{
  "swagger": "2.0",
  "schemes": [
    "https"
  ],
  "host": "management.azure.com",
  "info": {
    "description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
    "title": "Security Center",
    "version": "2017-08-01-preview",
    "x-apisguru-categories": [
      "cloud"
    ],
    "x-logo": {
      "url": "https://api.apis.guru/v2/cache/logo/https_assets.onestore.ms_cdnfiles_onestorerolling-1606-01000_shell_v3_images_logo_microsoft.png"
    },
    "x-origin": [
      {
        "format": "swagger",
        "url": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/specification/security/resource-manager/Microsoft.Security/preview/2017-08-01-preview/iotSecuritySolutionAnalytics.json",
        "version": "2.0"
      }
    ],
    "x-preferred": false,
    "x-providerName": "azure.com",
    "x-serviceName": "security-iotSecuritySolutionAnalytics",
    "x-tags": [
      "Azure",
      "Microsoft"
    ]
  },
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "securityDefinitions": {
    "azure_auth": {
      "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
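      "description": "Azure Active Directory OAuth2 implicit flow. Only the user_impersonation scope is defined, so the scope itself does not separate read access from state-changing calls.",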
      "flow": "implicit",
      "scopes": {
        "user_impersonation": "impersonate your user account"
      },
      "type": "oauth2"
    }
  },
  "security": [
    {
      "azure_auth": [
        "user_impersonation"
      ]
    }
  ],
  "parameters": {
    "AggregatedAlertName": {
      "description": "Identifier of the aggregated alert",
      "in": "path",
      "name": "aggregatedAlertName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "AggregatedRecommendationName": {
      "description": "Identifier of the aggregated recommendation",
      "in": "path",
      "name": "aggregatedRecommendationName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "SolutionName": {
      "description": "The solution manager name",
      "in": "path",
      "name": "solutionName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    }
  },
  "paths": {
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels": {
      "get": {
        "description": "Lists the security analytics models of an IoT security solution.",
        "operationId": "IoTSecuritySolutionsAnalytics_GetAll",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/IoTSecuritySolutionAnalyticsModelList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "MyGroup",
              "solutionName": "default",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
                      "name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
                      "properties": {
                        "devicesMetrics": [
                          {
                            "date": "2019-02-01T00:00:00Z",
                            "devicesMetrics": {
                              "high": 3,
                              "low": 70,
                              "medium": 15
                            }
                          },
                          {
                            "date": "2019-02-02T00:00:00Z",
                            "devicesMetrics": {
                              "high": 3,
                              "low": 65,
                              "medium": 45
                            }
                          }
                        ],
                        "metrics": {
                          "high": 5,
                          "low": 102,
                          "medium": 200
                        },
                        "mostPrevalentDeviceAlerts": [
                          {
                            "alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
                            "devicesCount": 200,
                            "reportedSeverity": "Low"
                          },
                          {
                            "alertDisplayName": "Custom Alert - execution of a process that is not allowed",
                            "devicesCount": 170,
                            "reportedSeverity": "Medium"
                          },
                          {
                            "alertDisplayName": "Successful Bruteforce",
                            "devicesCount": 150,
                            "reportedSeverity": "Low"
                          }
                        ],
                        "mostPrevalentDeviceRecommendations": [
                          {
                            "devicesCount": 200,
                            "recommendationDisplayName": "Install the Azure Security of Things Agent",
                            "reportedSeverity": "Low"
                          },
                          {
                            "devicesCount": 170,
                            "recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
                            "reportedSeverity": "Low"
                          },
                          {
                            "devicesCount": 150,
                            "recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
                            "reportedSeverity": "Medium"
                          }
                        ],
                        "topAlertedDevices": [
                          {
                            "alertsCount": 200,
                            "deviceId": "id1"
                          },
                          {
                            "alertsCount": 170,
                            "deviceId": "id2"
                          },
                          {
                            "alertsCount": 150,
                            "deviceId": "id3"
                          }
                        ],
                        "unhealthyDeviceCount": 1200
                      },
                      "type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModelList"
                    }
                  ]
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default": {
      "get": {
        "description": "Gets the default security analytics model of an IoT security solution.",
        "operationId": "IoTSecuritySolutionsAnalytics_GetDefault",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/IoTSecuritySolutionAnalyticsModel"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "MyGroup",
              "solutionName": "default",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
                  "name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
                  "properties": {
                    "devicesMetrics": [
                      {
                        "date": "2019-02-01T00:00:00Z",
                        "devicesMetrics": {
                          "high": 3,
                          "low": 70,
                          "medium": 15
                        }
                      },
                      {
                        "date": "2019-02-02T00:00:00Z",
                        "devicesMetrics": {
                          "high": 3,
                          "low": 65,
                          "medium": 45
                        }
                      }
                    ],
                    "metrics": {
                      "high": 5,
                      "low": 102,
                      "medium": 200
                    },
                    "mostPrevalentDeviceAlerts": [
                      {
                        "alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
                        "alertsCount": 200,
                        "reportedSeverity": "Low"
                      },
                      {
                        "alertDisplayName": "Custom Alert - execution of a process that is not allowed",
                        "alertsCount": 170,
                        "reportedSeverity": "Medium"
                      },
                      {
                        "alertDisplayName": "Successful Bruteforce",
                        "alertsCount": 150,
                        "reportedSeverity": "Low"
                      }
                    ],
                    "mostPrevalentDeviceRecommendations": [
                      {
                        "devicesCount": 200,
                        "recommendationDisplayName": "Install the Azure Security of Things Agent",
                        "reportedSeverity": "Low"
                      },
                      {
                        "devicesCount": 170,
                        "recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
                        "reportedSeverity": "Low"
                      },
                      {
                        "devicesCount": 150,
                        "recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
                        "reportedSeverity": "Medium"
                      }
                    ],
                    "topAlertedDevices": [
                      {
                        "alertsCount": 200,
                        "deviceId": "id1"
                      },
                      {
                        "alertsCount": 170,
                        "deviceId": "id2"
                      },
                      {
                        "alertsCount": 150,
                        "deviceId": "id3"
                      }
                    ],
                    "unhealthyDeviceCount": 1200
                  },
                  "type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModel"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts": {
      "get": {
        "description": "Lists the aggregated alerts of an IoT security solution's default analytics model.",
        "operationId": "IoTSecuritySolutionsAnalyticsAggregatedAlerts_List",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          },
          {
            "description": "The number of results to retrieve.",
            "in": "query",
            "name": "$top",
            "required": false,
            "type": "integer"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/IoTSecurityAggregatedAlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "MyGroup",
              "solutionName": "default",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
                      "name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
                      "properties": {
                        "actionTaken": "Detected",
                        "aggregatedDateUtc": "2019-02-02",
                        "alertDisplayName": "Failed Bruteforce",
                        "alertType": "IoT_Bruteforce_Fail",
                        "count": 50,
                        "description": "Multiple unsuccessful login attempts identified. A Bruteforce attack on the device failed.",
                        "effectedResourceType": "IoT Device",
                        "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
                        "remediationSteps": "",
                        "reportedSeverity": "Low",
                        "systemSource": "Devices",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/IoTSecurityAggregatedAlert"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
                      "name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
                      "properties": {
                        "actionTaken": "Detected",
                        "aggregatedDateUtc": "2019-02-02",
                        "alertDisplayName": "Successful Bruteforce",
                        "alertType": "IoT_Bruteforce_Success",
                        "count": 600000,
                        "description": "Multiple unsuccessful login attempts identified followed by a successful login. A Bruteforce attack on the device was successful.",
                        "effectedResourceType": "IoT Device",
                        "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
                        "remediationSteps": "",
                        "reportedSeverity": "Low",
                        "systemSource": "Devices",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/IoTSecurityAggregatedAlert"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts/{aggregatedAlertName}": {
      "get": {
        "description": "Gets a single aggregated alert of an IoT security solution by name.",
        "operationId": "IoTSecuritySolutionsAnalyticsAggregatedAlert_Get",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          },
          {
            "$ref": "#/parameters/AggregatedAlertName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/IoTSecurityAggregatedAlert"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02",
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "MyGroup",
              "solutionName": "default",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
                  "name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
                  "properties": {
                    "actionTaken": "Detected",
                    "aggregatedDateUtc": "2019-02-02",
                    "alertDisplayName": "Failed Bruteforce",
                    "alertType": "IoT_Bruteforce_Fail",
                    "count": 50,
                    "description": "Multiple unsuccessful login attempts identified. A Bruteforce attack on the device failed.",
                    "effectedResourceType": "IoT Device",
                    "logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
                    "remediationSteps": "",
                    "reportedSeverity": "Low",
                    "systemSource": "Devices",
                    "vendorName": "Microsoft"
                  },
                  "type": "Microsoft.Security/IoTSecurityAggregatedAlert"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts/{aggregatedAlertName}/dismiss": {
      "post": {
        "description": "Dismisses an aggregated alert of an IoT security solution. This POST changes alert state, unlike the GET operations on the same resource.",
        "operationId": "IoTSecuritySolutionsAnalyticsAggregatedAlert_Dismiss",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          },
          {
            "$ref": "#/parameters/AggregatedAlertName"
          }
        ],
        "responses": {
          "200": {
            "description": "Dismissed"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02/dismiss",
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "IoTEdgeResources",
              "solutionName": "default",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedRecommendations": {
      "get": {
        "description": "Lists the aggregated recommendations of an IoT security solution's default analytics model.",
        "operationId": "IoTSecuritySolutionsAnalyticsRecommendations_List",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          },
          {
            "description": "The number of results to retrieve.",
            "in": "query",
            "name": "$top",
            "required": false,
            "type": "integer"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/IoTSecurityAggregatedRecommendationList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "IoTEdgeResources",
              "solutionName": "default",
              "subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
                      "name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
                      "properties": {
                        "description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device",
                        "detectedBy": "Microsoft",
                        "healthyDevices": 10000,
                        "logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')",
                        "recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
                        "recommendationName": "OpenPortsOnDevice",
                        "recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
                        "remediationSteps": "",
                        "reportedSeverity": "Low",
                        "unhealthyDeviceCount": 200
                      },
                      "type": "Microsoft.Security/IoTSecurityAggregatedRecommendation"
                    },
                    {
                      "id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/TooLargeIPRange",
                      "name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_InstallAgent",
                      "properties": {
                        "description": "An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors.",
                        "detectedBy": "Microsoft",
                        "healthyDevices": 130000,
                        "logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('TooLargeIPRange')",
                        "recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
                        "recommendationName": "TooLargeIPRange",
                        "recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
                        "remediationSteps": "",
                        "reportedSeverity": "High",
                        "unhealthyDeviceCount": 1
                      },
                      "type": "Microsoft.Security/IoTSecurityAggregatedRecommendation"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedRecommendations/{aggregatedRecommendationName}": {
      "get": {
        "description": "Gets a single aggregated recommendation of a security solution, identified by its name",
        "operationId": "IoTSecuritySolutionsAnalyticsRecommendation_Get",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "$ref": "#/parameters/SolutionName"
          },
          {
            "$ref": "#/parameters/AggregatedRecommendationName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/IoTSecurityAggregatedRecommendation"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "IoT Security Solutions Analytics"
        ],
        "x-ms-examples": {
          "Get Security Solutions Analytics": {
            "parameters": {
              "aggregatedRecommendationName": "OpenPortsOnDevice",
              "api-version": "2017-08-01-preview",
              "resourceGroupName": "IoTEdgeResources",
              "solutionName": "default",
              "subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
                  "name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
                  "properties": {
                    "description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default define rules to allow necessary communication to/from the device",
                    "detectedBy": "Microsoft",
                    "healthyDevices": 10000,
                    "logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')",
                    "recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
                    "recommendationName": "OpenPortsOnDevice",
                    "recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
                    "remediationSteps": "",
                    "reportedSeverity": "Low",
                    "unhealthyDeviceCount": 200
                  },
                  "type": "Microsoft.Security/IoTSecurityAggregatedRecommendation"
                }
              }
            }
          }
        }
      }
    }
  },
  "definitions": {
    "IoTSecurityAggregatedAlert": {
      "allOf": [
        {
          "description": "Describes an Azure resource.",
          "properties": {
            "id": {
              "description": "Resource Id",
              "readOnly": true,
              "type": "string"
            },
            "name": {
              "description": "Resource name",
              "readOnly": true,
              "type": "string"
            },
            "type": {
              "description": "Resource type",
              "readOnly": true,
              "type": "string"
            }
          },
          "type": "object",
          "x-ms-azure-resource": true
        },
        {
          "$ref": "#/definitions/TagsResource"
        }
      ],
      "description": "Security Solution Aggregated Alert information",
      "properties": {
        "properties": {
          "$ref": "#/definitions/IoTSecurityAggregatedAlertProperties",
          "description": "Security Solution Aggregated Alert data",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "IoTSecurityAggregatedAlertList": {
      "description": "List of IoT aggregated security alerts",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of aggregated alerts data",
          "items": {
            "$ref": "#/definitions/IoTSecurityAggregatedAlert"
          },
          "type": "array"
        }
      },
      "required": [
        "value"
      ]
    },
    "IoTSecurityAggregatedAlertProperties": {
      "description": "Security Solution Aggregated Alert data",
      "properties": {
        "actionTaken": {
          "description": "The action that was taken as a response to the alert (Active, Blocked etc.)",
          "readOnly": true,
          "type": "string"
        },
        "aggregatedDateUtc": {
          "description": "The date the incidents were detected by the vendor",
          "format": "date",
          "readOnly": true,
          "type": "string"
        },
        "alertDisplayName": {
          "description": "Display name of the alert type",
          "readOnly": true,
          "type": "string"
        },
        "alertType": {
          "description": "Name of the alert type",
          "readOnly": true,
          "type": "string"
        },
        "count": {
          "description": "Number of occurrences of the alert within the aggregated date",
          "readOnly": true,
          "type": "integer"
        },
        "description": {
          "description": "Description of the incident and what it means",
          "readOnly": true,
          "type": "string"
        },
        "effectedResourceType": {
          "description": "Azure resource ID of the resource that got the alerts",
          "readOnly": true,
          "type": "string"
        },
        "logAnalyticsQuery": {
          "description": "Log Analytics query that returns the list of affected devices/alerts",
          "readOnly": true,
          "type": "string"
        },
        "remediationSteps": {
          "description": "Recommended steps for remediation",
          "readOnly": true,
          "type": "string"
        },
        "reportedSeverity": {
          "description": "Estimated severity of this alert",
          "enum": [
            "Informational",
            "Low",
            "Medium",
            "High"
          ],
          "readOnly": true,
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "reportedSeverity",
            "values": [
              {
                "value": "Informational"
              },
              {
                "value": "Low"
              },
              {
                "value": "Medium"
              },
              {
                "value": "High"
              }
            ]
          }
        },
        "systemSource": {
          "description": "The type of the alerted resource (Azure, Non-Azure)",
          "readOnly": true,
          "type": "string"
        },
        "vendorName": {
          "description": "Name of the vendor that discovered the incident",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "IoTSecurityAggregatedRecommendation": {
      "allOf": [
        {
          "description": "Describes an Azure resource.",
          "properties": {
            "id": {
              "description": "Resource Id",
              "readOnly": true,
              "type": "string"
            },
            "name": {
              "description": "Resource name",
              "readOnly": true,
              "type": "string"
            },
            "type": {
              "description": "Resource type",
              "readOnly": true,
              "type": "string"
            }
          },
          "type": "object",
          "x-ms-azure-resource": true
        },
        {
          "$ref": "#/definitions/TagsResource"
        }
      ],
      "description": "Security Solution Recommendation Information",
      "properties": {
        "properties": {
          "$ref": "#/definitions/IoTSecurityAggregatedRecommendationProperties",
          "description": "Security Solution data",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "IoTSecurityAggregatedRecommendationList": {
      "description": "List of IoT aggregated security recommendations",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of aggregated recommendations data",
          "items": {
            "$ref": "#/definitions/IoTSecurityAggregatedRecommendation"
          },
          "type": "array"
        }
      },
      "required": [
        "value"
      ]
    },
    "IoTSecurityAggregatedRecommendationProperties": {
      "description": "Security Solution Recommendation Information",
      "properties": {
        "description": {
          "description": "Description of the recommendation and what it means",
          "readOnly": true,
          "type": "string"
        },
        "detectedBy": {
          "description": "Name of the vendor that discovered the issue",
          "readOnly": true,
          "type": "string"
        },
        "healthyDevices": {
          "description": "The number of healthy devices within the solution",
          "readOnly": true,
          "type": "integer"
        },
        "logAnalyticsQuery": {
          "description": "Log Analytics query that returns the list of affected devices/alerts",
          "readOnly": true,
          "type": "string"
        },
        "recommendationDisplayName": {
          "description": "Display name of the recommendation type.",
          "readOnly": true,
          "type": "string"
        },
        "recommendationName": {
          "description": "Name of the recommendation",
          "type": "string"
        },
        "recommendationTypeId": {
          "description": "The recommendation-type GUID.",
          "readOnly": true,
          "type": "string"
        },
        "remediationSteps": {
          "description": "Recommended steps for remediation",
          "readOnly": true,
          "type": "string"
        },
        "reportedSeverity": {
          "description": "Estimated severity of this recommendation",
          "enum": [
            "Informational",
            "Low",
            "Medium",
            "High"
          ],
          "readOnly": true,
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "reportedSeverity",
            "values": [
              {
                "value": "Informational"
              },
              {
                "value": "Low"
              },
              {
                "value": "Medium"
              },
              {
                "value": "High"
              }
            ]
          }
        },
        "unhealthyDeviceCount": {
          "description": "The number of unhealthy devices within the solution",
          "readOnly": true,
          "type": "integer"
        }
      },
      "type": "object"
    },
    "IoTSecurityAlertedDevice": {
      "description": "Statistic information about the number of alerts per device during the last period",
      "properties": {
        "alertsCount": {
          "description": "the number of alerts raised for this device",
          "readOnly": true,
          "type": "integer"
        },
        "deviceId": {
          "description": "Identifier of the device",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "IoTSecurityAlertedDevicesList": {
      "description": "List of devices with the count of raised alerts",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of alerted devices with their alert counts",
          "items": {
            "$ref": "#/definitions/IoTSecurityAlertedDevice"
          },
          "type": "array"
        }
      },
      "required": [
        "value"
      ]
    },
    "IoTSecurityDeviceAlert": {
      "description": "Statistic information about the number of alerts per alert type during the last period",
      "properties": {
        "alertDisplayName": {
          "description": "Display name of the alert",
          "readOnly": true,
          "type": "string"
        },
        "alertsCount": {
          "description": "the number of alerts raised for this alert type",
          "readOnly": true,
          "type": "integer"
        },
        "reportedSeverity": {
          "description": "Estimated severity of this alert",
          "enum": [
            "Informational",
            "Low",
            "Medium",
            "High"
          ],
          "readOnly": true,
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "reportedSeverity",
            "values": [
              {
                "value": "Informational"
              },
              {
                "value": "Low"
              },
              {
                "value": "Medium"
              },
              {
                "value": "High"
              }
            ]
          }
        }
      },
      "type": "object"
    },
    "IoTSecurityDeviceAlertsList": {
      "description": "List of alerts with the count of raised alerts",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of top alerts data",
          "items": {
            "$ref": "#/definitions/IoTSecurityDeviceAlert"
          },
          "type": "array"
        }
      },
      "required": [
        "value"
      ]
    },
    "IoTSecurityDeviceRecommendation": {
      "description": "Statistic information about the number of recommendations per recommendation type",
      "properties": {
        "devicesCount": {
          "description": "The number of devices with this recommendation",
          "readOnly": true,
          "type": "integer"
        },
        "recommendationDisplayName": {
          "description": "Display name of the recommendation",
          "readOnly": true,
          "type": "string"
        },
        "reportedSeverity": {
          "description": "Estimated severity of this recommendation",
          "enum": [
            "Informational",
            "Low",
            "Medium",
            "High"
          ],
          "readOnly": true,
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "reportedSeverity",
            "values": [
              {
                "value": "Informational"
              },
              {
                "value": "Low"
              },
              {
                "value": "Medium"
              },
              {
                "value": "High"
              }
            ]
          }
        }
      },
      "type": "object"
    },
    "IoTSecurityDeviceRecommendationsList": {
      "description": "List of recommendations with the count of devices",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of aggregated recommendation data",
          "items": {
            "$ref": "#/definitions/IoTSecurityDeviceRecommendation"
          },
          "type": "array"
        }
      },
      "required": [
        "value"
      ]
    },
    "IoTSecuritySolutionAnalyticsModel": {
      "allOf": [
        {
          "description": "Describes an Azure resource.",
          "properties": {
            "id": {
              "description": "Resource Id",
              "readOnly": true,
              "type": "string"
            },
            "name": {
              "description": "Resource name",
              "readOnly": true,
              "type": "string"
            },
            "type": {
              "description": "Resource type",
              "readOnly": true,
              "type": "string"
            }
          },
          "type": "object",
          "x-ms-azure-resource": true
        }
      ],
      "description": "Security Analytics of a security solution",
      "properties": {
        "properties": {
          "$ref": "#/definitions/IoTSecuritySolutionAnalyticsModelProperties",
          "description": "Security analytics data of a security solution",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "IoTSecuritySolutionAnalyticsModelList": {
      "description": "List of Security Analytics of a security solution",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of Security Analytics of a security solution",
          "items": {
            "$ref": "#/definitions/IoTSecuritySolutionAnalyticsModel"
          },
          "type": "array"
        }
      },
      "required": [
        "value"
      ]
    },
    "IoTSecuritySolutionAnalyticsModelProperties": {
      "description": "Security Analytics of a security solution properties",
      "properties": {
        "devicesMetrics": {
          "description": "The list of device metrics by aggregated date.",
          "items": {
            "properties": {
              "date": {
                "description": "the date of the metrics",
                "format": "date-time",
                "type": "string"
              },
              "devicesMetrics": {
                "$ref": "#/definitions/IoTSeverityMetrics",
                "description": "Device alert counts by severity.",
                "type": "object"
              }
            }
          },
          "readOnly": true,
          "type": "array"
        },
        "metrics": {
          "$ref": "#/definitions/IoTSeverityMetrics",
          "description": "Security Analytics of a security solution",
          "readOnly": true,
          "type": "object"
        },
        "mostPrevalentDeviceAlerts": {
          "$ref": "#/definitions/IoTSecurityDeviceAlertsList",
          "description": "The list of the 3 most prevalent alerts.",
          "type": "object"
        },
        "mostPrevalentDeviceRecommendations": {
          "$ref": "#/definitions/IoTSecurityDeviceRecommendationsList",
          "description": "The list of the 3 most prevalent recommendations.",
          "type": "object"
        },
        "topAlertedDevices": {
          "$ref": "#/definitions/IoTSecurityAlertedDevicesList",
          "description": "The list of the 3 most attacked devices.",
          "type": "object"
        },
        "unhealthyDeviceCount": {
          "description": "number of unhealthy devices",
          "readOnly": true,
          "type": "integer"
        }
      }
    },
    "IoTSeverityMetrics": {
      "description": "Severity metrics",
      "properties": {
        "high": {
          "description": "count of high severity items",
          "type": "integer"
        },
        "low": {
          "description": "count of low severity items",
          "type": "integer"
        },
        "medium": {
          "description": "count of medium severity items",
          "type": "integer"
        }
      },
      "type": "object"
    },
    "TagsResource": {
      "description": "A container holding only the Tags for a resource, allowing the user to update the tags.",
      "properties": {
        "tags": {
          "additionalProperties": {
            "type": "string"
          },
          "description": "Resource tags",
          "type": "object"
        }
      }
    }
  }
}