{
  "swagger": "2.0",
  "schemes": [
    "https"
  ],
  "host": "management.azure.com",
  "info": {
    "description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
    "title": "Security Center",
    "version": "2015-06-01-preview",
    "x-apisguru-categories": [
      "cloud"
    ],
    "x-logo": {
      "url": "https://api.apis.guru/v2/cache/logo/https_assets.onestore.ms_cdnfiles_onestorerolling-1606-01000_shell_v3_images_logo_microsoft.png"
    },
    "x-origin": [
      {
        "format": "swagger",
        "url": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/security.json",
        "version": "2.0"
      }
    ],
    "x-preferred": false,
    "x-providerName": "azure.com",
    "x-serviceName": "security",
    "x-tags": [
      "Azure",
      "Microsoft"
    ]
  },
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "securityDefinitions": {
    "azure_auth": {
      "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
      "description": "Azure Active Directory OAuth2 Flow",
      "flow": "implicit",
      "scopes": {
        "user_impersonation": "impersonate your user account"
      },
      "type": "oauth2"
    }
  },
  "security": [
    {
      "azure_auth": [
        "user_impersonation"
      ]
    }
  ],
  "parameters": {
    "AlertName": {
      "description": "Name of the alert object",
      "in": "path",
      "name": "alertName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "AlertUpdateActionType": {
      "description": "Type of the action to do on the alert",
      "enum": [
        "Dismiss",
        "Reactivate"
      ],
      "in": "path",
      "name": "alertUpdateActionType",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ApiVersion": {
      "description": "API version for the operation",
      "enum": [
        "2015-06-01-preview"
      ],
      "in": "query",
      "name": "api-version",
      "required": true,
      "type": "string"
    },
    "AscLocation": {
      "description": "The location where ASC stores the data of the subscription. Can be retrieved from Get locations",
      "in": "path",
      "name": "ascLocation",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "client"
    },
    "ConnectionType": {
      "description": "The type of allowed connections (Internal, External)",
      "enum": [
        "Internal",
        "External"
      ],
      "in": "path",
      "name": "connectionType",
      "required": true,
      "type": "string",
      "x-ms-enum": {
        "modelAsString": true,
        "name": "connectionType",
        "values": [
          {
            "value": "Internal"
          },
          {
            "value": "External"
          }
        ]
      },
      "x-ms-parameter-location": "method"
    },
    "DiscoveredSecuritySolutionName": {
      "description": "Name of a discovered security solution.",
      "in": "path",
      "name": "discoveredSecuritySolutionName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ExtendedResourceName": {
      "description": "The name of the base resource",
      "in": "path",
      "name": "extendedResourceName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ExtendedResourceProvider": {
      "description": "Resource provider name of the base resource",
      "in": "path",
      "name": "extendedResourceProvider",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ExtendedResourceType": {
      "description": "Type of the base resource",
      "in": "path",
      "name": "extendedResourceType",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ExternalSecuritySolutionsName": {
      "description": "Name of an external security solution.",
      "in": "path",
      "name": "externalSecuritySolutionsName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "JitNetworkAccessPolicy": {
      "in": "body",
      "name": "body",
      "required": true,
      "schema": {
        "$ref": "#/definitions/JitNetworkAccessPolicy"
      },
      "x-ms-parameter-location": "method"
    },
    "JitNetworkAccessPolicyInitiateRequest": {
      "in": "body",
      "name": "body",
      "required": true,
      "schema": {
        "$ref": "#/definitions/JitNetworkAccessPolicyInitiateRequest"
      },
      "x-ms-parameter-location": "method"
    },
    "JitNetworkAccessPolicyInitiateType": {
      "description": "Type of the action to do on the Just-in-Time access policy.",
      "enum": [
        "initiate"
      ],
      "in": "path",
      "name": "jitNetworkAccessPolicyInitiateType",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "JitNetworkAccessPolicyName": {
      "description": "Name of a Just-in-Time access configuration policy.",
      "in": "path",
      "name": "jitNetworkAccessPolicyName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ODataExpand": {
      "description": "OData expand. Optional.",
      "in": "query",
      "name": "$expand",
      "required": false,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ODataFilter": {
      "description": "OData filter. Optional.",
      "in": "query",
      "name": "$filter",
      "required": false,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ODataSelect": {
      "description": "OData select. Optional.",
      "in": "query",
      "name": "$select",
      "required": false,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "ResourceGroupName": {
      "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
      "in": "path",
      "maxLength": 90,
      "minLength": 1,
      "name": "resourceGroupName",
      "pattern": "^[-\\w\\._\\(\\)]+$",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "SubscriptionId": {
      "description": "Azure subscription ID",
      "in": "path",
      "name": "subscriptionId",
      "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
      "required": true,
      "type": "string"
    },
    "TaskName": {
      "description": "Name of the task object, will be a GUID",
      "in": "path",
      "name": "taskName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "TaskUpdateActionType": {
      "description": "Type of the action to do on the task",
      "enum": [
        "Activate",
        "Dismiss",
        "Start",
        "Resolve",
        "Close"
      ],
      "in": "path",
      "name": "taskUpdateActionType",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    },
    "TopologyResourceName": {
      "description": "Name of a topology resources collection.",
      "in": "path",
      "name": "topologyResourceName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    }
  },
  "paths": {
    "/providers/Microsoft.Security/operations": {
      "get": {
        "description": "Exposes all available operations for discovery purposes.",
        "operationId": "Operations_List",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/OperationList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Operations"
        ],
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the subscription",
        "operationId": "Alerts_List",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          },
          {
            "$ref": "#/parameters/ODataSelect"
          },
          {
            "$ref": "#/parameters/ODataExpand"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a subscription": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Suspicious Screensaver process executed",
                        "alertName": "SuspiciousScreenSaver",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm2",
                        "confidenceReasons": [
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "cmd.exe appeared in multiple alerts of the same type",
                            "type": "Process"
                          }
                        ],
                        "confidenceScore": 0.3,
                        "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extension are screen saver files and normally reside in and execute from the Windows system directory.",
                        "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z",
                        "entities": [
                          {
                            "OsVersion": null,
                            "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                            "dnsDomain": "",
                            "hostName": "vm2",
                            "netBiosName": "vm2",
                            "ntDomain": "",
                            "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
                            "operatingSystem": "Unknown",
                            "type": "host"
                          },
                          {
                            "logonId": "0x61450d87",
                            "name": "contosoUser",
                            "ntDomain": "vm2",
                            "sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
                            "type": "account"
                          },
                          {
                            "directory": "c:\\windows\\system32",
                            "name": "cmd.exe",
                            "type": "file"
                          },
                          {
                            "directory": "c:\\users\\contosoUser",
                            "name": "scrsave.scr",
                            "type": "file"
                          },
                          {
                            "commandLine": "c:\\users\\contosoUser\\scrsave.scr",
                            "creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
                            "processId": "0x4aec",
                            "type": "process"
                          }
                        ],
                        "extendedProperties": {
                          "account logon id": "0x61450d87",
                          "command line": "c:\\users\\contosoUser\\scrsave.scr",
                          "domain name": "vm2",
                          "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}",
                          "parent process": "cmd.exe",
                          "parent process id": "0x3c44",
                          "process id": "0x4aec",
                          "process name": "c:\\users\\contosoUser\\scrsave.scr",
                          "resourceType": "Virtual Machine",
                          "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
                          "user name": "vm2\\contosoUser"
                        },
                        "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                        "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team",
                        "reportedSeverity": "Low",
                        "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z",
                        "state": "Active",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "systemSource": "Azure",
                        "vendorName": "Microsoft",
                        "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/allowedConnections": {
      "get": {
        "description": "Gets the list of all possible traffic between resources for the subscription",
        "operationId": "AllowedConnections_List",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AllowedConnectionsList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "AllowedConnections"
        ],
        "x-ms-examples": {
          "Get allowed connections on a subscription": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "3eeab341-f466-499c-a8be-85427e154bad"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Security/locations/centralus/allowedConnections/Internal",
                      "location": "centralus",
                      "name": "Internal",
                      "properties": {
                        "calculatedDateTime": "2018-08-06T14:55:32.3518545Z",
                        "connectableResources": [
                          {
                            "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                            "inboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ],
                            "outboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ]
                          },
                          {
                            "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                            "inboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ],
                            "outboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ]
                          },
                          {
                            "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine3",
                            "inboundConnectedResources": [],
                            "outboundConnectedResources": []
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/allowedConnections"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/discoveredSecuritySolutions": {
      "get": {
        "description": "Gets a list of discovered Security Solutions for the subscription.",
        "operationId": "DiscoveredSecuritySolutions_List",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/DiscoveredSecuritySolutionList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "DiscoveredSecuritySolutions"
        ],
        "x-ms-examples": {
          "Get discovered security solutions": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/centralus/discoveredSecuritySolutions/CP",
                      "location": "eastus",
                      "name": "CP",
                      "properties": {
                        "offer": "cisco-asav",
                        "publisher": "cisco",
                        "securityFamily": "Ngfw",
                        "sku": "asav-azure-byol"
                      },
                      "type": "Microsoft.Security/locations/discoveredSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/centralus/discoveredSecuritySolutions/paloalto7",
                      "location": "eastus2",
                      "name": "paloalto7",
                      "properties": {
                        "offer": "vmseries1",
                        "publisher": "paloaltonetworks",
                        "securityFamily": "Ngfw",
                        "sku": "byol"
                      },
                      "type": "Microsoft.Security/locations/discoveredSecuritySolutions"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/externalSecuritySolutions": {
      "get": {
        "description": "Gets a list of external security solutions for the subscription.",
        "operationId": "ExternalSecuritySolutions_List",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/ExternalSecuritySolutionList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "ExternalSecuritySolutions"
        ],
        "x-ms-examples": {
          "Get external security solutions on a subscription": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-eus/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
                      "kind": "AAD",
                      "location": "eastus",
                      "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-eus/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-weu/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-weu",
                      "kind": "AAD",
                      "location": "westeurope",
                      "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-weu",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-weu"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/cef_omsprd_barracudanetworks_waf_barracuda",
                      "kind": "CEF",
                      "location": "westcentralus",
                      "name": "cef_omsprd_barracudanetworks_waf_barracuda",
                      "properties": {
                        "deviceType": "WAF",
                        "deviceVendor": "barracudanetworks",
                        "hostname": "barracuda",
                        "lastEventReceived": "2018-05-09T10:30:11.523Z",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/cef_omsprd_virtualhoneypot_Microsoft_demovm20",
                      "kind": "CEF",
                      "location": "westcentralus",
                      "name": "cef_omsprd_virtualhoneypot_Microsoft_demovm20",
                      "properties": {
                        "deviceType": "Microsoft",
                        "deviceVendor": "virtualHoneypot",
                        "hostname": "demovm20",
                        "lastEventReceived": "2018-05-08T15:42:22.57Z",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/cef_omsprd_virtualhoneypot_Microsoft_demovm10",
                      "kind": "CEF",
                      "location": "westcentralus",
                      "name": "cef_omsprd_virtualhoneypot_Microsoft_demovm10",
                      "properties": {
                        "deviceType": "Microsoft",
                        "deviceVendor": "virtualHoneypot",
                        "hostname": "demovm10",
                        "lastEventReceived": "2018-05-08T10:38:53.423Z",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_omsprd",
                      "kind": "AAD",
                      "location": "westcentralus",
                      "name": "aad_omsprd",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-ejp/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-ejp",
                      "kind": "AAD",
                      "location": "japaneast",
                      "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-ejp",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-ejp/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-ejp"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/jitNetworkAccessPolicies": {
      "get": {
        "description": "Policies for protecting resources using Just-in-Time access control.",
        "operationId": "JitNetworkAccessPolicies_List",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessPoliciesList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Get JIT network access policies on a subscription": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                      "kind": "Basic",
                      "location": "westeurope",
                      "name": "default",
                      "properties": {
                        "provisioningState": "Succeeded",
                        "requests": [
                          {
                            "requestor": "barbara@contoso.com",
                            "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                            "virtualMachines": [
                              {
                                "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                                "ports": [
                                  {
                                    "allowedSourceAddressPrefix": "192.127.0.2",
                                    "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                                    "number": 3389,
                                    "status": "Initiated",
                                    "statusReason": "UserRequested"
                                  }
                                ]
                              }
                            ]
                          }
                        ],
                        "virtualMachines": [
                          {
                            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                            "ports": [
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 22,
                                "protocol": "*"
                              },
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 3389,
                                "protocol": "*"
                              }
                            ]
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations": {
      "get": {
        "description": "The location of the responsible ASC of the specific subscription (home region). For each subscription there is only one responsible location. The location in the response should be used to read or write other resources in ASC according to their ID.",
        "operationId": "Locations_List",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AscLocationList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Locations"
        ],
        "x-ms-examples": {
          "Get security data locations": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/centralus",
                      "name": "centralus",
                      "properties": {
                        "homeRegionName": "centralus"
                      },
                      "type": "Microsoft.Security/locations"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}": {
      "get": {
        "description": "Details of a specific location",
        "operationId": "Locations_Get",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AscLocation"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Locations"
        ],
        "x-ms-examples": {
          "Get security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/centralus",
                  "name": "centralus",
                  "properties": {
                    "homeRegionName": "centralus"
                  },
                  "type": "Microsoft.Security/locations"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/ExternalSecuritySolutions": {
      "get": {
        "description": "Gets a list of external Security Solutions for the subscription and location.",
        "operationId": "ExternalSecuritySolutions_ListByHomeRegion",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/ExternalSecuritySolutionList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "ExternalSecuritySolutions"
        ],
        "x-ms-examples": {
          "Get external security solutions on a subscription from security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-eus/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
                      "kind": "AAD",
                      "location": "eastus",
                      "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-eus/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-weu/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-weu",
                      "kind": "AAD",
                      "location": "westeurope",
                      "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-weu",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-weu"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/cef_omsprd_barracudanetworks_waf_barracuda",
                      "kind": "CEF",
                      "location": "westcentralus",
                      "name": "cef_omsprd_barracudanetworks_waf_barracuda",
                      "properties": {
                        "deviceType": "WAF",
                        "deviceVendor": "barracudanetworks",
                        "hostname": "barracuda",
                        "lastEventReceived": "2018-05-09T10:30:11.523Z",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/cef_omsprd_virtualhoneypot_Microsoft_demovm20",
                      "kind": "CEF",
                      "location": "westcentralus",
                      "name": "cef_omsprd_virtualhoneypot_Microsoft_demovm20",
                      "properties": {
                        "deviceType": "Microsoft",
                        "deviceVendor": "virtualHoneypot",
                        "hostname": "demovm20",
                        "lastEventReceived": "2018-05-08T15:42:22.57Z",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/cef_omsprd_virtualhoneypot_Microsoft_demovm10",
                      "kind": "CEF",
                      "location": "westcentralus",
                      "name": "cef_omsprd_virtualhoneypot_Microsoft_demovm10",
                      "properties": {
                        "deviceType": "Microsoft",
                        "deviceVendor": "virtualHoneypot",
                        "hostname": "demovm10",
                        "lastEventReceived": "2018-05-08T10:38:53.423Z",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/unificationprod/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_omsprd",
                      "kind": "AAD",
                      "location": "westcentralus",
                      "name": "aad_omsprd",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/unificationprod/providers/Microsoft.OperationalInsights/workspaces/omsprd"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-ejp/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-ejp",
                      "kind": "AAD",
                      "location": "japaneast",
                      "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-ejp",
                      "properties": {
                        "connectivityState": "Discovered",
                        "deviceType": "Azure Active Directory Identity Protection",
                        "deviceVendor": "Microsoft",
                        "workspace": {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-ejp/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-ejp"
                        }
                      },
                      "type": "Microsoft.Security/locations/externalSecuritySolutions"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts": {
      "get": {
        "description": "List all the alerts associated with the subscription that are stored in a specific location",
        "operationId": "Alerts_ListSubscriptionLevelAlertsByRegion",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          },
          {
            "$ref": "#/parameters/ODataSelect"
          },
          {
            "$ref": "#/parameters/ODataExpand"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a subscription from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Suspicious Screensaver process executed",
                        "alertName": "SuspiciousScreenSaver",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm2",
                        "confidenceReasons": [
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "cmd.exe appeared in multiple alerts of the same type",
                            "type": "Process"
                          }
                        ],
                        "confidenceScore": 0.3,
                        "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extension are screen saver files and normally reside in and execute from the Windows system directory.",
                        "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z",
                        "entities": [
                          {
                            "OsVersion": null,
                            "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                            "dnsDomain": "",
                            "hostName": "vm2",
                            "netBiosName": "vm2",
                            "ntDomain": "",
                            "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
                            "operatingSystem": "Unknown",
                            "type": "host"
                          },
                          {
                            "logonId": "0x61450d87",
                            "name": "contosoUser",
                            "ntDomain": "vm2",
                            "sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
                            "type": "account"
                          },
                          {
                            "directory": "c:\\windows\\system32",
                            "name": "cmd.exe",
                            "type": "file"
                          },
                          {
                            "processId": "0x3c44",
                            "type": "process"
                          },
                          {
                            "directory": "c:\\users\\contosoUser",
                            "name": "scrsave.scr",
                            "type": "file"
                          },
                          {
                            "commandLine": "c:\\users\\contosoUser\\scrsave.scr",
                            "creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
                            "processId": "0x4aec",
                            "type": "process"
                          }
                        ],
                        "extendedProperties": {
                          "account logon id": "0x61450d87",
                          "command line": "c:\\users\\contosoUser\\scrsave.scr",
                          "domain name": "vm2",
                          "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}",
                          "parent process": "cmd.exe",
                          "parent process id": "0x3c44",
                          "process id": "0x4aec",
                          "process name": "c:\\users\\contosoUser\\scrsave.scr",
                          "resourceType": "Virtual Machine",
                          "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
                          "user name": "vm2\\contosoUser"
                        },
                        "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                        "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team",
                        "reportedSeverity": "Low",
                        "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z",
                        "state": "Active",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "systemSource": "Azure",
                        "vendorName": "Microsoft",
                        "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": {
      "get": {
        "description": "Get an alert that is associated with a subscription",
        "operationId": "Alerts_GetSubscriptionLevelAlert",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/AlertName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/Alert"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alert on a subscription from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "properties": {
                    "actionTaken": "Detected",
                    "alertDisplayName": "Threat Intelligence Alert",
                    "alertName": "ThreatIntelligence",
                    "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                    "canBeInvestigated": true,
                    "compromisedEntity": "vm1",
                    "confidenceReasons": [
                      {
                        "reason": "Some user reason",
                        "type": "User"
                      },
                      {
                        "reason": "Some process reason",
                        "type": "Process"
                      },
                      {
                        "reason": "Some computer reason",
                        "type": "Computer"
                      }
                    ],
                    "confidenceScore": 0.8,
                    "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                    "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                    "entities": [
                      {
                        "address": "192.0.2.1",
                        "location": {
                          "asn": 6584,
                          "city": "sonning",
                          "countryCode": "gb",
                          "latitude": 51.468,
                          "longitude": -0.909,
                          "state": "wokingham"
                        },
                        "threatIntelligence": [
                          {
                            "confidence": 0.8,
                            "providerName": "Team Cymru",
                            "reportLink": "http://www.microsoft.com",
                            "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                            "threatName": "rarog",
                            "threatType": "C2"
                          }
                        ],
                        "type": "ip"
                      }
                    ],
                    "extendedProperties": {
                      "attacker IP": "192.0.2.1",
                      "domain Name": "Contoso",
                      "resourceType": "Virtual Machine",
                      "user Name": "administrator"
                    },
                    "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                    "isIncident": false,
                    "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                    "reportedSeverity": "High",
                    "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                    "state": "Dismissed",
                    "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                    "vendorName": "Microsoft"
                  },
                  "type": "Microsoft.Security/Locations/alerts"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/{alertUpdateActionType}": {
      "post": {
        "description": "Update the alert's state",
        "operationId": "Alerts_UpdateSubscriptionLevelAlertState",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/AlertName"
          },
          {
            "$ref": "#/parameters/AlertUpdateActionType"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Update security alert state on a subscription from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "alertUpdateActionType": "Dismiss",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/allowedConnections": {
      "get": {
        "description": "Gets the list of all possible traffic between resources for the subscription and location.",
        "operationId": "AllowedConnections_ListByHomeRegion",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AllowedConnectionsList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "AllowedConnections"
        ],
        "x-ms-examples": {
          "Get allowed connections on a subscription from security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "subscriptionId": "3eeab341-f466-499c-a8be-85427e154bad"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Security/locations/centralus/allowedConnections/Internal",
                      "location": "centralus",
                      "name": "Internal",
                      "properties": {
                        "calculatedDateTime": "2018-08-06T14:55:32.3518545Z",
                        "connectableResources": [
                          {
                            "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                            "inboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ],
                            "outboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ]
                          },
                          {
                            "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                            "inboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ],
                            "outboundConnectedResources": [
                              {
                                "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                                "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                                "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                              }
                            ]
                          },
                          {
                            "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine3",
                            "inboundConnectedResources": [],
                            "outboundConnectedResources": []
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/allowedConnections"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/discoveredSecuritySolutions": {
      "get": {
        "description": "Gets a list of discovered Security Solutions for the subscription and location.",
        "operationId": "DiscoveredSecuritySolutions_ListByHomeRegion",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/DiscoveredSecuritySolutionList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "DiscoveredSecuritySolutions"
        ],
        "x-ms-examples": {
          "Get discovered security solutions from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/centralus/discoveredSecuritySolutions/CP",
                      "location": "eastus",
                      "name": "CP",
                      "properties": {
                        "offer": "cisco-asav",
                        "publisher": "cisco",
                        "securityFamily": "Ngfw",
                        "sku": "asav-azure-byol"
                      },
                      "type": "Microsoft.Security/locations/discoveredSecuritySolutions"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/centralus/discoveredSecuritySolutions/paloalto7",
                      "location": "eastus2",
                      "name": "paloalto7",
                      "properties": {
                        "offer": "vmseries1",
                        "publisher": "paloaltonetworks",
                        "securityFamily": "Ngfw",
                        "sku": "byol"
                      },
                      "type": "Microsoft.Security/locations/discoveredSecuritySolutions"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies": {
      "get": {
        "description": "Policies for protecting resources using Just-in-Time access control for the subscription and location",
        "operationId": "JitNetworkAccessPolicies_ListByRegion",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessPoliciesList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Get JIT network access policies on a subscription from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                      "kind": "Basic",
                      "location": "westeurope",
                      "name": "default",
                      "properties": {
                        "provisioningState": "Succeeded",
                        "requests": [
                          {
                            "requestor": "barbara@contoso.com",
                            "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                            "virtualMachines": [
                              {
                                "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                                "ports": [
                                  {
                                    "allowedSourceAddressPrefix": "192.127.0.2",
                                    "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                                    "number": 3389,
                                    "status": "Initiated",
                                    "statusReason": "UserRequested"
                                  }
                                ]
                              }
                            ]
                          }
                        ],
                        "virtualMachines": [
                          {
                            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                            "ports": [
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 22,
                                "protocol": "*"
                              },
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 3389,
                                "protocol": "*"
                              }
                            ]
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/tasks": {
      "get": {
        "description": "Recommended tasks that will help improve the security of the subscription proactively",
        "operationId": "Tasks_ListByHomeRegion",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/SecurityTaskList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Get security recommendations tasks from security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/westeurope/tasks/62609ee7-d0a5-8616-9fe4-1df5cca7758d",
                      "name": "62609ee7-d0a5-8616-9fe4-1df5cca7758d",
                      "properties": {
                        "creationTimeUtc": "2018-03-05T10:42:03.9935508Z",
                        "lastStateChangeTimeUtc": "2018-03-05T10:42:03.9935508Z",
                        "securityTaskParameters": {
                          "location": "uksouth",
                          "name": "NetworkSecurityGroupMissingOnSubnet",
                          "resourceGroup": "myRg",
                          "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default",
                          "resourceName": "default",
                          "resourceParent": "vnet1",
                          "resourceType": "Subnet",
                          "uniqueKey": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default"
                        },
                        "state": "Active",
                        "subState": "NA"
                      },
                      "type": "Microsoft.Security/locations/tasks"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Security/locations/westeurope/tasks/d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                      "name": "d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                      "properties": {
                        "creationTimeUtc": "2018-04-02T11:41:27.0541014Z",
                        "lastStateChangeTimeUtc": "2018-04-02T11:41:27.0541014Z",
                        "securityTaskParameters": {
                          "isDataDiskEncrypted": false,
                          "isOsDiskEncrypted": false,
                          "name": "EncryptionOnVm",
                          "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "severity": "High",
                          "uniqueKey": "EncryptionOnVmTaskParameters_/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "vmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "vmName": "vm1"
                        },
                        "state": "Active",
                        "subState": "NA"
                      },
                      "type": "Microsoft.Security/locations/tasks"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}": {
      "get": {
        "description": "Recommended tasks that will help improve the security of the subscription proactively",
        "operationId": "Tasks_GetSubscriptionLevelTask",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/TaskName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/SecurityTask"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Get security recommendation task from security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
              "taskName": "62609ee7-d0a5-8616-9fe4-1df5cca7758d"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/westeurope/tasks/62609ee7-d0a5-8616-9fe4-1df5cca7758d",
                  "name": "62609ee7-d0a5-8616-9fe4-1df5cca7758d",
                  "properties": {
                    "creationTimeUtc": "2018-03-05T10:42:03.9935508Z",
                    "lastStateChangeTimeUtc": "2018-03-05T10:42:03.9935508Z",
                    "securityTaskParameters": {
                      "location": "uksouth",
                      "name": "NetworkSecurityGroupMissingOnSubnet",
                      "resourceGroup": "myRg",
                      "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default",
                      "resourceName": "default",
                      "resourceParent": "vnet1",
                      "resourceType": "Subnet",
                      "uniqueKey": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default"
                    },
                    "state": "Active",
                    "subState": "NA"
                  },
                  "type": "Microsoft.Security/locations/tasks"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}/{taskUpdateActionType}": {
      "post": {
        "description": "Update the state of a recommended task that will help improve the security of the subscription proactively",
        "operationId": "Tasks_UpdateSubscriptionLevelTaskState",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/TaskName"
          },
          {
            "$ref": "#/parameters/TaskUpdateActionType"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Change security recommendation task state": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
              "taskName": "62609ee7-d0a5-8616-9fe4-1df5cca7758d",
              "taskUpdateActionType": "Dismiss"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/topologies": {
      "get": {
        "description": "Gets a list that allows building a topology view of a subscription and location.",
        "operationId": "Topology_ListByHomeRegion",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/TopologyList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Topology"
        ],
        "x-ms-examples": {
          "Get topology on a subscription from security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "subscriptionId": "3eeab341-f466-499c-a8be-85427e154bad"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Security/locations/centralus/topologies/vnets",
                      "location": "westus",
                      "name": "vnets",
                      "properties": {
                        "calculatedDateTime": "2018-07-10T13:56:10.5755270Z",
                        "topologyResources": [
                          {
                            "children": [
                              {
                                "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet"
                              }
                            ],
                            "location": "westus",
                            "networkZones": "Internal",
                            "recommendationsExist": false,
                            "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet",
                            "severity": "Healthy",
                            "topologyScore": 0
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/topologies"
                    },
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Security/locations/centralus/topologies/subnets",
                      "location": "westus",
                      "name": "subnets",
                      "properties": {
                        "calculatedDateTime": "2018-07-10T13:56:10.5755270Z",
                        "topologyResources": [
                          {
                            "location": "westus",
                            "networkZones": "Internal",
                            "parents": [
                              {
                                "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet"
                              }
                            ],
                            "recommendationsExist": false,
                            "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet",
                            "severity": "Healthy",
                            "topologyScore": 5
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/topologies"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/tasks": {
      "get": {
        "description": "Recommended tasks that will help improve the security of the subscription proactively",
        "operationId": "Tasks_List",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/SecurityTaskList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Get security recommendations tasks": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/westeurope/tasks/62609ee7-d0a5-8616-9fe4-1df5cca7758d",
                      "name": "62609ee7-d0a5-8616-9fe4-1df5cca7758d",
                      "properties": {
                        "creationTimeUtc": "2018-03-05T10:42:03.9935508Z",
                        "lastStateChangeTimeUtc": "2018-03-05T10:42:03.9935508Z",
                        "securityTaskParameters": {
                          "location": "uksouth",
                          "name": "NetworkSecurityGroupMissingOnSubnet",
                          "resourceGroup": "myRg",
                          "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default",
                          "resourceName": "default",
                          "resourceParent": "vnet1",
                          "resourceType": "Subnet",
                          "uniqueKey": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default"
                        },
                        "state": "Active",
                        "subState": "NA"
                      },
                      "type": "Microsoft.Security/locations/tasks"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Security/locations/westeurope/tasks/d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                      "name": "d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                      "properties": {
                        "creationTimeUtc": "2018-04-02T11:41:27.0541014Z",
                        "lastStateChangeTimeUtc": "2018-04-02T11:41:27.0541014Z",
                        "securityTaskParameters": {
                          "isDataDiskEncrypted": false,
                          "isOsDiskEncrypted": false,
                          "name": "EncryptionOnVm",
                          "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "severity": "High",
                          "uniqueKey": "EncryptionOnVmTaskParameters_/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "vmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "vmName": "vm1"
                        },
                        "state": "Active",
                        "subState": "NA"
                      },
                      "type": "Microsoft.Security/locations/tasks"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/topologies": {
      "get": {
        "description": "Gets a list that allows building a topology view of a subscription.",
        "operationId": "Topology_List",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/TopologyList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Topology"
        ],
        "x-ms-examples": {
          "Get topology on a subscription": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "3eeab341-f466-499c-a8be-85427e154bad"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Security/locations/centralus/topologies/vnets",
                      "location": "westus",
                      "name": "vnets",
                      "properties": {
                        "calculatedDateTime": "2018-07-10T13:56:10.5755270Z",
                        "topologyResources": [
                          {
                            "children": [
                              {
                                "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet"
                              }
                            ],
                            "location": "westus",
                            "networkZones": "Internal",
                            "recommendationsExist": false,
                            "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet",
                            "severity": "Healthy",
                            "topologyScore": 0
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/topologies"
                    },
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Security/locations/centralus/topologies/subnets",
                      "location": "westus",
                      "name": "subnets",
                      "properties": {
                        "calculatedDateTime": "2018-07-10T13:56:10.5755270Z",
                        "topologyResources": [
                          {
                            "location": "westus",
                            "networkZones": "Internal",
                            "parents": [
                              {
                                "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet"
                              }
                            ],
                            "recommendationsExist": false,
                            "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet",
                            "severity": "Healthy",
                            "topologyScore": 5
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/topologies"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the resource group",
        "operationId": "Alerts_ListByResourceGroup",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          },
          {
            "$ref": "#/parameters/ODataSelect"
          },
          {
            "$ref": "#/parameters/ODataExpand"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a resource group": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/jitNetworkAccessPolicies": {
      "get": {
        "description": "Policies for protecting resources using Just-in-Time access control for the subscription, location",
        "operationId": "JitNetworkAccessPolicies_ListByResourceGroup",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessPoliciesList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Get JIT network access policies on a resource group": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                      "kind": "Basic",
                      "location": "westeurope",
                      "name": "default",
                      "properties": {
                        "provisioningState": "Succeeded",
                        "requests": [
                          {
                            "requestor": "barbara@contoso.com",
                            "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                            "virtualMachines": [
                              {
                                "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                                "ports": [
                                  {
                                    "allowedSourceAddressPrefix": "192.127.0.2",
                                    "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                                    "number": 3389,
                                    "status": "Initiated",
                                    "statusReason": "UserRequested"
                                  }
                                ]
                              }
                            ]
                          }
                        ],
                        "virtualMachines": [
                          {
                            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                            "ports": [
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 22,
                                "protocol": "*"
                              },
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 3389,
                                "protocol": "*"
                              }
                            ]
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/ExternalSecuritySolutions/{externalSecuritySolutionsName}": {
      "get": {
        "description": "Gets a specific external Security Solution.",
        "operationId": "ExternalSecuritySolutions_Get",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ExternalSecuritySolutionsName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/ExternalSecuritySolution"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "ExternalSecuritySolutions"
        ],
        "x-ms-examples": {
          "Get external security solution": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "externalSecuritySolutionsName": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
              "resourceGroupName": "defaultresourcegroup-eus",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/defaultresourcegroup-eus/providers/Microsoft.Security/locations/centralus/externalSecuritySolutions/aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
                  "kind": "AAD",
                  "location": "eastus",
                  "name": "aad_defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus",
                  "properties": {
                    "connectivityState": "Discovered",
                    "deviceType": "Azure Active Directory Identity Protection",
                    "deviceVendor": "Microsoft",
                    "workspace": {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-eus/providers/Microsoft.OperationalInsights/workspaces/defaultworkspace-20ff7fc3-e762-44dd-bd96-b71116dcdc23-eus"
                    }
                  },
                  "type": "Microsoft.Security/locations/externalSecuritySolutions"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the resource group that are stored in a specific location",
        "operationId": "Alerts_ListResourceGroupLevelAlertsByRegion",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          },
          {
            "$ref": "#/parameters/ODataSelect"
          },
          {
            "$ref": "#/parameters/ODataExpand"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a resource group from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": {
      "get": {
        "description": "Get an alert that is associated with a resource group or a resource in a resource group",
        "operationId": "Alerts_GetResourceGroupLevelAlerts",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/AlertName"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/Alert"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alert on a resource group from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "properties": {
                    "actionTaken": "Detected",
                    "alertDisplayName": "Threat Intelligence Alert",
                    "alertName": "ThreatIntelligence",
                    "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                    "canBeInvestigated": true,
                    "compromisedEntity": "vm1",
                    "confidenceReasons": [
                      {
                        "reason": "Some user reason",
                        "type": "User"
                      },
                      {
                        "reason": "Some process reason",
                        "type": "Process"
                      },
                      {
                        "reason": "Some computer reason",
                        "type": "Computer"
                      }
                    ],
                    "confidenceScore": 0.8,
                    "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                    "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                    "entities": [
                      {
                        "address": "192.0.2.1",
                        "location": {
                          "asn": 6584,
                          "city": "sonning",
                          "countryCode": "gb",
                          "latitude": 51.468,
                          "longitude": -0.909,
                          "state": "wokingham"
                        },
                        "threatIntelligence": [
                          {
                            "confidence": 0.8,
                            "providerName": "Team Cymru",
                            "reportLink": "http://www.microsoft.com",
                            "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                            "threatName": "rarog",
                            "threatType": "C2"
                          }
                        ],
                        "type": "ip"
                      }
                    ],
                    "extendedProperties": {
                      "attacker IP": "192.0.2.1",
                      "domain Name": "Contoso",
                      "resourceType": "Virtual Machine",
                      "user Name": "administrator"
                    },
                    "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                    "isIncident": false,
                    "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                    "reportedSeverity": "High",
                    "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                    "state": "Dismissed",
                    "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                    "vendorName": "Microsoft"
                  },
                  "type": "Microsoft.Security/Locations/alerts"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/{alertUpdateActionType}": {
      "post": {
        "description": "Update the alert's state",
        "operationId": "Alerts_UpdateResourceGroupLevelAlertState",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/AlertName"
          },
          {
            "$ref": "#/parameters/AlertUpdateActionType"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Update security alert state on a resource group from a security data location": {
            "parameters": {
              "alertName": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
              "alertUpdateActionType": "Dismiss",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg2",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/allowedConnections/{connectionType}": {
      "get": {
        "description": "Gets the list of all possible traffic between resources for the subscription and location, based on connection type.",
        "operationId": "AllowedConnections_Get",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ConnectionType"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AllowedConnectionsResource"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "AllowedConnections"
        ],
        "x-ms-examples": {
          "Get allowed connections": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "connectionType": "Internal",
              "resourceGroupName": "myResourceGroup",
              "subscriptionId": "3eeab341-f466-499c-a8be-85427e154bad"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Security/locations/centralus/allowedConnections/Internal",
                  "location": "centralus",
                  "name": "Internal",
                  "properties": {
                    "calculatedDateTime": "2018-08-06T14:55:32.3518545Z",
                    "connectableResources": [
                      {
                        "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                        "inboundConnectedResources": [
                          {
                            "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                            "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                            "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                          }
                        ],
                        "outboundConnectedResources": [
                          {
                            "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                            "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                            "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                          }
                        ]
                      },
                      {
                        "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine2",
                        "inboundConnectedResources": [
                          {
                            "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                            "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                            "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                          }
                        ],
                        "outboundConnectedResources": [
                          {
                            "connectedResourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine1",
                            "tcpPorts": "[0-21,23-3388,3390-5984,5987-65535]",
                            "udpPorts": "[0-21,23-3388,3390-5984,5987-65535]"
                          }
                        ]
                      },
                      {
                        "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/virtaulMachine3",
                        "inboundConnectedResources": [],
                        "outboundConnectedResources": []
                      }
                    ]
                  },
                  "type": "Microsoft.Security/locations/allowedConnections"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/discoveredSecuritySolutions/{discoveredSecuritySolutionName}": {
      "get": {
        "description": "Gets a specific discovered Security Solution.",
        "operationId": "DiscoveredSecuritySolutions_Get",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/DiscoveredSecuritySolutionName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/DiscoveredSecuritySolution"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "DiscoveredSecuritySolutions"
        ],
        "x-ms-examples": {
          "Get discovered security solution from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "discoveredSecuritySolutionName": "paloalto7",
              "resourceGroupName": "myRg2",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/centralus/discoveredSecuritySolutions/paloalto7",
                  "location": "eastus2",
                  "name": "paloalto7",
                  "properties": {
                    "offer": "vmseries1",
                    "publisher": "paloaltonetworks",
                    "securityFamily": "Ngfw",
                    "sku": "byol"
                  },
                  "type": "Microsoft.Security/locations/discoveredSecuritySolutions"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies": {
      "get": {
        "description": "List the policies for protecting resources using Just-in-Time access control for the subscription, resource group and location",
        "operationId": "JitNetworkAccessPolicies_ListByResourceGroupAndRegion",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessPoliciesList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Get JIT network access policies on a resource group from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                      "kind": "Basic",
                      "location": "westeurope",
                      "name": "default",
                      "properties": {
                        "provisioningState": "Succeeded",
                        "requests": [
                          {
                            "requestor": "barbara@contoso.com",
                            "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                            "virtualMachines": [
                              {
                                "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                                "ports": [
                                  {
                                    "allowedSourceAddressPrefix": "192.127.0.2",
                                    "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                                    "number": 3389,
                                    "status": "Initiated",
                                    "statusReason": "UserRequested"
                                  }
                                ]
                              }
                            ]
                          }
                        ],
                        "virtualMachines": [
                          {
                            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                            "ports": [
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 22,
                                "protocol": "*"
                              },
                              {
                                "allowedSourceAddressPrefix": "*",
                                "maxRequestAccessDuration": "PT3H",
                                "number": 3389,
                                "protocol": "*"
                              }
                            ]
                          }
                        ]
                      },
                      "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}": {
      "delete": {
        "description": "Delete a Just-in-Time access control policy.",
        "operationId": "JitNetworkAccessPolicies_Delete",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicyName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK - Resource was deleted"
          },
          "204": {
            "description": "No Content - Resource does not exist"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Delete a JIT network access policy": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "jitNetworkAccessPolicyName": "default",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {},
              "204": {}
            }
          }
        }
      },
      "get": {
        "description": "Get a policy for protecting resources using Just-in-Time access control, identified by name within the subscription, resource group and location",
        "operationId": "JitNetworkAccessPolicies_Get",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicyName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessPolicy"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Get JIT network access policy": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "jitNetworkAccessPolicyName": "default",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                  "kind": "Basic",
                  "location": "westeurope",
                  "name": "default",
                  "properties": {
                    "provisioningState": "Succeeded",
                    "requests": [
                      {
                        "requestor": "barbara@contoso.com",
                        "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                        "virtualMachines": [
                          {
                            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                            "ports": [
                              {
                                "allowedSourceAddressPrefix": "192.127.0.2",
                                "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                                "number": 3389,
                                "status": "Initiated",
                                "statusReason": "UserRequested"
                              }
                            ]
                          }
                        ]
                      }
                    ],
                    "virtualMachines": [
                      {
                        "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "ports": [
                          {
                            "allowedSourceAddressPrefix": "*",
                            "maxRequestAccessDuration": "PT3H",
                            "number": 22,
                            "protocol": "*"
                          },
                          {
                            "allowedSourceAddressPrefix": "*",
                            "maxRequestAccessDuration": "PT3H",
                            "number": 3389,
                            "protocol": "*"
                          }
                        ]
                      }
                    ]
                  },
                  "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
                }
              }
            }
          }
        }
      },
      "put": {
        "description": "Create a policy for protecting resources using Just-in-Time access control",
        "operationId": "JitNetworkAccessPolicies_CreateOrUpdate",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicyName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicy"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessPolicy"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Create JIT network access policy": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "body": {
                "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                "kind": "Basic",
                "location": "westeurope",
                "name": "default",
                "properties": {
                  "provisioningState": "Succeeded",
                  "requests": [
                    {
                      "requestor": "barbara@contoso.com",
                      "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                      "virtualMachines": [
                        {
                          "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                          "ports": [
                            {
                              "allowedSourceAddressPrefix": "192.127.0.2",
                              "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                              "number": 3389,
                              "status": "Initiated",
                              "statusReason": "UserRequested"
                            }
                          ]
                        }
                      ]
                    }
                  ],
                  "virtualMachines": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                      "ports": [
                        {
                          "allowedSourceAddressPrefix": "*",
                          "maxRequestAccessDuration": "PT3H",
                          "number": 22,
                          "protocol": "*"
                        },
                        {
                          "allowedSourceAddressPrefix": "*",
                          "maxRequestAccessDuration": "PT3H",
                          "number": 3389,
                          "protocol": "*"
                        }
                      ]
                    }
                  ]
                },
                "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
              },
              "jitNetworkAccessPolicyName": "default",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
                  "kind": "Basic",
                  "location": "westeurope",
                  "name": "default",
                  "properties": {
                    "provisioningState": "Succeeded",
                    "requests": [
                      {
                        "requestor": "barbara@contoso.com",
                        "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
                        "virtualMachines": [
                          {
                            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                            "ports": [
                              {
                                "allowedSourceAddressPrefix": "192.127.0.2",
                                "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                                "number": 3389,
                                "status": "Initiated",
                                "statusReason": "UserRequested"
                              }
                            ]
                          }
                        ]
                      }
                    ],
                    "virtualMachines": [
                      {
                        "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "ports": [
                          {
                            "allowedSourceAddressPrefix": "*",
                            "maxRequestAccessDuration": "PT3H",
                            "number": 22,
                            "protocol": "*"
                          },
                          {
                            "allowedSourceAddressPrefix": "*",
                            "maxRequestAccessDuration": "PT3H",
                            "number": 3389,
                            "protocol": "*"
                          }
                        ]
                      }
                    ]
                  },
                  "type": "Microsoft.Security/locations/jitNetworkAccessPolicies"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}/{jitNetworkAccessPolicyInitiateType}": {
      "post": {
        "description": "Initiate a JIT access from a specific Just-in-Time policy configuration.",
        "operationId": "JitNetworkAccessPolicies_Initiate",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicyName"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicyInitiateType"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/JitNetworkAccessPolicyInitiateRequest"
          }
        ],
        "responses": {
          "202": {
            "description": "Accepted",
            "schema": {
              "$ref": "#/definitions/JitNetworkAccessRequest"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "JitNetworkAccessPolicies"
        ],
        "x-ms-examples": {
          "Initiate an action on a JIT network access policy": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "body": {
                "virtualMachines": [
                  {
                    "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                    "ports": [
                      {
                        "allowedSourceAddressPrefix": "192.127.0.2",
                        "duration": "PT1H",
                        "number": 3389
                      }
                    ]
                  }
                ]
              },
              "jitNetworkAccessPolicyInitiateType": "initiate",
              "jitNetworkAccessPolicyName": "default",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "202": {
                "body": {
                  "requestor": "barbara@contoso.com",
                  "startTimeUtc": "2018-07-12T08:53:03.3658798Z",
                  "virtualMachines": [
                    {
                      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                      "ports": [
                        {
                          "allowedSourceAddressPrefix": "192.127.0.2",
                          "endTimeUtc": "2018-07-12T09:53:03.3658798Z",
                          "number": 3389,
                          "status": "Initiating",
                          "statusReason": "UserRequested"
                        }
                      ]
                    }
                  ]
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/tasks": {
      "get": {
        "description": "Recommended tasks that will help improve the security of the subscription proactively",
        "operationId": "Tasks_ListByResourceGroup",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/ODataFilter"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/SecurityTaskList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Get security recommendation tasks in a resource group": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Security/locations/westeurope/tasks/d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                      "name": "d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                      "properties": {
                        "creationTimeUtc": "2018-04-02T11:41:27.0541014Z",
                        "lastStateChangeTimeUtc": "2018-04-02T11:41:27.0541014Z",
                        "securityTaskParameters": {
                          "isDataDiskEncrypted": false,
                          "isOsDiskEncrypted": false,
                          "name": "EncryptionOnVm",
                          "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "severity": "High",
                          "uniqueKey": "EncryptionOnVmTaskParameters_/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "vmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                          "vmName": "vm1"
                        },
                        "state": "Active",
                        "subState": "NA"
                      },
                      "type": "Microsoft.Security/locations/tasks"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}": {
      "get": {
        "description": "Recommended tasks that will help improve the security of the subscription proactively",
        "operationId": "Tasks_GetResourceGroupLevelTask",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/TaskName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/SecurityTask"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Get security recommendation task in a resource group": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
              "taskName": "d55b4dc0-779c-c66c-33e5-d7bce24c4222"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Security/locations/westeurope/tasks/d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                  "name": "d55b4dc0-779c-c66c-33e5-d7bce24c4222",
                  "properties": {
                    "creationTimeUtc": "2018-04-02T11:41:27.0541014Z",
                    "lastStateChangeTimeUtc": "2018-04-02T11:41:27.0541014Z",
                    "securityTaskParameters": {
                      "isDataDiskEncrypted": false,
                      "isOsDiskEncrypted": false,
                      "name": "EncryptionOnVm",
                      "resourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                      "severity": "High",
                      "uniqueKey": "EncryptionOnVmTaskParameters_/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                      "vmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg/providers/Microsoft.Compute/virtualMachines/vm1",
                      "vmName": "vm1"
                    },
                    "state": "Active",
                    "subState": "NA"
                  },
                  "type": "Microsoft.Security/locations/tasks"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/tasks/{taskName}/{taskUpdateActionType}": {
      "post": {
        "description": "Recommended tasks that will help improve the security of the subscription proactively",
        "operationId": "Tasks_UpdateResourceGroupLevelTaskState",
        "parameters": [
          {
            "$ref": "#/parameters/ApiVersion"
          },
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/TaskName"
          },
          {
            "$ref": "#/parameters/TaskUpdateActionType"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Tasks"
        ],
        "x-ms-examples": {
          "Change security recommendation task state": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
              "taskName": "d55b4dc0-779c-c66c-33e5-d7bce24c4222",
              "taskUpdateActionType": "Dismiss"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/topologies/{topologyResourceName}": {
      "get": {
        "description": "Gets a specific topology component.",
        "operationId": "Topology_Get",
        "parameters": [
          {
            "$ref": "#/parameters/SubscriptionId"
          },
          {
            "$ref": "#/parameters/ResourceGroupName"
          },
          {
            "$ref": "#/parameters/AscLocation"
          },
          {
            "$ref": "#/parameters/TopologyResourceName"
          },
          {
            "$ref": "#/parameters/ApiVersion"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/TopologyResource"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "$ref": "#/definitions/CloudError"
            }
          }
        },
        "tags": [
          "Topology"
        ],
        "x-ms-examples": {
          "Get topology": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "centralus",
              "resourceGroupName": "myservers",
              "subscriptionId": "3eeab341-f466-499c-a8be-85427e154bad",
              "topologyResourceName": "vnets"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Security/locations/centralus/topologies/vnets",
                  "location": "westus",
                  "name": "vnets",
                  "properties": {
                    "calculatedDateTime": "2018-07-10T13:56:10.5755270Z",
                    "topologyResources": [
                      {
                        "children": [
                          {
                            "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet"
                          }
                        ],
                        "location": "westus",
                        "networkZones": "InternetFacing",
                        "recommendationsExist": false,
                        "resourceId": "/subscriptions/3eeab341-f466-499c-a8be-85427e154bad/resourceGroups/myservers/providers/Microsoft.Network/virtualNetworks/myvnet",
                        "severity": "Healthy",
                        "topologyScore": 0
                      }
                    ]
                  },
                  "type": "Microsoft.Security/locations/topologies"
                }
              }
            }
          }
        }
      }
    }
  },
  "definitions": {
    "AadConnectivityState": {
      "description": "Describes an Azure resource with kind",
      "properties": {
        "connectivityState": {
          "enum": [
            "Discovered",
            "NotLicensed",
            "Connected"
          ],
          "title": "The connectivity state of the external AAD solution",
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "AadConnectivityState",
            "values": [
              {
                "value": "Discovered"
              },
              {
                "value": "NotLicensed"
              },
              {
                "value": "Connected"
              }
            ]
          }
        }
      },
      "type": "object"
    },
    "AadExternalSecuritySolution": {
      "allOf": [
        {
          "$ref": "#/definitions/ExternalSecuritySolution"
        }
      ],
      "description": "Represents an AAD identity protection solution which sends logs to an OMS workspace.",
      "properties": {
        "properties": {
          "$ref": "#/definitions/AadSolutionProperties"
        }
      },
      "type": "object",
      "x-ms-discriminator-value": "AAD"
    },
    "AadSolutionProperties": {
      "allOf": [
        {
          "$ref": "#/definitions/ExternalSecuritySolutionProperties"
        },
        {
          "$ref": "#/definitions/AadConnectivityState"
        }
      ],
      "title": "The external security solution properties for AAD solutions",
      "type": "object"
    },
    "Alert": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        }
      ],
      "description": "Security alert",
      "properties": {
        "properties": {
          "$ref": "#/definitions/AlertProperties",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "AlertConfidenceReason": {
      "description": "Factors that increase our confidence that the alert is a true positive",
      "properties": {
        "reason": {
          "description": "description of the confidence reason",
          "readOnly": true,
          "type": "string"
        },
        "type": {
          "description": "Type of confidence factor",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "AlertEntity": {
      "additionalProperties": true,
      "description": "Changing set of properties depending on the entity type.",
      "properties": {
        "type": {
          "description": "Type of entity",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "AlertExtendedProperties": {
      "additionalProperties": true,
      "description": "Changing set of properties depending on the alert type.",
      "type": "object"
    },
    "AlertList": {
      "description": "List of security alerts",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/Alert"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "AlertProperties": {
      "description": "describes security alert properties.",
      "properties": {
        "actionTaken": {
          "description": "The action that was taken as a response to the alert (Active, Blocked etc.)",
          "readOnly": true,
          "type": "string"
        },
        "alertDisplayName": {
          "description": "Display name of the alert type",
          "readOnly": true,
          "type": "string"
        },
        "alertName": {
          "description": "Name of the alert type",
          "readOnly": true,
          "type": "string"
        },
        "associatedResource": {
          "description": "Azure resource ID of the associated resource",
          "readOnly": true,
          "type": "string"
        },
        "canBeInvestigated": {
          "description": "Whether this alert can be investigated with Azure Security Center",
          "readOnly": true,
          "type": "boolean"
        },
        "compromisedEntity": {
          "description": "The entity that the incident happened on",
          "readOnly": true,
          "type": "string"
        },
        "confidenceReasons": {
          "description": "reasons the alert got the confidenceScore value",
          "items": {
            "$ref": "#/definitions/AlertConfidenceReason"
          },
          "type": "array"
        },
        "confidenceScore": {
          "description": "Level of confidence we have in the alert",
          "format": "float",
          "maximum": 1,
          "minimum": 0,
          "readOnly": true,
          "type": "number"
        },
        "description": {
          "description": "Description of the incident and what it means",
          "readOnly": true,
          "type": "string"
        },
        "detectedTimeUtc": {
          "description": "The time the incident was detected by the vendor",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "entities": {
          "description": "Objects that are related to this alert",
          "items": {
            "$ref": "#/definitions/AlertEntity"
          },
          "type": "array"
        },
        "extendedProperties": {
          "$ref": "#/definitions/AlertExtendedProperties"
        },
        "instanceId": {
          "description": "Instance ID of the alert.",
          "readOnly": true,
          "type": "string"
        },
        "isIncident": {
          "description": "Whether this alert is for incident type or not (otherwise - single alert)",
          "readOnly": true,
          "type": "boolean"
        },
        "remediationSteps": {
          "description": "Recommended steps to remediate the incident",
          "readOnly": true,
          "type": "string"
        },
        "reportedSeverity": {
          "description": "Estimated severity of this alert",
          "enum": [
            "Silent",
            "Information",
            "Low",
            "High"
          ],
          "readOnly": true,
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "reportedSeverity",
            "values": [
              {
                "value": "Silent"
              },
              {
                "value": "Information"
              },
              {
                "value": "Low"
              },
              {
                "value": "High"
              }
            ]
          }
        },
        "reportedTimeUtc": {
          "description": "The time the incident was reported to Microsoft.Security in UTC",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "state": {
          "description": "State of the alert (Active, Dismissed etc.)",
          "readOnly": true,
          "type": "string"
        },
        "subscriptionId": {
          "description": "Azure subscription ID of the resource that had the security alert or the subscription ID of the workspace that this resource reports to",
          "readOnly": true,
          "type": "string"
        },
        "systemSource": {
          "description": "The type of the alerted resource (Azure, Non-Azure)",
          "readOnly": true,
          "type": "string"
        },
        "vendorName": {
          "description": "Name of the vendor that discovered the incident",
          "readOnly": true,
          "type": "string"
        },
        "workspaceArmId": {
          "description": "Azure resource ID of the workspace that the alert was reported to.",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "AllowedConnectionsList": {
      "description": "List of all possible traffic between Azure resources",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/AllowedConnectionsResource"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "AllowedConnectionsResource": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        },
        {
          "$ref": "#/definitions/Location"
        }
      ],
      "description": "The resource whose properties describe the allowed traffic between Azure resources",
      "properties": {
        "properties": {
          "$ref": "#/definitions/AllowedConnectionsResourceProperties",
          "readOnly": true,
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "AllowedConnectionsResourceProperties": {
      "description": "Describes the allowed traffic between Azure resources",
      "properties": {
        "calculatedDateTime": {
          "description": "The UTC time on which the allowed connections resource was calculated",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "connectableResources": {
          "description": "List of connectable resources",
          "items": {
            "$ref": "#/definitions/ConnectableResource"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "AscLocation": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        }
      ],
      "description": "The ASC location of the subscription is in the \"name\" field",
      "properties": {
        "properties": {
          "$ref": "#/definitions/AscLocationProperties",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "AscLocationList": {
      "description": "List of locations where ASC saves your data",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/AscLocation"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "AscLocationProperties": {
      "description": "An empty set of properties",
      "type": "object"
    },
    "AtaExternalSecuritySolution": {
      "allOf": [
        {
          "$ref": "#/definitions/ExternalSecuritySolution"
        }
      ],
      "description": "Represents an ATA security solution which sends logs to an OMS workspace",
      "properties": {
        "properties": {
          "$ref": "#/definitions/AtaSolutionProperties"
        }
      },
      "type": "object",
      "x-ms-discriminator-value": "ATA"
    },
    "AtaSolutionProperties": {
      "allOf": [
        {
          "$ref": "#/definitions/ExternalSecuritySolutionProperties"
        }
      ],
      "properties": {
        "lastEventReceived": {
          "type": "string"
        }
      },
      "title": "The external security solution properties for ATA solutions",
      "type": "object"
    },
    "CefExternalSecuritySolution": {
      "allOf": [
        {
          "$ref": "#/definitions/ExternalSecuritySolution"
        }
      ],
      "description": "Represents a security solution which sends CEF logs to an OMS workspace",
      "properties": {
        "properties": {
          "$ref": "#/definitions/CefSolutionProperties"
        }
      },
      "type": "object",
      "x-ms-discriminator-value": "CEF"
    },
    "CefSolutionProperties": {
      "allOf": [
        {
          "$ref": "#/definitions/ExternalSecuritySolutionProperties"
        }
      ],
      "properties": {
        "agent": {
          "type": "string"
        },
        "hostname": {
          "type": "string"
        },
        "lastEventReceived": {
          "type": "string"
        }
      },
      "title": "The external security solution properties for CEF solutions",
      "type": "object"
    },
    "CloudError": {
      "description": "Error response structure.",
      "properties": {
        "error": {
          "$ref": "#/definitions/CloudErrorBody",
          "description": "Error data",
          "x-ms-client-flatten": true
        }
      },
      "type": "object",
      "x-ms-external": true
    },
    "CloudErrorBody": {
      "description": "Error details.",
      "properties": {
        "code": {
          "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
          "readOnly": true,
          "type": "string"
        },
        "message": {
          "description": "A message describing the error, intended to be suitable for display in a user interface.",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object",
      "x-ms-external": true
    },
    "ConnectableResource": {
      "description": "Describes the allowed inbound and outbound traffic of an Azure resource",
      "properties": {
        "id": {
          "description": "The Azure resource id",
          "readOnly": true,
          "type": "string"
        },
        "inboundConnectedResources": {
          "description": "The list of Azure resources that the resource has inbound allowed connection from",
          "items": {
            "$ref": "#/definitions/ConnectedResource"
          },
          "readOnly": true,
          "type": "array"
        },
        "outboundConnectedResources": {
          "description": "The list of Azure resources that the resource has outbound allowed connection to",
          "items": {
            "$ref": "#/definitions/ConnectedResource"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "ConnectedResource": {
      "description": "Describes properties of a connected resource",
      "properties": {
        "connectedResourceId": {
          "description": "The Azure resource id of the connected resource",
          "readOnly": true,
          "type": "string"
        },
        "tcpPorts": {
          "description": "The allowed tcp ports",
          "readOnly": true,
          "type": "string"
        },
        "udpPorts": {
          "description": "The allowed udp ports",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "ConnectedWorkspace": {
      "properties": {
        "id": {
          "description": "Azure resource ID of the connected OMS workspace",
          "type": "string"
        }
      },
      "title": "Represents an OMS workspace to which the solution is connected",
      "type": "object"
    },
    "DiscoveredSecuritySolution": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        },
        {
          "$ref": "#/definitions/Location"
        }
      ],
      "properties": {
        "properties": {
          "$ref": "#/definitions/DiscoveredSecuritySolutionProperties",
          "x-ms-client-flatten": true
        }
      },
      "required": [
        "properties"
      ],
      "type": "object"
    },
    "DiscoveredSecuritySolutionList": {
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/DiscoveredSecuritySolution"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "DiscoveredSecuritySolutionProperties": {
      "properties": {
        "offer": {
          "description": "The security solutions' image offer",
          "type": "string"
        },
        "publisher": {
          "description": "The security solutions' image publisher",
          "type": "string"
        },
        "securityFamily": {
          "description": "The security family of the discovered solution",
          "enum": [
            "Waf",
            "Ngfw",
            "SaasWaf",
            "Va"
          ],
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "securityFamily",
            "values": [
              {
                "value": "Waf"
              },
              {
                "value": "Ngfw"
              },
              {
                "value": "SaasWaf"
              },
              {
                "value": "Va"
              }
            ]
          }
        },
        "sku": {
          "description": "The security solution's image sku",
          "type": "string"
        }
      },
      "required": [
        "securityFamily",
        "offer",
        "publisher",
        "sku"
      ],
      "type": "object"
    },
    "ExternalSecuritySolution": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        },
        {
          "$ref": "#/definitions/ExternalSecuritySolutionKind"
        },
        {
          "$ref": "#/definitions/Location"
        }
      ],
      "description": "Represents a security solution external to Azure Security Center which sends information to an OMS workspace and whose data is displayed by Azure Security Center.",
      "discriminator": "kind",
      "properties": {},
      "type": "object"
    },
    "ExternalSecuritySolutionKind": {
      "description": "Describes an Azure resource with kind",
      "properties": {
        "kind": {
          "description": "The kind of the external solution",
          "enum": [
            "CEF",
            "ATA",
            "AAD"
          ],
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "ExternalSecuritySolutionKind",
            "values": [
              {
                "value": "CEF"
              },
              {
                "value": "ATA"
              },
              {
                "value": "AAD"
              }
            ]
          }
        }
      },
      "type": "object"
    },
    "ExternalSecuritySolutionList": {
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/ExternalSecuritySolution"
          },
          "type": "array"
        }
      }
    },
    "ExternalSecuritySolutionProperties": {
      "additionalProperties": true,
      "description": "The solution properties (correspond to the solution kind)",
      "properties": {
        "deviceType": {
          "type": "string"
        },
        "deviceVendor": {
          "type": "string"
        },
        "workspace": {
          "$ref": "#/definitions/ConnectedWorkspace"
        }
      },
      "type": "object"
    },
    "JitNetworkAccessPoliciesList": {
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/JitNetworkAccessPolicy"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "JitNetworkAccessPolicy": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        },
        {
          "$ref": "#/definitions/Kind"
        },
        {
          "$ref": "#/definitions/Location"
        }
      ],
      "properties": {
        "properties": {
          "$ref": "#/definitions/JitNetworkAccessPolicyProperties",
          "x-ms-client-flatten": true
        }
      },
      "required": [
        "properties"
      ],
      "type": "object"
    },
    "JitNetworkAccessPolicyInitiatePort": {
      "properties": {
        "allowedSourceAddressPrefix": {
          "description": "Source of the allowed traffic. If omitted, access is requested for the source IP address from which the initiate request was sent.",
          "type": "string"
        },
        "endTimeUtc": {
          "description": "The time to close the request in UTC",
          "format": "date-time",
          "type": "string"
        },
        "number": {
          "$ref": "#/definitions/PortNumber"
        }
      },
      "required": [
        "endTimeUtc",
        "number"
      ],
      "type": "object"
    },
    "JitNetworkAccessPolicyInitiateRequest": {
      "properties": {
        "virtualMachines": {
          "description": "A list of virtual machines & ports to open access for",
          "items": {
            "$ref": "#/definitions/JitNetworkAccessPolicyInitiateVirtualMachine"
          },
          "type": "array"
        }
      },
      "required": [
        "virtualMachines"
      ],
      "type": "object"
    },
    "JitNetworkAccessPolicyInitiateVirtualMachine": {
      "properties": {
        "id": {
          "description": "Resource ID of the virtual machine that is linked to this policy",
          "type": "string"
        },
        "ports": {
          "description": "The ports to open for the resource with the `id`",
          "items": {
            "$ref": "#/definitions/JitNetworkAccessPolicyInitiatePort"
          },
          "type": "array"
        }
      },
      "required": [
        "id",
        "ports"
      ],
      "type": "object"
    },
    "JitNetworkAccessPolicyProperties": {
      "properties": {
        "provisioningState": {
          "description": "Gets the provisioning state of the Just-in-Time policy.",
          "readOnly": true,
          "type": "string"
        },
        "requests": {
          "items": {
            "$ref": "#/definitions/JitNetworkAccessRequest"
          },
          "type": "array"
        },
        "virtualMachines": {
          "description": "Configurations for Microsoft.Compute/virtualMachines resource type.",
          "items": {
            "$ref": "#/definitions/JitNetworkAccessPolicyVirtualMachine"
          },
          "type": "array"
        }
      },
      "required": [
        "virtualMachines"
      ],
      "type": "object"
    },
    "JitNetworkAccessPolicyVirtualMachine": {
      "properties": {
        "id": {
          "description": "Resource ID of the virtual machine that is linked to this policy",
          "type": "string"
        },
        "ports": {
          "description": "Port configurations for the virtual machine",
          "items": {
            "$ref": "#/definitions/JitNetworkAccessPortRule"
          },
          "type": "array"
        }
      },
      "required": [
        "id",
        "ports"
      ],
      "type": "object"
    },
    "JitNetworkAccessPortRule": {
      "properties": {
        "allowedSourceAddressPrefix": {
          "description": "Mutually exclusive with the \"allowedSourceAddressPrefixes\" parameter. Should be an IP address or CIDR, for example \"192.168.0.3\" or \"192.168.0.0/16\".",
          "type": "string"
        },
        "allowedSourceAddressPrefixes": {
          "description": "Mutually exclusive with the \"allowedSourceAddressPrefix\" parameter.",
          "items": {
            "description": "IP address or CIDR, for example \"192.168.0.3\" or \"192.168.0.0/16\".",
            "type": "string"
          },
          "type": "array"
        },
        "maxRequestAccessDuration": {
          "description": "Maximum duration for which access can be requested, in ISO 8601 duration format (for example \"PT3H\" for three hours). Minimum 5 minutes, maximum 1 day.",
          "type": "string"
        },
        "number": {
          "$ref": "#/definitions/PortNumber"
        },
        "protocol": {
          "enum": [
            "TCP",
            "UDP",
            "*"
          ],
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "protocol",
            "values": [
              {
                "value": "TCP"
              },
              {
                "value": "UDP"
              },
              {
                "name": "All",
                "value": "*"
              }
            ]
          }
        }
      },
      "required": [
        "maxRequestAccessDuration",
        "number",
        "protocol"
      ],
      "type": "object"
    },
    "JitNetworkAccessRequest": {
      "properties": {
        "requestor": {
          "description": "The identity of the person who made the request",
          "type": "string"
        },
        "startTimeUtc": {
          "description": "The start time of the request in UTC",
          "format": "date-time",
          "type": "string"
        },
        "virtualMachines": {
          "items": {
            "$ref": "#/definitions/JitNetworkAccessRequestVirtualMachine"
          },
          "type": "array"
        }
      },
      "required": [
        "requestor",
        "startTimeUtc",
        "virtualMachines"
      ],
      "type": "object"
    },
    "JitNetworkAccessRequestPort": {
      "properties": {
        "allowedSourceAddressPrefix": {
          "description": "Mutually exclusive with the \"allowedSourceAddressPrefixes\" parameter. Should be an IP address or CIDR, for example \"192.168.0.3\" or \"192.168.0.0/16\".",
          "type": "string"
        },
        "allowedSourceAddressPrefixes": {
          "description": "Mutually exclusive with the \"allowedSourceAddressPrefix\" parameter.",
          "items": {
            "description": "IP address or CIDR, for example \"192.168.0.3\" or \"192.168.0.0/16\".",
            "type": "string"
          },
          "type": "array"
        },
        "endTimeUtc": {
          "description": "The date & time at which the request ends in UTC",
          "format": "date-time",
          "type": "string"
        },
        "number": {
          "$ref": "#/definitions/PortNumber"
        },
        "status": {
          "description": "The status of the port",
          "enum": [
            "Revoked",
            "Initiated"
          ],
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "status",
            "values": [
              {
                "value": "Revoked"
              },
              {
                "value": "Initiated"
              }
            ]
          }
        },
        "statusReason": {
          "description": "A description of why the `status` has its value",
          "enum": [
            "Expired",
            "UserRequested",
            "NewerRequestInitiated"
          ],
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "statusReason",
            "values": [
              {
                "value": "Expired"
              },
              {
                "value": "UserRequested"
              },
              {
                "value": "NewerRequestInitiated"
              }
            ]
          }
        }
      },
      "required": [
        "endTimeUtc",
        "number",
        "status",
        "statusReason"
      ],
      "type": "object"
    },
    "JitNetworkAccessRequestVirtualMachine": {
      "properties": {
        "id": {
          "description": "Resource ID of the virtual machine that is linked to this policy",
          "type": "string"
        },
        "ports": {
          "description": "The ports that were opened for the virtual machine",
          "items": {
            "$ref": "#/definitions/JitNetworkAccessRequestPort"
          },
          "type": "array"
        }
      },
      "required": [
        "id",
        "ports"
      ],
      "type": "object"
    },
    "Kind": {
      "description": "Describes an Azure resource with kind",
      "properties": {
        "kind": {
          "description": "Kind of the resource",
          "type": "string"
        }
      },
      "type": "object"
    },
    "Location": {
      "description": "Describes an Azure resource with location",
      "properties": {
        "location": {
          "description": "Location where the resource is stored",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "Operation": {
      "description": "Possible operation in the REST API of Microsoft.Security",
      "properties": {
        "display": {
          "$ref": "#/definitions/OperationDisplay"
        },
        "name": {
          "description": "Name of the operation",
          "readOnly": true,
          "type": "string"
        },
        "origin": {
          "description": "Where the operation originated",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "OperationDisplay": {
      "description": "Security operation display",
      "properties": {
        "description": {
          "description": "The description of the operation.",
          "readOnly": true,
          "type": "string"
        },
        "operation": {
          "description": "The display name of the security operation.",
          "readOnly": true,
          "type": "string"
        },
        "provider": {
          "description": "The resource provider for the operation.",
          "readOnly": true,
          "type": "string"
        },
        "resource": {
          "description": "The display name of the resource the operation applies to.",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "OperationList": {
      "description": "List of possible operations for Microsoft.Security resource provider",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "description": "List of Security operations",
          "items": {
            "$ref": "#/definitions/Operation"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "PortNumber": {
      "maximum": 65535,
      "minimum": 0,
      "type": "integer"
    },
    "Resource": {
      "description": "Describes an Azure resource.",
      "properties": {
        "id": {
          "description": "Resource Id",
          "readOnly": true,
          "type": "string"
        },
        "name": {
          "description": "Resource name",
          "readOnly": true,
          "type": "string"
        },
        "type": {
          "description": "Resource type",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object",
      "x-ms-azure-resource": true
    },
    "SecurityTask": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        }
      ],
      "description": "Security task that is recommended in order to strengthen security",
      "properties": {
        "properties": {
          "$ref": "#/definitions/SecurityTaskProperties",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "SecurityTaskList": {
      "description": "List of security task recommendations",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/SecurityTask"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "SecurityTaskParameters": {
      "additionalProperties": true,
      "description": "Changing set of properties, depending on the task type that is derived from the name field",
      "properties": {
        "name": {
          "description": "Name of the task type",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "SecurityTaskProperties": {
      "description": "Describes properties of a task.",
      "properties": {
        "creationTimeUtc": {
          "description": "The time this task was discovered in UTC",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "lastStateChangeTimeUtc": {
          "description": "The time this task's details were last changed in UTC",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "securityTaskParameters": {
          "$ref": "#/definitions/SecurityTaskParameters"
        },
        "state": {
          "description": "State of the task (Active, Resolved etc.)",
          "readOnly": true,
          "type": "string"
        },
        "subState": {
          "description": "Additional data on the state of the task",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "TopologyList": {
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/TopologyResource"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "TopologyResource": {
      "allOf": [
        {
          "$ref": "#/definitions/Resource"
        },
        {
          "$ref": "#/definitions/Location"
        }
      ],
      "properties": {
        "properties": {
          "$ref": "#/definitions/TopologyResourceProperties",
          "readOnly": true,
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "TopologyResourceProperties": {
      "properties": {
        "calculatedDateTime": {
          "description": "The UTC time at which the topology was calculated",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "topologyResources": {
          "description": "Azure resources which are part of this topology resource",
          "items": {
            "$ref": "#/definitions/TopologySingleResource"
          },
          "readOnly": true,
          "type": "array"
        }
      },
      "type": "object"
    },
    "TopologySingleResource": {
      "properties": {
        "children": {
          "description": "Azure resources connected to this resource which are at a lower level in the topology view",
          "items": {
            "$ref": "#/definitions/TopologySingleResourceChild"
          },
          "readOnly": true,
          "type": "array"
        },
        "location": {
          "description": "The location of this resource",
          "readOnly": true,
          "type": "string"
        },
        "networkZones": {
          "description": "Indicates the resource connectivity level to the Internet (InternetFacing, Internal, etc.)",
          "readOnly": true,
          "type": "string"
        },
        "parents": {
          "description": "Azure resources connected to this resource which are at a higher level in the topology view",
          "items": {
            "$ref": "#/definitions/TopologySingleResourceParent"
          },
          "readOnly": true,
          "type": "array"
        },
        "recommendationsExist": {
          "description": "Indicates if the resource has security recommendations",
          "readOnly": true,
          "type": "boolean"
        },
        "resourceId": {
          "description": "Azure resource id",
          "readOnly": true,
          "type": "string"
        },
        "severity": {
          "description": "The security severity of the resource",
          "readOnly": true,
          "type": "string"
        },
        "topologyScore": {
          "description": "Score of the resource based on its security severity",
          "readOnly": true,
          "type": "integer"
        }
      },
      "type": "object"
    },
    "TopologySingleResourceChild": {
      "properties": {
        "resourceId": {
          "description": "Azure resource id which serves as child resource in topology view",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "TopologySingleResourceParent": {
      "properties": {
        "resourceId": {
          "description": "Azure resource id which serves as parent resource in topology view",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    }
  }
}