value + if cls: + list_of_elem = cls(list_of_elem) + return deserialized.next_link or None, iter(list_of_elem) + + def get_next(next_link=None): + request = prepare_request(next_link) + + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + return pipeline_response + + return ItemPaged( + get_next, extract_data + ) + list.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists'} # type: ignore + + def get( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + **kwargs # type: Any + ): + # type: (...) -> "models.Watchlist" + """Get a watchlist, without its watchlist items. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. 
+ :type watchlist_alias: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: Watchlist, or the result of cls(response) + :rtype: ~security_insights.models.Watchlist + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.Watchlist"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.get.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.get(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200]: + map_error(status_code=response.status_code, response=response, 
error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + deserialized = self._deserialize('Watchlist', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + get.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}'} # type: ignore + + def delete( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + **kwargs # type: Any + ): + # type: (...) -> None + """Delete a watchlist. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. 
+ :type watchlist_alias: str + :keyword callable cls: A custom type or function that will be passed the direct response + :return: None, or the result of cls(response) + :rtype: None + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType[None] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + accept = "application/json" + + # Construct URL + url = self.delete.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + request = self._client.delete(url, query_parameters, header_parameters) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 204]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise 
HttpResponseError(response=response, error_format=ARMErrorFormat) + + if cls: + return cls(pipeline_response, None, {}) + + delete.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}'} # type: ignore + + def create_or_update( + self, + resource_group_name, # type: str + operational_insights_resource_provider, # type: str + workspace_name, # type: str + watchlist_alias, # type: str + watchlist, # type: "models.Watchlist" + **kwargs # type: Any + ): + # type: (...) -> "models.Watchlist" + """Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv + content type). To create a Watchlist and its Items, we should call this endpoint with + rawContent and contentType properties. + + :param resource_group_name: The name of the resource group. The name is case insensitive. + :type resource_group_name: str + :param operational_insights_resource_provider: The namespace of workspaces resource provider- + Microsoft.OperationalInsights. + :type operational_insights_resource_provider: str + :param workspace_name: The name of the workspace. + :type workspace_name: str + :param watchlist_alias: The watchlist alias. + :type watchlist_alias: str + :param watchlist: The watchlist. 
+ :type watchlist: ~security_insights.models.Watchlist + :keyword callable cls: A custom type or function that will be passed the direct response + :return: Watchlist, or the result of cls(response) + :rtype: ~security_insights.models.Watchlist + :raises: ~azure.core.exceptions.HttpResponseError + """ + cls = kwargs.pop('cls', None) # type: ClsType["models.Watchlist"] + error_map = { + 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError + } + error_map.update(kwargs.pop('error_map', {})) + api_version = "2021-10-01" + content_type = kwargs.pop("content_type", "application/json") + accept = "application/json" + + # Construct URL + url = self.create_or_update.metadata['url'] # type: ignore + path_format_arguments = { + 'subscriptionId': self._serialize.url("self._config.subscription_id", self._config.subscription_id, 'str', pattern=r'^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$'), + 'resourceGroupName': self._serialize.url("resource_group_name", resource_group_name, 'str', max_length=90, min_length=1), + 'operationalInsightsResourceProvider': self._serialize.url("operational_insights_resource_provider", operational_insights_resource_provider, 'str'), + 'workspaceName': self._serialize.url("workspace_name", workspace_name, 'str', max_length=90, min_length=1), + 'watchlistAlias': self._serialize.url("watchlist_alias", watchlist_alias, 'str'), + } + url = self._client.format_url(url, **path_format_arguments) + + # Construct parameters + query_parameters = {} # type: Dict[str, Any] + query_parameters['api-version'] = self._serialize.query("api_version", api_version, 'str') + + # Construct headers + header_parameters = {} # type: Dict[str, Any] + header_parameters['Content-Type'] = self._serialize.header("content_type", content_type, 'str') + header_parameters['Accept'] = self._serialize.header("accept", accept, 'str') + + body_content_kwargs = {} # type: Dict[str, Any] + body_content = self._serialize.body(watchlist, 'Watchlist') 
+ body_content_kwargs['content'] = body_content + request = self._client.put(url, query_parameters, header_parameters, **body_content_kwargs) + pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs) + response = pipeline_response.http_response + + if response.status_code not in [200, 201]: + map_error(status_code=response.status_code, response=response, error_map=error_map) + raise HttpResponseError(response=response, error_format=ARMErrorFormat) + + if response.status_code == 200: + deserialized = self._deserialize('Watchlist', pipeline_response) + + if response.status_code == 201: + deserialized = self._deserialize('Watchlist', pipeline_response) + + if cls: + return cls(pipeline_response, deserialized, {}) + + return deserialized + create_or_update.metadata = {'url': '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}'} # type: ignore 
diff --git a/src/securityinsight/gen.zip b/src/securityinsight/gen.zip deleted file mode 100644 index a6dbc93f1dd0ce17bd4dff9ffe244d39383b1b0f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18866 zcmeHPOLODK5nd-w4!R_V_GrHvsV<2=KM?u4IS16iJ}Fr_s~X-P6-E=b!)d*GZ9;tV04W>d* znYJVsV-|RReKLDY=$*ax9+MM)G7G%HRY(r_A$jHTz?Z%o;(9Rg0~UJzxK56TLlOZ= z5(p`R8{yP}`_cnjQaEHfc0@qJD?whJT_%_7x4QQ@V$Ts|AjSf$pdovfWAWhiAvvCg{%eQ|`~vWK4Cn`nyOS$69tcTB zY(_YnN&)KJ4+7P+Ew0#&=Ldw19dhg8@oYhcKInLE#3NVaJP9&^NSjww?@ab|Z_gV+ z#3AwJo*Vch!oHmbqRxk2JyJX8n#=(%=DmN32aQ4N_2ga{%&ZX`PucJZ3798^<+)Gr zyhCnr{{~_kh&9w9K7Sf;@jURSlk-4KSRjJEy}iq)7nj!Q*=y1VhxG{yujhmD^ z{f+O9(;vxA%W}P;u&l!;WWQeDKRg7j$K>hwhDZ@kCwre}EblqOjjtZ4N5&Hj4v+Q- zUK1u|jQ7{$SLZLE9+Ac|SIQ_G0}(c!i;yt%8jG(H-^EV>Sq9Ugs4q7Wiiu^-fh`b- z-XM@(^Ia<K3MZWlz;McPM<=690$%Lz<_ZqCo#$*~cP6D9}7{LgcPMqi~BhRK19k7X@ z6)`19X@S^=!c;g^ArT%mULqWUBA*{LVE5PTYV;p}Y8JqM~EsfN-6)mN26Z9xN?cc%iQ z#6eLx=ZnIsM~u-(Z@}5If_(K=t=ZPJUPsI|LxaX7I?{Gox9ch$0obz4;jNr04=IdV zD1v@16%08U`csD-PbP45v5acO@gy{BHdicVH@xv6xvIwJ_n z|F9}`0qf&{7iVh|V%(hq$%KhgEzt~3vt6w>wAY0fJ9~Amassi<7Ag{n1mnk8nmvM1s13z?U&s#4hz0wfW_VK(y!J zTJscF4eeD8eh2OxnEl!d#B0ln8X`g)h=BUQWuXsMeI6Oo;1YpQjU>0jD_Ev0f9Uiz z;t0tDZ=(3`L-iMxSE)^Njk?O|WCC)^FHmP1hl|OBkSo1%Z4|;@vp@n*u14WSB+K}Cu4DVSCm5F!9pefVTG~l@x%6eZWxv79v z5fWaQFUGd! 
z9}I&?VQ-a?%!baYE_$HB+vPlIm(Ktv;w4E&PpuG~VR2$9$sA{Zm4H;zoo1J@vRTWf9d@@ap-kR+ zXPL@;z1Lh2_tx3KOy2jwWq#)S*CU3Mdv&7Ro`Y1WVRAo8k6UrNTUvf#&2#M*vl5UE z!-@pFI(L2-Gy9lRC^Dv~NRjFIf2kWsdh5v0{#K^A`GgXwy_%7P&oba4v&B%7+9ez4 zYwja0Rh;QkIz}oE=+AttMiNHkR8BnZ`AEvCP~irdvofqG3rA|nj2u(F*{TNEa&YcHMg&F@r2vRL=C*s{gmYCe6XxrML`(>pIL0Kw| z^};9wWT`;5mB*@BED`d<8LX!)WGDW3jAaiWdD*Jf;xYM?>!PZ|XtxL!kQw0#PL<#l zR0_1k%CW+uDPpw;^do*~0X$wo-X`OX8JUv)l$gKDA#mR2Ho*8o{xuxWSGM2frZ8+{0g;^D&FG9s4ZyRn8 z{X}`wF(~?~iH;NKT+Wf=@AVkdO9PMh>MKtnl9NOtxv3C&b#i>Mv&=V}0ximH3(4BO zwxj8$L+utv83jY=*h9qyW$aOc6l#=>i+dv3)8otYf@muym`XyazDASF4QD$$ zi&ksf2IqE{>PFY3CUliD!8^3uYPxNw)zPt#bALs9c~+3?hRz`~6QTE>tpqpBmhGCD z#J5l$ zly-?q;NnQ%T*$5OIU0D-7WAFxHE><+?^(dRF0y{eaH}v)e`hhr^mY>Ts`>h&WqCL= zwX`PGAE}zU#d$jx5R)QWLsp-Ia_qZ*n=5(2DI84JtWF@h8sl|VccM7mZnd z%SzT;>+IPMhOF9v-Njm4t~47eB2Y|UG{h*qG1vU7==o!VKl-!7_=i0XFBSa#L6m#EN3 zEz;2ti*9rp^5Qb1rd2I7;*mGOuUw||Z?V6S__o@Wh%uz{x@OxI0vn1<%|X7(Y}1}- z+O((hX3x}ZmvykAsF>-c*pm{M=#z>PeL%$91ZoJ=v2n7D1~vy^50qLgO@?N|;>Ys~jdB!Yj8XRN|HkD|_0E{F-|5$`(@F zos~7_t@j$dwI#*n`0?;r_i#(2HDfV1UdvioC~RBZ%mQe+S|r5)k#cQZ7nb8IBaro1 za;^MHlDmuUHM?5+Oxf*%h{8Gpi@50$dQAglVp=uK9K%)4iNcCommand groups in `az sentinel` extension |CLI Command Group|Group Swagger name|Commands| |---------|------------|--------| +|az sentinel incident|Incidents|[commands](#CommandsInIncidents)| +|az sentinel incident-comment|IncidentComments|[commands](#CommandsInIncidentComments)| +|az sentinel incident-relation|IncidentRelations|[commands](#CommandsInIncidentRelations)| +|az sentinel threat-intelligence-indicator|ThreatIntelligenceIndicator|[commands](#CommandsInThreatIntelligenceIndicator)| +|az sentinel threat-intelligence-indicator|ThreatIntelligenceIndicators|[commands](#CommandsInThreatIntelligenceIndicators)| +|az sentinel threat-intelligence-indicator-metric|ThreatIntelligenceIndicatorMetrics|[commands](#CommandsInThreatIntelligenceIndicatorMetrics)| +|az sentinel watchlist|Watchlists|[commands](#CommandsInWatchlists)| +|az sentinel 
watchlist-item|WatchlistItems|[commands](#CommandsInWatchlistItems)| |az sentinel alert-rule|AlertRules|[commands](#CommandsInAlertRules)| |az sentinel action|Actions|[commands](#CommandsInActions)| |az sentinel alert-rule-template|AlertRuleTemplates|[commands](#CommandsInAlertRuleTemplates)| -|az sentinel bookmark|Bookmarks|[commands](#CommandsInBookmarks)| -|az sentinel data-connector|DataConnectors|[commands](#CommandsInDataConnectors)| -|az sentinel incident|Incidents|[commands](#CommandsInIncidents)| -|az sentinel incident-comment|IncidentComments|[commands](#CommandsInIncidentComments)| ## COMMANDS ### Commands in `az sentinel action` group |CLI Command|Operation Swagger name|Parameters|Examples| |---------|------------|--------|-----------| |[az sentinel action list](#ActionsListByAlertRule)|ListByAlertRule|[Parameters](#ParametersActionsListByAlertRule)|[Example](#ExamplesActionsListByAlertRule)| +|[az sentinel action show](#ActionsGet)|Get|[Parameters](#ParametersActionsGet)|[Example](#ExamplesActionsGet)| +|[az sentinel action create](#ActionsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersActionsCreateOrUpdate#Create)|[Example](#ExamplesActionsCreateOrUpdate#Create)| +|[az sentinel action update](#ActionsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersActionsCreateOrUpdate#Update)|Not Found| +|[az sentinel action delete](#ActionsDelete)|Delete|[Parameters](#ParametersActionsDelete)|[Example](#ExamplesActionsDelete)| ### Commands in `az sentinel alert-rule` group |CLI Command|Operation Swagger name|Parameters|Examples| |---------|------------|--------|-----------| |[az sentinel alert-rule list](#AlertRulesList)|List|[Parameters](#ParametersAlertRulesList)|[Example](#ExamplesAlertRulesList)| |[az sentinel alert-rule show](#AlertRulesGet)|Get|[Parameters](#ParametersAlertRulesGet)|[Example](#ExamplesAlertRulesGet)| -|[az sentinel alert-rule 
create](#AlertRulesCreateOrUpdateAction)|CreateOrUpdateAction|[Parameters](#ParametersAlertRulesCreateOrUpdateAction)|[Example](#ExamplesAlertRulesCreateOrUpdateAction)| |[az sentinel alert-rule create](#AlertRulesCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersAlertRulesCreateOrUpdate#Create)|[Example](#ExamplesAlertRulesCreateOrUpdate#Create)| |[az sentinel alert-rule update](#AlertRulesCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersAlertRulesCreateOrUpdate#Update)|Not Found| -|[az sentinel alert-rule delete](#AlertRulesDeleteAction)|DeleteAction|[Parameters](#ParametersAlertRulesDeleteAction)|[Example](#ExamplesAlertRulesDeleteAction)| |[az sentinel alert-rule delete](#AlertRulesDelete)|Delete|[Parameters](#ParametersAlertRulesDelete)|[Example](#ExamplesAlertRulesDelete)| -|[az sentinel alert-rule get-action](#AlertRulesGetAction)|GetAction|[Parameters](#ParametersAlertRulesGetAction)|[Example](#ExamplesAlertRulesGetAction)| ### Commands in `az sentinel alert-rule-template` group |CLI Command|Operation Swagger name|Parameters|Examples| 
@@ -41,24 +46,6 @@ |[az sentinel alert-rule-template list](#AlertRuleTemplatesList)|List|[Parameters](#ParametersAlertRuleTemplatesList)|[Example](#ExamplesAlertRuleTemplatesList)| |[az sentinel alert-rule-template show](#AlertRuleTemplatesGet)|Get|[Parameters](#ParametersAlertRuleTemplatesGet)|[Example](#ExamplesAlertRuleTemplatesGet)| -### Commands in `az sentinel bookmark` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel bookmark list](#BookmarksList)|List|[Parameters](#ParametersBookmarksList)|[Example](#ExamplesBookmarksList)| -|[az sentinel bookmark show](#BookmarksGet)|Get|[Parameters](#ParametersBookmarksGet)|[Example](#ExamplesBookmarksGet)| -|[az sentinel bookmark create](#BookmarksCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersBookmarksCreateOrUpdate#Create)|[Example](#ExamplesBookmarksCreateOrUpdate#Create)| -|[az sentinel bookmark update](#BookmarksCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersBookmarksCreateOrUpdate#Update)|Not Found| -|[az sentinel bookmark delete](#BookmarksDelete)|Delete|[Parameters](#ParametersBookmarksDelete)|[Example](#ExamplesBookmarksDelete)| - -### Commands in `az sentinel data-connector` group -|CLI Command|Operation Swagger name|Parameters|Examples| -|---------|------------|--------|-----------| -|[az sentinel data-connector list](#DataConnectorsList)|List|[Parameters](#ParametersDataConnectorsList)|[Example](#ExamplesDataConnectorsList)| -|[az sentinel data-connector show](#DataConnectorsGet)|Get|[Parameters](#ParametersDataConnectorsGet)|[Example](#ExamplesDataConnectorsGet)| -|[az sentinel data-connector create](#DataConnectorsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersDataConnectorsCreateOrUpdate#Create)|[Example](#ExamplesDataConnectorsCreateOrUpdate#Create)| -|[az sentinel data-connector 
update](#DataConnectorsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersDataConnectorsCreateOrUpdate#Update)|Not Found| -|[az sentinel data-connector delete](#DataConnectorsDelete)|Delete|[Parameters](#ParametersDataConnectorsDelete)|[Example](#ExamplesDataConnectorsDelete)| - ### Commands in `az sentinel incident` group |CLI Command|Operation Swagger name|Parameters|Examples| |---------|------------|--------|-----------| @@ -67,6 +54,9 @@ |[az sentinel incident create](#IncidentsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersIncidentsCreateOrUpdate#Create)|[Example](#ExamplesIncidentsCreateOrUpdate#Create)| |[az sentinel incident update](#IncidentsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersIncidentsCreateOrUpdate#Update)|Not Found| |[az sentinel incident delete](#IncidentsDelete)|Delete|[Parameters](#ParametersIncidentsDelete)|[Example](#ExamplesIncidentsDelete)| +|[az sentinel incident list-of-alert](#IncidentsListOfAlerts)|ListOfAlerts|[Parameters](#ParametersIncidentsListOfAlerts)|[Example](#ExamplesIncidentsListOfAlerts)| +|[az sentinel incident list-of-bookmark](#IncidentsListOfBookmarks)|ListOfBookmarks|[Parameters](#ParametersIncidentsListOfBookmarks)|[Example](#ExamplesIncidentsListOfBookmarks)| +|[az sentinel incident list-of-entity](#IncidentsListOfEntities)|ListOfEntities|[Parameters](#ParametersIncidentsListOfEntities)|[Example](#ExamplesIncidentsListOfEntities)| ### Commands in `az sentinel incident-comment` group |CLI Command|Operation Swagger name|Parameters|Examples| 
@@ -74,6 +64,54 @@ |[az sentinel incident-comment list](#IncidentCommentsListByIncident)|ListByIncident|[Parameters](#ParametersIncidentCommentsListByIncident)|[Example](#ExamplesIncidentCommentsListByIncident)| |[az sentinel incident-comment show](#IncidentCommentsGet)|Get|[Parameters](#ParametersIncidentCommentsGet)|[Example](#ExamplesIncidentCommentsGet)| |[az sentinel incident-comment create](#IncidentCommentsCreateComment)|CreateComment|[Parameters](#ParametersIncidentCommentsCreateComment)|[Example](#ExamplesIncidentCommentsCreateComment)| +|[az sentinel incident-comment delete](#IncidentCommentsDeleteComment)|DeleteComment|[Parameters](#ParametersIncidentCommentsDeleteComment)|[Example](#ExamplesIncidentCommentsDeleteComment)| + +### Commands in `az sentinel incident-relation` group +|CLI Command|Operation Swagger name|Parameters|Examples| +|---------|------------|--------|-----------| +|[az sentinel incident-relation list](#IncidentRelationsList)|List|[Parameters](#ParametersIncidentRelationsList)|[Example](#ExamplesIncidentRelationsList)| +|[az sentinel incident-relation create](#IncidentRelationsCreateOrUpdateRelation)|CreateOrUpdateRelation|[Parameters](#ParametersIncidentRelationsCreateOrUpdateRelation)|[Example](#ExamplesIncidentRelationsCreateOrUpdateRelation)| +|[az sentinel incident-relation delete](#IncidentRelationsDeleteRelation)|DeleteRelation|[Parameters](#ParametersIncidentRelationsDeleteRelation)|[Example](#ExamplesIncidentRelationsDeleteRelation)| +|[az sentinel incident-relation show-relation](#IncidentRelationsGetRelation)|GetRelation|[Parameters](#ParametersIncidentRelationsGetRelation)|[Example](#ExamplesIncidentRelationsGetRelation)| + +### Commands in `az sentinel threat-intelligence-indicator` group +|CLI Command|Operation Swagger name|Parameters|Examples| +|---------|------------|--------|-----------| +|[az sentinel threat-intelligence-indicator 
show](#ThreatIntelligenceIndicatorGet)|Get|[Parameters](#ParametersThreatIntelligenceIndicatorGet)|[Example](#ExamplesThreatIntelligenceIndicatorGet)| +|[az sentinel threat-intelligence-indicator create](#ThreatIntelligenceIndicatorCreate)|Create|[Parameters](#ParametersThreatIntelligenceIndicatorCreate)|[Example](#ExamplesThreatIntelligenceIndicatorCreate)| +|[az sentinel threat-intelligence-indicator delete](#ThreatIntelligenceIndicatorDelete)|Delete|[Parameters](#ParametersThreatIntelligenceIndicatorDelete)|[Example](#ExamplesThreatIntelligenceIndicatorDelete)| +|[az sentinel threat-intelligence-indicator append-tag](#ThreatIntelligenceIndicatorAppendTags)|AppendTags|[Parameters](#ParametersThreatIntelligenceIndicatorAppendTags)|[Example](#ExamplesThreatIntelligenceIndicatorAppendTags)| +|[az sentinel threat-intelligence-indicator create-indicator](#ThreatIntelligenceIndicatorCreateIndicator)|CreateIndicator|[Parameters](#ParametersThreatIntelligenceIndicatorCreateIndicator)|[Example](#ExamplesThreatIntelligenceIndicatorCreateIndicator)| +|[az sentinel threat-intelligence-indicator query-indicator](#ThreatIntelligenceIndicatorQueryIndicators)|QueryIndicators|[Parameters](#ParametersThreatIntelligenceIndicatorQueryIndicators)|[Example](#ExamplesThreatIntelligenceIndicatorQueryIndicators)| +|[az sentinel threat-intelligence-indicator replace-tag](#ThreatIntelligenceIndicatorReplaceTags)|ReplaceTags|[Parameters](#ParametersThreatIntelligenceIndicatorReplaceTags)|[Example](#ExamplesThreatIntelligenceIndicatorReplaceTags)| + +### Commands in `az sentinel threat-intelligence-indicator` group +|CLI Command|Operation Swagger name|Parameters|Examples| +|---------|------------|--------|-----------| +|[az sentinel threat-intelligence-indicator list](#ThreatIntelligenceIndicatorsList)|List|[Parameters](#ParametersThreatIntelligenceIndicatorsList)|[Example](#ExamplesThreatIntelligenceIndicatorsList)| + +### Commands in `az sentinel threat-intelligence-indicator-metric` group 
+|CLI Command|Operation Swagger name|Parameters|Examples| +|---------|------------|--------|-----------| +|[az sentinel threat-intelligence-indicator-metric list](#ThreatIntelligenceIndicatorMetricsList)|List|[Parameters](#ParametersThreatIntelligenceIndicatorMetricsList)|[Example](#ExamplesThreatIntelligenceIndicatorMetricsList)| + +### Commands in `az sentinel watchlist` group +|CLI Command|Operation Swagger name|Parameters|Examples| +|---------|------------|--------|-----------| +|[az sentinel watchlist list](#WatchlistsList)|List|[Parameters](#ParametersWatchlistsList)|[Example](#ExamplesWatchlistsList)| +|[az sentinel watchlist show](#WatchlistsGet)|Get|[Parameters](#ParametersWatchlistsGet)|[Example](#ExamplesWatchlistsGet)| +|[az sentinel watchlist create](#WatchlistsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersWatchlistsCreateOrUpdate#Create)|[Example](#ExamplesWatchlistsCreateOrUpdate#Create)| +|[az sentinel watchlist update](#WatchlistsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersWatchlistsCreateOrUpdate#Update)|Not Found| +|[az sentinel watchlist delete](#WatchlistsDelete)|Delete|[Parameters](#ParametersWatchlistsDelete)|[Example](#ExamplesWatchlistsDelete)| + +### Commands in `az sentinel watchlist-item` group +|CLI Command|Operation Swagger name|Parameters|Examples| +|---------|------------|--------|-----------| +|[az sentinel watchlist-item list](#WatchlistItemsList)|List|[Parameters](#ParametersWatchlistItemsList)|[Example](#ExamplesWatchlistItemsList)| +|[az sentinel watchlist-item show](#WatchlistItemsGet)|Get|[Parameters](#ParametersWatchlistItemsGet)|[Example](#ExamplesWatchlistItemsGet)| +|[az sentinel watchlist-item create](#WatchlistItemsCreateOrUpdate#Create)|CreateOrUpdate#Create|[Parameters](#ParametersWatchlistItemsCreateOrUpdate#Create)|[Example](#ExamplesWatchlistItemsCreateOrUpdate#Create)| +|[az sentinel watchlist-item 
update](#WatchlistItemsCreateOrUpdate#Update)|CreateOrUpdate#Update|[Parameters](#ParametersWatchlistItemsCreateOrUpdate#Update)|Not Found| +|[az sentinel watchlist-item delete](#WatchlistItemsDelete)|Delete|[Parameters](#ParametersWatchlistItemsDelete)|[Example](#ExamplesWatchlistItemsDelete)| ## COMMAND DETAILS 
@@ -89,9 +127,74 @@ az sentinel action list --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a1 ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--rule-id**|string|Alert rule ID|rule_id|ruleId| + +#### Command `az sentinel action show` + +##### Example +``` +az sentinel action show --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \ +"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--rule-id**|string|Alert rule ID|rule_id|ruleId| +|**--action-id**|string|Action ID|action_id|actionId| + +#### Command `az sentinel action create` + +##### Example +``` +az sentinel action create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --logic-app-resource-id \ +"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \ +--trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/m\ +anual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id \ +"912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ +--workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--rule-id**|string|Alert rule ID|rule_id|ruleId| +|**--action-id**|string|Action ID|action_id|actionId| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--logic-app-resource-id**|string|Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.|logic_app_resource_id|logicAppResourceId| +|**--trigger-uri**|string|Logic App Callback URL for this specific workflow.|trigger_uri|triggerUri| + +#### Command `az sentinel action update` + +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--rule-id**|string|Alert rule ID|rule_id|ruleId| +|**--action-id**|string|Action ID|action_id|actionId| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--logic-app-resource-id**|string|Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.|logic_app_resource_id|logicAppResourceId| +|**--trigger-uri**|string|Logic App Callback URL for this specific workflow.|trigger_uri|triggerUri| + +#### Command `az sentinel action delete` + +##### Example +``` +az sentinel action delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \ +"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--rule-id**|string|Alert rule ID|rule_id|ruleId| +|**--action-id**|string|Action ID|action_id|actionId| ### group `az sentinel alert-rule` #### Command `az sentinel alert-rule list` @@ -103,7 +206,7 @@ az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspac ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| #### Command `az sentinel alert-rule show` 
@@ -125,31 +228,9 @@ az sentinel alert-rule show --resource-group "myRg" --rule-id "73e01a99-5cd7-413 ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| - -#### Command `az sentinel alert-rule create` - -##### Example -``` -az sentinel alert-rule create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --logic-app-resource-id \ -"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" \ ---trigger-uri "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/m\ -anual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id \ -"912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ ---workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--action-id**|string|Action ID|action_id|actionId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--logic-app-resource-id**|string|Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.|logic_app_resource_id|logicAppResourceId| -|**--trigger-uri**|string|Logic App Callback URL for this specific workflow.|trigger_uri|triggerUri| #### Command `az sentinel alert-rule create` @@ -177,6 +258,9 @@ tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-i ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--rule-id**|string|Alert rule ID|rule_id|ruleId| |**--fusion-alert-rule**|object|Represents Fusion alert rule.|fusion_alert_rule|FusionAlertRule| |**--microsoft-security-incident-creation-alert-rule**|object|Represents MicrosoftSecurityIncidentCreation rule.|microsoft_security_incident_creation_alert_rule|MicrosoftSecurityIncidentCreationAlertRule| |**--scheduled-alert-rule**|object|Represents scheduled alert rule.|scheduled_alert_rule|ScheduledAlertRule| 
@@ -186,28 +270,13 @@ tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-i ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--rule-id**|string|Alert rule ID|rule_id|ruleId| |**--fusion-alert-rule**|object|Represents Fusion alert rule.|fusion_alert_rule|FusionAlertRule| |**--microsoft-security-incident-creation-alert-rule**|object|Represents MicrosoftSecurityIncidentCreation rule.|microsoft_security_incident_creation_alert_rule|MicrosoftSecurityIncidentCreationAlertRule| |**--scheduled-alert-rule**|object|Represents scheduled alert rule.|scheduled_alert_rule|ScheduledAlertRule| -#### Command `az sentinel alert-rule delete` - -##### Example -``` -az sentinel alert-rule delete --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \ -"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| -|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--action-id**|string|Action ID|action_id|actionId| - #### Command `az sentinel alert-rule delete` ##### Example 
@@ -218,20 +287,9 @@ az sentinel alert-rule delete --resource-group "myRg" --rule-id "73e01a99-5cd7-4 ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -#### Command `az sentinel alert-rule get-action` - -##### Example -``` -az sentinel alert-rule get-action --action-id "912bec42-cb66-4c03-ac63-1761b6898c3e" --resource-group "myRg" --rule-id \ -"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --workspace-name "myWorkspace" -``` -##### Parameters -|Option|Type|Description|Path (SDK)|Swagger name| -|------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--rule-id**|string|Alert rule ID|rule_id|ruleId| -|**--action-id**|string|Action ID|action_id|actionId| ### group `az sentinel alert-rule-template` #### Command `az sentinel alert-rule-template list` @@ -243,7 +301,7 @@ az sentinel alert-rule-template list --resource-group "myRg" --workspace-name "m ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| #### Command `az sentinel alert-rule-template show` 
@@ -256,355 +314,758 @@ az sentinel alert-rule-template show --alert-rule-template-id "65360bb0-8986-4ad ##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--alert-rule-template-id**|string|Alert rule template ID|alert_rule_template_id|alertRuleTemplateId| -### group `az sentinel bookmark` -#### Command `az sentinel bookmark list` +### group `az sentinel incident` +#### Command `az sentinel incident list` -##### Example +##### Example ``` -az sentinel bookmark list --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" --workspace-name \ +"myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter| +|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| +|**--top**|integer|Returns only the first n results. Optional.|top|$top| +|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. 
If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken| -#### Command `az sentinel bookmark show` +#### Command `az sentinel incident show` -##### Example +##### Example ``` -az sentinel bookmark show --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ +az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| +|**--incident-id**|string|Incident ID|incident_id|incidentId| -#### Command `az sentinel bookmark create` +#### Command `az sentinel incident create` -##### Example +##### Example ``` -az sentinel bookmark create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --created "2019-01-01T13:15:30Z" \ ---display-name "My bookmark" --labels "Tag1" --labels "Tag2" --notes "Found a suspicious activity" --query \ -"SecurityEvent | where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)" --query-result "Security Event query \ -result" --updated "2019-01-01T13:15:30Z" --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" +az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "This is a demo \ +incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" --classification-reason \ +"IncorrectAlertLogic" --first-activity-time-utc 
"2019-01-01T13:00:30Z" --last-activity-time-utc "2019-01-01T13:05:30Z" \ +--owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" --severity "High" --status "Closed" --title "My incident" \ +--incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| +|**--incident-id**|string|Incident ID|incident_id|incidentId| |**--etag**|string|Etag of the azure resource|etag|etag| -|**--created**|date-time|The time the bookmark was created|created|created| -|**--display-name**|string|The display name of the bookmark|display_name|displayName| -|**--labels**|array|List of labels relevant to this bookmark|labels|labels| -|**--notes**|string|The notes of the bookmark|notes|notes| -|**--query**|string|The query of the bookmark.|query|query| -|**--query-result**|string|The query result of the bookmark.|query_result|queryResult| -|**--updated**|date-time|The last time the bookmark was updated|updated|updated| -|**--incident-info**|object|Describes an incident that relates to bookmark|incident_info|incidentInfo| -|**--updated-by-object-id**|uuid|The object id of the user.|object_id|objectId| +|**--classification**|choice|The reason the incident was closed|classification|classification| +|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment| +|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason| +|**--description**|string|The description of 
the incident|description|description| +|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc| +|**--labels**|array|List of labels relevant to this incident|labels|labels| +|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc| +|**--owner**|object|Describes a user that the incident is assigned to|owner|owner| +|**--severity**|choice|The severity of the incident|severity|severity| +|**--status**|choice|The status of the incident|status|status| +|**--title**|string|The title of the incident|title|title| -#### Command `az sentinel bookmark update` +#### Command `az sentinel incident update` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| +|**--incident-id**|string|Incident ID|incident_id|incidentId| |**--etag**|string|Etag of the azure resource|etag|etag| -|**--created**|date-time|The time the bookmark was created|created|created| -|**--display-name**|string|The display name of the bookmark|display_name|displayName| -|**--labels**|array|List of labels relevant to this bookmark|labels|labels| -|**--notes**|string|The notes of the bookmark|notes|notes| -|**--query**|string|The query of the bookmark.|query|query| -|**--query-result**|string|The query result of the bookmark.|query_result|queryResult| -|**--updated**|date-time|The last time the bookmark was updated|updated|updated| -|**--incident-info**|object|Describes an incident that relates to bookmark|incident_info|incidentInfo| -|**--updated-by-object-id**|uuid|The 
object id of the user.|object_id|objectId| +|**--classification**|choice|The reason the incident was closed|classification|classification| +|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment| +|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason| +|**--description**|string|The description of the incident|description|description| +|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc| +|**--labels**|array|List of labels relevant to this incident|labels|labels| +|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc| +|**--owner**|object|Describes a user that the incident is assigned to|owner|owner| +|**--severity**|choice|The severity of the incident|severity|severity| +|**--status**|choice|The status of the incident|status|status| +|**--title**|string|The title of the incident|title|title| -#### Command `az sentinel bookmark delete` +#### Command `az sentinel incident delete` -##### Example +##### Example ``` -az sentinel bookmark delete --bookmark-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ +az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--bookmark-id**|string|Bookmark ID|bookmark_id|bookmarkId| +|**--incident-id**|string|Incident ID|incident_id|incidentId| -### group `az sentinel data-connector` -#### Command `az sentinel data-connector list` +#### Command `az sentinel incident list-of-alert` -##### Example +##### Example ``` -az sentinel data-connector list --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel incident list-of-alert --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --resource-group "myRg" \ +--workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--incident-id**|string|Incident ID|incident_id|incidentId| -#### Command `az sentinel data-connector show` +#### Command `az sentinel incident list-of-bookmark` -##### Example -``` -az sentinel data-connector show --data-connector-id "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "b96d014d-b5c2-4a01-9aba-a8058f629d42" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example +##### Example ``` -az sentinel data-connector show --data-connector-id "06b3ccb8-1384-4bcc-aec7-852f6d57161b" --resource-group "myRg" \ +az sentinel incident list-of-bookmark --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --resource-group "myRg" \ --workspace-name "myWorkspace" ``` -##### Example -``` -az sentinel data-connector show --data-connector-id 
"c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example -``` -az sentinel data-connector show --data-connector-id "07e42cb3-e658-4e90-801c-efa0f29d3d44" --resource-group "myRg" \ ---workspace-name "myWorkspace" -``` -##### Example +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--incident-id**|string|Incident ID|incident_id|incidentId| + +#### Command `az sentinel incident list-of-entity` + +##### Example ``` -az sentinel data-connector show --data-connector-id "c345bf40-8509-4ed2-b947-50cb773aaf04" --resource-group "myRg" \ +az sentinel incident list-of-entity --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --resource-group "myRg" \ --workspace-name "myWorkspace" ``` -##### Example +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--incident-id**|string|Incident ID|incident_id|incidentId| + +### group `az sentinel incident-comment` +#### Command `az sentinel incident-comment list` + +##### Example ``` -az sentinel data-connector show --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ +az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| +|**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter| +|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| +|**--top**|integer|Returns only the first n results. Optional.|top|$top| +|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
Optional.|skip_token|$skipToken| -#### Command `az sentinel data-connector create` +#### Command `az sentinel incident-comment show` -##### Example +##### Example ``` -az sentinel data-connector create --office-data-connector etag="\\"0300bf09-0000-0000-0000-5c37296e0000\\"" \ -tenant-id="2070ecc9-b4d5-4ae4-adaa-936fa1954fa8" --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" \ ---resource-group "myRg" --workspace-name "myWorkspace" +az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id \ +"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| -|**--aad-data-connector**|object|Represents AAD (Azure Active Directory) data connector.|aad_data_connector|AADDataConnector| -|**--aatp-data-connector**|object|Represents AATP (Azure Advanced Threat Protection) data connector.|aatp_data_connector|AATPDataConnector| -|**--asc-data-connector**|object|Represents ASC (Azure Security Center) data connector.|asc_data_connector|ASCDataConnector| -|**--aws-cloud-trail-data-connector**|object|Represents Amazon Web Services CloudTrail data connector.|aws_cloud_trail_data_connector|AwsCloudTrailDataConnector| -|**--mcas-data-connector**|object|Represents MCAS (Microsoft Cloud App Security) data connector.|mcas_data_connector|MCASDataConnector| -|**--mdatp-data-connector**|object|Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.|mdatp_data_connector|MDATPDataConnector| 
-|**--office-data-connector**|object|Represents office data connector.|office_data_connector|OfficeDataConnector| -|**--ti-data-connector**|object|Represents threat intelligence data connector.|ti_data_connector|TIDataConnector| +|**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| -#### Command `az sentinel data-connector update` +#### Command `az sentinel incident-comment create` -##### Parameters +##### Example +``` +az sentinel incident-comment create --message "Some message" --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da001\ +4" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +``` +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| -|**--aad-data-connector**|object|Represents AAD (Azure Active Directory) data connector.|aad_data_connector|AADDataConnector| -|**--aatp-data-connector**|object|Represents AATP (Azure Advanced Threat Protection) data connector.|aatp_data_connector|AATPDataConnector| -|**--asc-data-connector**|object|Represents ASC (Azure Security Center) data connector.|asc_data_connector|ASCDataConnector| -|**--aws-cloud-trail-data-connector**|object|Represents Amazon Web Services CloudTrail data connector.|aws_cloud_trail_data_connector|AwsCloudTrailDataConnector| -|**--mcas-data-connector**|object|Represents MCAS (Microsoft Cloud App Security) data connector.|mcas_data_connector|MCASDataConnector| -|**--mdatp-data-connector**|object|Represents MDATP (Microsoft Defender Advanced Threat 
Protection) data connector.|mdatp_data_connector|MDATPDataConnector| -|**--office-data-connector**|object|Represents office data connector.|office_data_connector|OfficeDataConnector| -|**--ti-data-connector**|object|Represents threat intelligence data connector.|ti_data_connector|TIDataConnector| +|**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--message**|string|The comment message|message|message| -#### Command `az sentinel data-connector delete` +#### Command `az sentinel incident-comment delete` -##### Example +##### Example ``` -az sentinel data-connector delete --data-connector-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" +az sentinel incident-comment delete --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id \ +"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--data-connector-id**|string|Connector ID|data_connector_id|dataConnectorId| +|**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| -### group `az sentinel incident` -#### Command `az sentinel incident list` +### group `az sentinel incident-relation` +#### Command `az sentinel incident-relation list` -##### Example +##### Example ``` -az sentinel incident list --orderby "properties/createdTimeUtc desc" --top 1 --resource-group "myRg" --workspace-name \ -"myWorkspace" +az sentinel incident-relation list --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --resource-group "myRg" \ +--workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--incident-id**|string|Incident ID|incident_id|incidentId| |**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter| |**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| |**--top**|integer|Returns only the first n results. Optional.|top|$top| |**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
Optional.|skip_token|$skipToken| -#### Command `az sentinel incident show` +#### Command `az sentinel incident-relation create` -##### Example +##### Example ``` -az sentinel incident show --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" +az sentinel incident-relation create --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --related-resource-id \ +"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/worksp\ +aces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096" --relation-name \ +"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--relation-name**|string|Relation Name|relation_name|relationName| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--related-resource-id**|string|The resource ID of the related resource|related_resource_id|relatedResourceId| -#### Command `az sentinel incident create` +#### Command `az sentinel incident-relation delete` -##### Example +##### Example ``` -az sentinel incident create --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "This is a demo \ -incident" --classification "FalsePositive" --classification-comment "Not a malicious activity" --classification-reason \ -"IncorrectAlertLogic" --first-activity-time-utc "2019-01-01T13:00:30Z" --last-activity-time-utc "2019-01-01T13:05:30Z" \ ---owner object-id="2046feea-040d-4a46-9e2b-91c2941bfa70" 
--severity "High" --status "Closed" --title "My incident" \ ---incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel incident-relation delete --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --relation-name \ +"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--etag**|string|Etag of the azure resource|etag|etag| -|**--classification**|choice|The reason the incident was closed|classification|classification| -|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment| -|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason| -|**--description**|string|The description of the incident|description|description| -|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc| -|**--labels**|array|List of labels relevant to this incident|labels|labels| -|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc| -|**--owner**|object|Describes a user that the incident is assigned to|owner|owner| -|**--severity**|choice|The severity of the incident|severity|severity| -|**--status**|choice|The status of the incident|status|status| -|**--title**|string|The title of the incident|title|title| +|**--relation-name**|string|Relation 
Name|relation_name|relationName| -#### Command `az sentinel incident update` +#### Command `az sentinel incident-relation show-relation` -##### Parameters +##### Example +``` +az sentinel incident-relation show-relation --incident-id "afbd324f-6c48-459c-8710-8d1e1cd03812" --relation-name \ +"4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --resource-group "myRg" --workspace-name "myWorkspace" +``` +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| |**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--relation-name**|string|Relation Name|relation_name|relationName| + +### group `az sentinel threat-intelligence-indicator` +#### Command `az sentinel threat-intelligence-indicator show` + +##### Example +``` +az sentinel threat-intelligence-indicator show --name "e16ef847-962e-d7b6-9c8b-a33e4bd30e47" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--name**|string|Threat intelligence indicator name field.|name|name| + +#### Command `az sentinel threat-intelligence-indicator create` + +##### Example +``` +az sentinel threat-intelligence-indicator create --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" --description \ +"debugging indicators" --confidence 78 --created-by-ref "contoso@contoso.com" --display-name "new schema" \ +--external-references "[]" --modified "" --pattern "[url:value = \'https://www.contoso.com\']" --pattern-type "url" \ +--revoked false --source "Azure Sentinel" --threat-intelligence-tags "new schema" --threat-types "compromised" \ +--valid-from "2020-04-15T17:44:00.114052Z" --valid-until "" --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--name**|string|Threat intelligence indicator name field.|name|name| |**--etag**|string|Etag of the azure resource|etag|etag| -|**--classification**|choice|The reason the incident was closed|classification|classification| -|**--classification-comment**|string|Describes the reason the incident was closed|classification_comment|classificationComment| -|**--classification-reason**|choice|The classification reason the incident was closed with|classification_reason|classificationReason| -|**--description**|string|The description of the incident|description|description| -|**--first-activity-time-utc**|date-time|The time of the first activity in the incident|first_activity_time_utc|firstActivityTimeUtc| -|**--labels**|array|List of labels relevant to this incident|labels|labels| -|**--last-activity-time-utc**|date-time|The time of the last activity in the incident|last_activity_time_utc|lastActivityTimeUtc| -|**--owner**|object|Describes a user that the incident is assigned to|owner|owner| -|**--severity**|choice|The severity of the incident|severity|severity| -|**--status**|choice|The status of the incident|status|status| -|**--title**|string|The title of the incident|title|title| +|**--threat-intelligence-tags**|array|List of tags|threat_intelligence_tags|threatIntelligenceTags| +|**--last-updated-time-utc**|string|Last updated time in UTC|last_updated_time_utc|lastUpdatedTimeUtc| +|**--source**|string|Source of a threat intelligence entity|source|source| +|**--display-name**|string|Display name of a threat intelligence entity|display_name|displayName| +|**--description**|string|Description of a threat 
intelligence entity|description|description| +|**--indicator-types**|array|Indicator types of threat intelligence entities|indicator_types|indicatorTypes| +|**--pattern**|string|Pattern of a threat intelligence entity|pattern|pattern| +|**--pattern-type**|string|Pattern type of a threat intelligence entity|pattern_type|patternType| +|**--pattern-version**|string|Pattern version of a threat intelligence entity|pattern_version|patternVersion| +|**--kill-chain-phases**|array|Kill chain phases|kill_chain_phases|killChainPhases| +|**--parsed-pattern**|array|Parsed patterns|parsed_pattern|parsedPattern| +|**--external-id**|string|External ID of threat intelligence entity|external_id|externalId| +|**--created-by-ref**|string|Created by reference of threat intelligence entity|created_by_ref|createdByRef| +|**--defanged**|boolean|Is threat intelligence entity defanged|defanged|defanged| +|**--external-last-updated-time-utc**|string|External last updated time in UTC|external_last_updated_time_utc|externalLastUpdatedTimeUtc| +|**--external-references**|array|External References|external_references|externalReferences| +|**--granular-markings**|array|Granular Markings|granular_markings|granularMarkings| +|**--labels**|array|Labels of threat intelligence entity|labels|labels| +|**--revoked**|boolean|Is threat intelligence entity revoked|revoked|revoked| +|**--confidence**|integer|Confidence of threat intelligence entity|confidence|confidence| +|**--object-marking-refs**|array|Threat intelligence entity object marking references|object_marking_refs|objectMarkingRefs| +|**--language**|string|Language of threat intelligence entity|language|language| +|**--threat-types**|array|Threat types|threat_types|threatTypes| +|**--valid-from**|string|Valid from|valid_from|validFrom| +|**--valid-until**|string|Valid until|valid_until|validUntil| +|**--created**|string|Created by|created|created| +|**--modified**|string|Modified by|modified|modified| +|**--extensions**|dictionary|Extensions 
map|extensions|extensions| + +#### Command `az sentinel threat-intelligence-indicator delete` + +##### Example +``` +az sentinel threat-intelligence-indicator delete --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--name**|string|Threat intelligence indicator name field.|name|name| -#### Command `az sentinel incident delete` +#### Command `az sentinel threat-intelligence-indicator append-tag` -##### Example +##### Example ``` -az sentinel incident delete --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ ---workspace-name "myWorkspace" +az sentinel threat-intelligence-indicator append-tag --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" \ +--threat-intelligence-tags "tag1" "tag2" --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| +|**--name**|string|Threat intelligence indicator name field.|name|name| +|**--threat-intelligence-tags**|array|List of tags to be appended.|threat_intelligence_tags|threatIntelligenceTags| -### group `az sentinel incident-comment` -#### Command `az sentinel incident-comment list` +#### Command `az sentinel threat-intelligence-indicator create-indicator` -##### Example +##### Example ``` -az sentinel incident-comment list --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" \ +az sentinel threat-intelligence-indicator create-indicator --description "debugging indicators" --confidence 78 \ +--created-by-ref "contoso@contoso.com" --display-name "new schema" --external-references "[]" --modified "" --pattern \ +"[url:value = \'https://www.contoso.com\']" --pattern-type "url" --revoked false --source "Azure Sentinel" \ +--threat-intelligence-tags "new schema" --threat-types "compromised" --valid-from "2020-04-15T17:44:00.114052Z" \ +--valid-until "" --operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" \ --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--threat-intelligence-tags**|array|List of tags|threat_intelligence_tags|threatIntelligenceTags| +|**--last-updated-time-utc**|string|Last updated time in UTC|last_updated_time_utc|lastUpdatedTimeUtc| +|**--source**|string|Source of a threat intelligence entity|source|source| +|**--display-name**|string|Display name of a threat intelligence entity|display_name|displayName| +|**--description**|string|Description of a threat intelligence entity|description|description| +|**--indicator-types**|array|Indicator types of threat intelligence entities|indicator_types|indicatorTypes| +|**--pattern**|string|Pattern of a threat intelligence entity|pattern|pattern| +|**--pattern-type**|string|Pattern type of a threat intelligence entity|pattern_type|patternType| +|**--pattern-version**|string|Pattern version of a threat intelligence entity|pattern_version|patternVersion| +|**--kill-chain-phases**|array|Kill chain phases|kill_chain_phases|killChainPhases| +|**--parsed-pattern**|array|Parsed patterns|parsed_pattern|parsedPattern| +|**--external-id**|string|External ID of threat intelligence entity|external_id|externalId| +|**--created-by-ref**|string|Created by reference of threat intelligence entity|created_by_ref|createdByRef| +|**--defanged**|boolean|Is threat intelligence entity defanged|defanged|defanged| +|**--external-last-updated-time-utc**|string|External last updated time in UTC|external_last_updated_time_utc|externalLastUpdatedTimeUtc| +|**--external-references**|array|External References|external_references|externalReferences| 
+|**--granular-markings**|array|Granular Markings|granular_markings|granularMarkings| +|**--labels**|array|Labels of threat intelligence entity|labels|labels| +|**--revoked**|boolean|Is threat intelligence entity revoked|revoked|revoked| +|**--confidence**|integer|Confidence of threat intelligence entity|confidence|confidence| +|**--object-marking-refs**|array|Threat intelligence entity object marking references|object_marking_refs|objectMarkingRefs| +|**--language**|string|Language of threat intelligence entity|language|language| +|**--threat-types**|array|Threat types|threat_types|threatTypes| +|**--valid-from**|string|Valid from|valid_from|validFrom| +|**--valid-until**|string|Valid until|valid_until|validUntil| +|**--created**|string|Created by|created|created| +|**--modified**|string|Modified by|modified|modified| +|**--extensions**|dictionary|Extensions map|extensions|extensions| + +#### Command `az sentinel threat-intelligence-indicator query-indicator` + +##### Example +``` +az sentinel threat-intelligence-indicator query-indicator --max-confidence 80 --max-valid-until \ +"2020-04-25T17:44:00.114052Z" --min-confidence 25 --min-valid-until "2020-04-05T17:44:00.114052Z" --page-size 100 \ +--sort-by item-key="lastUpdatedTimeUtc" sort-order="descending" --sources "Azure Sentinel" \ +--operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name \ +"myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--page-size**|integer|Page size|page_size|pageSize| +|**--min-confidence**|integer|Minimum confidence.|min_confidence|minConfidence| +|**--max-confidence**|integer|Maximum confidence.|max_confidence|maxConfidence| +|**--min-valid-until**|string|Start time for ValidUntil filter.|min_valid_until|minValidUntil| +|**--max-valid-until**|string|End time for ValidUntil filter.|max_valid_until|maxValidUntil| +|**--include-disabled**|boolean|Parameter to include/exclude disabled indicators.|include_disabled|includeDisabled| +|**--sort-by**|array|Columns to sort by and sorting order|sort_by|sortBy| +|**--sources**|array|Sources of threat intelligence indicators|sources|sources| +|**--pattern-types**|array|Pattern types|pattern_types|patternTypes| +|**--threat-types**|array|Threat types of threat intelligence indicators|threat_types|threatTypes| +|**--ids**|array|Ids of threat intelligence indicators|ids|ids| +|**--keywords**|array|Keywords for searching threat intelligence indicators|keywords|keywords| +|**--skip-token**|string|Skip token.|skip_token|skipToken| + +#### Command `az sentinel threat-intelligence-indicator replace-tag` + +##### Example +``` +az sentinel threat-intelligence-indicator replace-tag --name "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" --etag \ +"\\"0000262c-0000-0800-0000-5e9767060000\\"" --threat-intelligence-tags "patching tags" --operational-insights-resource\ +-provider "Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| 
+|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--name**|string|Threat intelligence indicator name field.|name|name| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--threat-intelligence-tags**|array|List of tags|threat_intelligence_tags|threatIntelligenceTags| +|**--last-updated-time-utc**|string|Last updated time in UTC|last_updated_time_utc|lastUpdatedTimeUtc| +|**--source**|string|Source of a threat intelligence entity|source|source| +|**--display-name**|string|Display name of a threat intelligence entity|display_name|displayName| +|**--description**|string|Description of a threat intelligence entity|description|description| +|**--indicator-types**|array|Indicator types of threat intelligence entities|indicator_types|indicatorTypes| +|**--pattern**|string|Pattern of a threat intelligence entity|pattern|pattern| +|**--pattern-type**|string|Pattern type of a threat intelligence entity|pattern_type|patternType| +|**--pattern-version**|string|Pattern version of a threat intelligence entity|pattern_version|patternVersion| +|**--kill-chain-phases**|array|Kill chain phases|kill_chain_phases|killChainPhases| +|**--parsed-pattern**|array|Parsed patterns|parsed_pattern|parsedPattern| +|**--external-id**|string|External ID of threat intelligence entity|external_id|externalId| +|**--created-by-ref**|string|Created by reference of threat intelligence entity|created_by_ref|createdByRef| +|**--defanged**|boolean|Is threat intelligence entity defanged|defanged|defanged| +|**--external-last-updated-time-utc**|string|External last updated time in 
UTC|external_last_updated_time_utc|externalLastUpdatedTimeUtc| +|**--external-references**|array|External References|external_references|externalReferences| +|**--granular-markings**|array|Granular Markings|granular_markings|granularMarkings| +|**--labels**|array|Labels of threat intelligence entity|labels|labels| +|**--revoked**|boolean|Is threat intelligence entity revoked|revoked|revoked| +|**--confidence**|integer|Confidence of threat intelligence entity|confidence|confidence| +|**--object-marking-refs**|array|Threat intelligence entity object marking references|object_marking_refs|objectMarkingRefs| +|**--language**|string|Language of threat intelligence entity|language|language| +|**--threat-types**|array|Threat types|threat_types|threatTypes| +|**--valid-from**|string|Valid from|valid_from|validFrom| +|**--valid-until**|string|Valid until|valid_until|validUntil| +|**--created**|string|Created by|created|created| +|**--modified**|string|Modified by|modified|modified| +|**--extensions**|dictionary|Extensions map|extensions|extensions| + +### group `az sentinel threat-intelligence-indicator` +#### Command `az sentinel threat-intelligence-indicator list` + +##### Example +``` +az sentinel threat-intelligence-indicator list --operational-insights-resource-provider "Microsoft.OperationalInsights"\ + --resource-group "myRg" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| |**--filter**|string|Filters the results, based on a Boolean condition. Optional.|filter|$filter| -|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| |**--top**|integer|Returns only the first n results. Optional.|top|$top| |**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken| +|**--orderby**|string|Sorts the results. Optional.|orderby|$orderby| -#### Command `az sentinel incident-comment show` +### group `az sentinel threat-intelligence-indicator-metric` +#### Command `az sentinel threat-intelligence-indicator-metric list` -##### Example +##### Example ``` -az sentinel incident-comment show --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" --incident-id \ -"73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel threat-intelligence-indicator-metric list --operational-insights-resource-provider \ +"Microsoft.OperationalInsights" --resource-group "myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| |**--resource-group-name**|string|The name of the resource group within the user's subscription. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| -#### Command `az sentinel incident-comment create` +### group `az sentinel watchlist` +#### Command `az sentinel watchlist list` -##### Example +##### Example ``` -az sentinel incident-comment create --message "Some message" --incident-comment-id "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da001\ -4" --incident-id "73e01a99-5cd7-4139-a149-9f2736ff2ab5" --resource-group "myRg" --workspace-name "myWorkspace" +az sentinel watchlist list --operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group \ +"myRg" --workspace-name "myWorkspace" ``` -##### Parameters +##### Parameters |Option|Type|Description|Path (SDK)|Swagger name| |------|----|-----------|----------|------------| -|**--resource-group-name**|string|The name of the resource group within the user's subscription. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| |**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| -|**--incident-id**|string|Incident ID|incident_id|incidentId| -|**--incident-comment-id**|string|Incident comment ID|incident_comment_id|incidentCommentId| -|**--message**|string|The comment message|message|message| +|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.|skip_token|$skipToken| + +#### Command `az sentinel watchlist show` + +##### Example +``` +az sentinel watchlist show --operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group \ +"myRg" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| + +#### Command `az sentinel watchlist create` + +##### Example +``` +az sentinel watchlist create --operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group \ +"myRg" --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "Watchlist from CSV content" \ +--properties-content-type "text/csv" --display-name "High Value Assets Watchlist" --items-search-key "header1" \ +--number-of-lines-to-skip 1 --provider "Microsoft" --raw-content "This line will be skipped\\nheader1,header2\\nvalue1,\ +value2" --source "Local file" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +``` +##### Example +``` +az sentinel watchlist create --operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group \ +"myRg" --etag "\\"0300bf09-0000-0000-0000-5c37296e0000\\"" --description "Watchlist from CSV content" --display-name \ +"High Value Assets Watchlist" --items-search-key "header1" --provider "Microsoft" --source "Local file" \ +--watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--watchlist-id**|string|The id (a Guid) of the watchlist|watchlist_id|watchlistId| +|**--display-name**|string|The display name of the watchlist|display_name|displayName| +|**--provider**|string|The provider of the watchlist|provider|provider| +|**--source**|choice|The source of the watchlist|source|source| +|**--created**|date-time|The time the watchlist was created|created|created| +|**--updated**|date-time|The last time the watchlist was updated|updated|updated| +|**--description**|string|A description of the watchlist|description|description| +|**--watchlist-type**|string|The type of the watchlist|watchlist_type|watchlistType| +|**--watchlist-properties-watchlist-alias**|string|The alias of the watchlist|watchlist_properties_watchlist_alias|watchlistAlias| +|**--is-deleted**|boolean|A flag that indicates if the watchlist is deleted or not|is_deleted|isDeleted| +|**--labels**|array|List of labels relevant to this watchlist|labels|labels| +|**--default-duration**|duration|The default duration of a watchlist (in ISO 8601 duration format)|default_duration|defaultDuration| +|**--tenant-id**|string|The tenantId where the watchlist belongs to|tenant_id|tenantId| +|**--number-of-lines-to-skip**|integer|The number of lines in a csv content to skip before the header|number_of_lines_to_skip|numberOfLinesToSkip| +|**--raw-content**|string|The raw content that represents to watchlist items to create. 
Example : This line will be skipped header1,header2 value1,value2|raw_content|rawContent| +|**--items-search-key**|string|The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.|items_search_key|itemsSearchKey| +|**--properties-content-type**|string|The content type of the raw content. For now, only text/csv is valid|content_type|contentType| +|**--upload-status**|string|The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted|upload_status|uploadStatus| +|**--object-id**|uuid|The object id of the user.|object_id|objectId| +|**--user-info-object-id**|uuid|The object id of the user.|user_info_object_id|objectId| + +#### Command `az sentinel watchlist update` + +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--watchlist-id**|string|The id (a Guid) of the watchlist|watchlist_id|watchlistId| +|**--display-name**|string|The display name of the watchlist|display_name|displayName| +|**--provider**|string|The provider of the watchlist|provider|provider| +|**--source**|choice|The source of the watchlist|source|source| +|**--created**|date-time|The time the watchlist was created|created|created| +|**--updated**|date-time|The last time the watchlist was updated|updated|updated| +|**--description**|string|A description of the watchlist|description|description| +|**--watchlist-type**|string|The type of the watchlist|watchlist_type|watchlistType| +|**--watchlist-properties-watchlist-alias**|string|The alias of the watchlist|watchlist_properties_watchlist_alias|watchlistAlias| +|**--is-deleted**|boolean|A flag that indicates if the watchlist is deleted or not|is_deleted|isDeleted| +|**--labels**|array|List of labels relevant to this watchlist|labels|labels| +|**--default-duration**|duration|The default duration of a watchlist (in ISO 8601 duration format)|default_duration|defaultDuration| +|**--tenant-id**|string|The tenantId where the watchlist belongs to|tenant_id|tenantId| +|**--number-of-lines-to-skip**|integer|The number of lines in a csv content to skip before the header|number_of_lines_to_skip|numberOfLinesToSkip| +|**--raw-content**|string|The raw content that represents to watchlist items to create. 
Example : This line will be skipped header1,header2 value1,value2|raw_content|rawContent| +|**--items-search-key**|string|The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address.|items_search_key|itemsSearchKey| +|**--properties-content-type**|string|The content type of the raw content. For now, only text/csv is valid|content_type|contentType| +|**--upload-status**|string|The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted|upload_status|uploadStatus| +|**--object-id**|uuid|The object id of the user.|object_id|objectId| +|**--user-info-object-id**|uuid|The object id of the user.|user_info_object_id|objectId| + +#### Command `az sentinel watchlist delete` + +##### Example +``` +az sentinel watchlist delete --operational-insights-resource-provider "Microsoft.OperationalInsights" --resource-group \ +"myRg" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| + +### group `az sentinel watchlist-item` +#### Command `az sentinel watchlist-item list` + +##### Example +``` +az sentinel watchlist-item list --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --watchlist-alias "highValueAsset" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| +|**--skip-token**|string|Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. 
Optional.|skip_token|$skipToken| + +#### Command `az sentinel watchlist-item show` + +##### Example +``` +az sentinel watchlist-item show --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --watchlist-alias "highValueAsset" --watchlist-item-id "3f8901fe-63d9-4875-9ad5-9fb3b8105797" \ +--workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| +|**--watchlist-item-id**|string|The watchlist item id (GUID)|watchlist_item_id|watchlistItemId| + +#### Command `az sentinel watchlist-item create` + +##### Example +``` +az sentinel watchlist-item create --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --watchlist-alias "highValueAsset" --etag "0300bf09-0000-0000-0000-5c37296e0000" \ +--items-key-value "{\\"Business tier\\":\\"10.0.2.0/24\\",\\"Data tier\\":\\"10.0.2.0/24\\",\\"Gateway \ +subnet\\":\\"10.0.255.224/27\\",\\"Private DMZ in\\":\\"10.0.0.0/27\\",\\"Public DMZ out\\":\\"10.0.0.96/27\\",\\"Web \ +Tier\\":\\"10.0.1.0/24\\"}" --watchlist-item-id "82ba292c-dc97-4dfc-969d-d4dd9e666842" --workspace-name "myWorkspace" +``` +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| +|**--watchlist-item-id**|string|The watchlist item id (GUID)|watchlist_item_id|watchlistItemId| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--watchlist-item-type**|string|The type of the watchlist item|watchlist_item_type|watchlistItemType| +|**--watchlist-item-properties-watchlist-item-id-watchlist-item-id**|string|The id (a Guid) of the watchlist item|watchlist_item_properties_watchlist_item_id_watchlist_item_id|watchlistItemId| +|**--tenant-id**|string|The tenantId to which the watchlist item belongs to|tenant_id|tenantId| +|**--is-deleted**|boolean|A flag that indicates if the watchlist item is deleted or not|is_deleted|isDeleted| +|**--created**|date-time|The time the watchlist item was created|created|created| +|**--updated**|date-time|The last time the watchlist item was updated|updated|updated| +|**--items-key-value**|any|key-value pairs for a watchlist item|items_key_value|itemsKeyValue| +|**--entity-mapping**|any|key-value pairs for a watchlist item entity mapping|entity_mapping|entityMapping| +|**--object-id**|uuid|The object id of the user.|object_id|objectId| +|**--user-info-object-id**|uuid|The object id of the user.|user_info_object_id|objectId| + +#### Command `az sentinel watchlist-item update` + +##### Parameters +|Option|Type|Description|Path (SDK)|Swagger name| +|------|----|-----------|----------|------------| +|**--resource-group-name**|string|The name of the resource group. 
The name is case insensitive.|resource_group_name|resourceGroupName| +|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider| +|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName| +|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias| +|**--watchlist-item-id**|string|The watchlist item id (GUID)|watchlist_item_id|watchlistItemId| +|**--etag**|string|Etag of the azure resource|etag|etag| +|**--watchlist-item-type**|string|The type of the watchlist item|watchlist_item_type|watchlistItemType| +|**--watchlist-item-properties-watchlist-item-id-watchlist-item-id**|string|The id (a Guid) of the watchlist item|watchlist_item_properties_watchlist_item_id_watchlist_item_id|watchlistItemId| +|**--tenant-id**|string|The tenantId to which the watchlist item belongs to|tenant_id|tenantId| +|**--is-deleted**|boolean|A flag that indicates if the watchlist item is deleted or not|is_deleted|isDeleted| +|**--created**|date-time|The time the watchlist item was created|created|created| +|**--updated**|date-time|The last time the watchlist item was updated|updated|updated| +|**--items-key-value**|any|key-value pairs for a watchlist item|items_key_value|itemsKeyValue| +|**--entity-mapping**|any|key-value pairs for a watchlist item entity mapping|entity_mapping|entityMapping| +|**--object-id**|uuid|The object id of the user.|object_id|objectId| +|**--user-info-object-id**|uuid|The object id of the user.|user_info_object_id|objectId| + +#### Command `az sentinel watchlist-item delete` + +##### Example +``` +az sentinel watchlist-item delete --operational-insights-resource-provider "Microsoft.OperationalInsights" \ +--resource-group "myRg" --watchlist-alias "highValueAsset" --watchlist-item-id "4008512e-1d30-48b2-9ee2-d3612ed9d3ea" \ +--workspace-name "myWorkspace" +``` +##### 
Parameters
+|Option|Type|Description|Path (SDK)|Swagger name|
+|------|----|-----------|----------|------------|
+|**--resource-group-name**|string|The name of the resource group. The name is case insensitive.|resource_group_name|resourceGroupName|
+|**--operational-insights-resource-provider**|string|The namespace of workspaces resource provider- Microsoft.OperationalInsights.|operational_insights_resource_provider|operationalInsightsResourceProvider|
+|**--workspace-name**|string|The name of the workspace.|workspace_name|workspaceName|
+|**--watchlist-alias**|string|The watchlist alias|watchlist_alias|watchlistAlias|
+|**--watchlist-item-id**|string|The watchlist item id (GUID)|watchlist_item_id|watchlistItemId|
diff --git a/src/securityinsight/setup.py b/src/securityinsight/setup.py
index 90474e79782..bac798e21ab 100644
--- a/src/securityinsight/setup.py
+++ b/src/securityinsight/setup.py
@@ -10,7 +10,7 @@ from setuptools import setup, find_packages
 # HISTORY.rst entry.
-VERSION = '0.1.1'
+VERSION = '0.1.0'
 try:
 from azext_sentinel.manual.version import VERSION
 except ImportError:
@@ -48,7 +48,7 @@
 description='Microsoft Azure Command-Line Tools SecurityInsights Extension',
 author='Microsoft Corporation',
 author_email='azpycli@microsoft.com',
- url='https://github.com/Azure/azure-cli-extensions/tree/master/src/sentinel',
+ url='https://github.com/Azure/azure-cli-extensions/tree/master/src/securityinsight',
 long_description=README + '\n\n' + HISTORY,
 license='MIT',
 classifiers=CLASSIFIERS,
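Review bot: The first setup.py hunk lowers VERSION from '0.1.1' to '0.1.0', which reads like the code generator overwriting a manual bump rather than a deliberate release change. If 0.1.1 has already been published, a lower number will not be offered by `az extension update` and is likely to be rejected by the extension index's increasing-version check, so the line should go back to `VERSION = '0.1.1'` (or higher, given how much regenerated code this commit carries), with HISTORY.rst kept in step. The unchanged `from azext_sentinel.manual.version import VERSION` silently replaces this value whenever the manual module exists, so the effective version should be confirmed there as well. The try/except block continues past the end of the hunk.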
