From e53373536c9a0405bf262bffdcd955bd45a5080d Mon Sep 17 00:00:00 2001
From: Ruoxuan Wang <52271048+ruowan@users.noreply.github.com>
Date: Fri, 18 Dec 2020 21:25:48 +0800
Subject: [PATCH 1/6] Update comment.yml (#12143)
remove checkbox
---
.github/comment.yml | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/.github/comment.yml b/.github/comment.yml
index bd362a081f6e..382a48c511fa 100644
--- a/.github/comment.yml
+++ b/.github/comment.yml
@@ -8,14 +8,6 @@
- WaitForARMFeedback
onCheckedComments: "Hi, @${PRAuthor} your PR are labelled with WaitForARMFeedback. A notification email will be sent out shortly afterwards to notify ARM review board(armapireview@microsoft.com). cc @${PRAssignee} "
-- rule:
- type: checkbox
- variables:
- openapiHub: https://portal.azure-devex-tools.com
- keywords:
- - "I have reviewed the [documentation](https://aka.ms/ameonboard) for the workflow."
- onCheckedComments: "Hi, @${PRAuthor} Thanks for your PR. I am workflow bot for review process. Here are some small tips.
Please ensure to do self-check against checklists in first PR comment. PR assignee is the person auto-assigned and responsible for your current PR reviewing and merging. For specs comparison cross API versions, Use [API Specs Comparison Report Generator](${openapiHub}/tools/diff?pr=${owner}/${repo}/${PRNumber}) If there is CI failure(s), to fix CI error(s) is mandatory for PR merging; or you need to provide justification in PR comment for explanation. [How to fix?](https://github.com/Azure/azure-rest-api-specs/blob/master/documentation/ci-fix.md) Any feedback about review process or workflow bot, pls contact swagger and tools team. vsswagger@microsoft.com"
-
- rule:
type: label
label: BreakingChangeReviewRequired
@@ -47,6 +39,6 @@
openapiHub: https://openapihub.test.azure-devex-tools.com/
keywords:
- "I have reviewed the [documentation](https://aka.ms/ameonboard) for the workflow."
- onOpenedComments: "Hi, @${PRAuthor} Thanks for your PR. I am workflow bot for review process. Here are some small tips. Please ensure to do self-check against checklists in first PR comment. PR assignee is the person auto-assigned and responsible for your current PR reviewing and merging. For cross api-version diff. See [OpenAPI Hub Diff](${openapiHub}diff?pr=${owner}/${repo}/${PRNumber}) If there is CI failure(s), to fix CI error(s) is mandatory for PR merging; or you need to provide justification in PR comment for explanation. [How to fix?](https://github.com/Azure/azure-rest-api-specs/blob/master/documentation/ci-fix.md) Any feedback about review process or workflow bot, pls contact swagger and tools team. vsswagger@microsoft.com"
+ onOpenedComments: "Hi, @${PRAuthor} Thanks for your PR. I am workflow bot for review process. Here are some small tips. Please ensure to do self-check against checklists in first PR comment. PR assignee is the person auto-assigned and responsible for your current PR reviewing and merging. For specs comparison cross API versions, Use [API Specs Comparison Report Generator](${openapiHub}/tools/diff?pr=${owner}/${repo}/${PRNumber}) If there is CI failure(s), to fix CI error(s) is mandatory for PR merging; or you need to provide justification in PR comment for explanation. [How to fix?](https://github.com/Azure/azure-rest-api-specs/blob/master/documentation/ci-fix.md) Any feedback about review process or workflow bot, pls contact swagger and tools team. vsswagger@microsoft.com"
From 5a6276c5d71420c445bd0951d2d5f3008a274821 Mon Sep 17 00:00:00 2001
From: shschwar <55053268+shschwar@users.noreply.github.com>
Date: Fri, 18 Dec 2020 17:46:35 +0200
Subject: [PATCH 2/6] Commint new examples and paths (#11875)
---
.../2019-01-01-preview/SecurityInsights.json | 540 +++++++++++++++++-
.../examples/entities/GetQueries.json | 457 +++++++++++++++
.../entities/insights/PostGetInsights.json | 101 ++++
3 files changed, 1097 insertions(+), 1 deletion(-)
create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json
create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 17abc447493b..e99fa4b8ce1f 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -2200,6 +2200,108 @@
}
}
},
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/queries": {
+ "get": {
+ "x-ms-examples": {
+ "Get Entity Query": {
+ "$ref": "./examples/entities/GetQueries.json"
+ }
+ },
+ "tags": [
+ "Entities"
+ ],
+ "description": "Get Insights and Activities for an entity.",
+ "operationId": "Entities_Queries",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/EntityId"
+ },
+ {
+ "$ref": "#/parameters/EntityQueryKindParam"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/GetQueriesResponse"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/getInsights": {
+ "post": {
+ "x-ms-examples": {
+ "Entity Insight": {
+ "$ref": "./examples/entities/insights/PostGetInsights.json"
+ }
+ },
+ "tags": [
+ "Entities"
+ ],
+ "description": "Execute Insights for an entity.",
+ "operationId": "Entities_GetInsights",
+ "parameters": [
+ {
+ "$ref": "#/parameters/ApiVersion"
+ },
+ {
+ "$ref": "#/parameters/SubscriptionId"
+ },
+ {
+ "$ref": "#/parameters/ResourceGroupName"
+ },
+ {
+ "$ref": "#/parameters/OperationalInsightsResourceProvider"
+ },
+ {
+ "$ref": "#/parameters/WorkspaceName"
+ },
+ {
+ "$ref": "#/parameters/EntityId"
+ },
+ {
+ "$ref": "#/parameters/GetInsightsEntityQueriesRequestBody"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "$ref": "#/definitions/EntityGetInsightsResponse"
+ }
+ },
+ "default": {
+ "description": "Error response describing why the operation failed.",
+ "schema": {
+ "$ref": "#/definitions/CloudError"
+ }
+ }
+ }
+ }
+ },
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/entities/{entityId}/relations": {
"get": {
"x-ms-examples": {
@@ -6242,6 +6344,18 @@
}
}
},
+ "GetQueriesResponse": {
+ "description": "Retrieve queries for entity result operation response.",
+ "properties": {
+ "value": {
+ "description": "The query result values.",
+ "items": {
+ "$ref": "#/definitions/EntityQueryItem"
+ },
+ "type": "array"
+ }
+ }
+ },
"EntityInnerKind": {
"description": "The kind of the entity",
"enum": [
@@ -6475,7 +6589,8 @@
"kind": {
"description": "The kind of the entity query",
"enum": [
- "Expansion"
+ "Expansion",
+ "Insight"
],
"type": "string",
"x-ms-enum": {
@@ -6484,6 +6599,9 @@
"values": [
{
"value": "Expansion"
+ },
+ {
+ "value": "Insight"
}
]
}
@@ -6862,6 +6980,156 @@
},
"type": "object"
},
+ "InsightQueryItem": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityQueryItem"
+ }
+ ],
+ "description": "Represents Insight Query.",
+ "properties": {
+ "properties": {
+ "description": "Properties bag for InsightQueryItem",
+ "$ref": "#/definitions/InsightQueryItemProperties"
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Insight"
+ },
+ "InsightQueryItemProperties": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/EntityQueryItemProperties"
+ }
+ ],
+ "description": "Represents Insight Query.",
+ "properties": {
+ "displayName": {
+ "type": "string",
+ "description": "The insight display name."
+ },
+ "description": {
+ "type": "string",
+ "description": "The insight description."
+ },
+ "baseQuery": {
+ "type": "string",
+ "description": "The base query of the insight."
+ },
+ "tableQuery": {
+ "type": "object",
+ "description": "The insight table query.",
+ "properties": {
+ "columnsDefinitions": {
+ "type": "array",
+ "description": "List of insight column definitions.",
+ "items": {
+ "properties": {
+ "header": {
+ "type": "string",
+ "description": "Insight column header."
+ },
+ "outputType": {
+ "type": "string",
+ "description": "Insights Column type.",
+ "enum": [
+ "Number",
+ "String",
+ "Date",
+ "Entity"
+ ]
+ },
+ "supportDeepLink": {
+ "type": "boolean",
+ "description": "Is query supports deep-link."
+ }
+ }
+ }
+ },
+ "queriesDefinitions": {
+ "type": "array",
+ "description": "List of insight queries definitions.",
+ "items": {
+ "properties": {
+ "filter": {
+ "type": "string",
+ "description": "Insight column header."
+ },
+ "summarize": {
+ "type": "string",
+ "description": "Insight column header."
+ },
+ "project": {
+ "type": "string",
+ "description": "Insight column header."
+ },
+ "linkColumnsDefinitions": {
+ "type": "array",
+ "description": "Insight column header.",
+ "items": {
+ "properties": {
+ "projectedName": {
+ "type": "string",
+ "description": "Insight Link Definition Projected Name."
+ },
+ "Query": {
+ "type": "string",
+ "description": "Insight Link Definition Query."
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "chartQuery": {
+ "type": "object",
+ "description": "The insight chart query."
+ },
+ "additionalQuery": {
+ "type": "object",
+ "description": "The activity query definitions.",
+ "properties": {
+ "query": {
+ "type": "string",
+ "description": "The insight query."
+ },
+ "text": {
+ "type": "string",
+ "description": "The insight text."
+ }
+ }
+ },
+ "defaultTimeRange": {
+ "type": "object",
+ "description": "The insight chart query.",
+ "properties": {
+ "beforeRange": {
+ "type": "string",
+ "description": "The padding for the start time of the query."
+ },
+ "afterRange": {
+ "type": "string",
+ "description": "The padding for the end time of the query."
+ }
+ }
+ },
+ "referenceTimeRange": {
+ "type": "object",
+ "description": "The insight chart query.",
+ "properties": {
+ "beforeRange": {
+ "type": "string",
+ "description": "Additional query time for looking back."
+ }
+ }
+ }
+ },
+ "type": "object",
+ "x-ms-discriminator-value": "Insight"
+ },
"ActivityTimelineItem": {
"allOf": [
{
@@ -10669,6 +10937,237 @@
}
},
"type": "object"
+ },
+ "EntityGetInsightsParameters": {
+ "description": "The parameters required to execute insights operation on the given entity.",
+ "type": "object",
+ "properties": {
+ "startTime": {
+ "description": "The start timeline date, so the results returned are after this date.",
+ "format": "date-time",
+ "type": "string"
+ },
+ "endTime": {
+ "description": "The end timeline date, so the results returned are before this date.",
+ "format": "date-time",
+ "type": "string"
+ },
+ "addDefaultExtendedTimeRange": {
+ "description": "Indicates if query time range should be extended with default time range of the query. Default value is false",
+ "type": "boolean"
+ },
+ "insightQueryIds": {
+ "description": "List of Insights Query Id. If empty, default value is all insights of this entity",
+ "type": "array",
+ "items": {
+ "description": "Insight Query Id (GUID)",
+ "format": "uuid",
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "startTime",
+ "endTime"
+ ]
+ },
+ "EntityGetInsightsResponse": {
+ "description": "The Get Insights result operation response.",
+ "properties": {
+ "metaData": {
+ "$ref": "#/definitions/GetInsightsResultsMetadata",
+ "description": "The metadata from the get insights operation results."
+ },
+ "value": {
+ "description": "The insights result values.",
+ "items": {
+ "$ref": "#/definitions/EntityInsightItem"
+ },
+ "type": "array"
+ }
+ }
+ },
+ "GetInsightsResultsMetadata": {
+ "description": "Get Insights result metadata.",
+ "properties": {
+ "totalCount": {
+ "description": "the total items found for the insights request",
+ "type": "integer",
+ "format": "int32"
+ },
+ "errors": {
+ "description": "information about the failed queries",
+ "items": {
+ "$ref": "#/definitions/GetInsightsError"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "totalCount"
+ ],
+ "type": "object"
+ },
+ "GetInsightsError": {
+ "description": "GetInsights Query Errors.",
+ "properties": {
+ "kind": {
+ "description": "the query kind",
+ "type": "string",
+ "enum": [
+ "Insight"
+ ]
+ },
+ "queryId": {
+ "description": "the query id",
+ "type": "string"
+ },
+ "errorMessage": {
+ "description": "the error message",
+ "type": "string"
+ }
+ },
+ "required": [
+ "kind",
+ "errorMessage"
+ ],
+ "type": "object"
+ },
+ "EntityQueryItem": {
+ "description": "An abstract Query item for entity",
+ "type": "object",
+ "discriminator": "kind",
+ "properties": {
+ "kind": {
+ "$ref": "#/definitions/EntityQueryKind",
+ "description": "The entity query kind type."
+ },
+ "id": {
+ "description": "Query Template ARM ID",
+ "type": "string",
+ "format": "uuid",
+ "readOnly": true
+ },
+ "name": {
+ "description": "Query Template ARM Name",
+ "type": "string"
+ },
+ "type": {
+ "description": "ARM Type",
+ "type": "string"
+ }
+ },
+ "required": [
+ "kind"
+ ]
+ },
+ "EntityQueryItemProperties": {
+ "description": "An properties abstract Query item for entity",
+ "type": "object",
+ "properties": {
+ "dataTypes": {
+ "description": "Data types for template",
+ "type": "array",
+ "items": {
+ "properties": {
+ "dataType": {
+ "description": "Data type name",
+ "type": "string"
+ }
+ }
+ }
+ },
+ "inputEntityType": {
+ "description": "The type of the entity",
+ "$ref": "#/definitions/EntityInnerType"
+ },
+ "requiredInputFieldsSets": {
+ "description": "Data types for template",
+ "type": "array",
+ "items": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "entitiesFilter": {
+ "description": "The query applied only to entities matching to all filters",
+ "type": "object"
+ }
+ }
+ },
+ "EntityInsightItem": {
+ "description": "Entity insight Item.",
+ "type": "object",
+ "properties": {
+ "queryId": {
+ "type": "string",
+ "description": "The query id of the insight"
+ },
+ "queryTimeInterval": {
+ "type": "object",
+ "description": "The Time interval that the query actually executed on.",
+ "properties": {
+ "startTime": {
+ "format": "date-time",
+ "type": "string",
+ "description": "Insight query start time"
+ },
+ "endTime": {
+ "format": "date-time",
+ "type": "string",
+ "description": "Insight query end time"
+ }
+ }
+ },
+ "tableQueryResults": {
+ "$ref": "#/definitions/InsightsTableResult",
+ "description": "Query results for table insights query."
+ },
+ "chartQueryResults": {
+ "type": "array",
+ "description": "Query results for table insights query.",
+ "items": {
+ "$ref": "#/definitions/InsightsTableResult",
+ "description": "Query results for table insights query."
+ }
+ }
+ }
+ },
+ "InsightsTableResult": {
+ "type": "object",
+ "description": "Query results for table insights query.",
+ "properties": {
+ "columns": {
+ "type": "array",
+ "description": "Columns Metadata of the table",
+ "items": {
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "the type of the colum"
+ },
+ "name": {
+ "type": "string",
+ "description": "the name of the colum"
+ }
+ }
+ }
+ },
+ "rows": {
+ "type": "array",
+ "description": "Rows data of the table",
+ "items": {
+ "type": "array",
+ "description": "Single row of data",
+ "items": {
+ "type": "string",
+ "description": "Cell in the table"
+ }
+ }
+ }
+ }
}
},
"parameters": {
@@ -10864,6 +11363,16 @@
},
"x-ms-parameter-location": "method"
},
+ "GetInsightsEntityQueriesRequestBody": {
+ "description": "The parameters required to execute insights on the given entity.",
+ "name": "parameters",
+ "in": "body",
+ "required": true,
+ "schema": {
+ "$ref": "#/definitions/EntityGetInsightsParameters"
+ },
+ "x-ms-parameter-location": "method"
+ },
"EntityId": {
"description": "entity ID",
"in": "path",
@@ -10916,6 +11425,27 @@
"type": "string",
"x-ms-parameter-location": "method"
},
+ "EntityQueryKindParam": {
+ "description": "The Kind parameter for queries",
+ "in": "query",
+ "name": "kind",
+ "required": true,
+ "type": "string",
+ "enum": [
+ "Insight"
+ ],
+ "x-ms-enum": {
+ "modelAsString": true,
+ "name": "EntityItemQueryKind",
+ "values": [
+ {
+ "description": "insight",
+ "value": "Insight"
+ }
+ ]
+ },
+ "x-ms-parameter-location": "method"
+ },
"ODataFilter": {
"description": "Filters the results, based on a Boolean condition. Optional.",
"in": "query",
@@ -11078,6 +11608,14 @@
},
"x-ms-parameter-location": "method"
},
+ "ThreatIntelligenceIndicatorEntityKind": {
+ "description": "The threat intelligence entity kind",
+ "in": "query",
+ "name": "ctiEntityKind",
+ "required": false,
+ "type": "string",
+ "x-ms-parameter-location": "method"
+ },
"ThreatIntelligenceAppendTags": {
"description": "The threat intelligence append tags request body",
"in": "body",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json
new file mode 100644
index 000000000000..e0f5831092bf
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/GetQueries.json
@@ -0,0 +1,457 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
+ "kind": "Insight"
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/6db7f5d1-f41e-46c2-b935-230b36a569e6",
+ "name": "6db7f5d1-f41e-46c2-b935-230b36a569e6",
+ "type": "Microsoft.SecurityInsights/entities/queries",
+ "kind": "Insight",
+ "properties": {
+ "displayName": "Actions on account",
+ "description": "Summary of actions taken on the specified account, grouped by action: password resets and changes, account lockouts (policy or admin), account creation and deletion, account enabled and disabled\n",
+ "baseQuery": "let GetAccountActions = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string, v_Account_AADUserId:string, v_Account_SID:string){\nAuditLogs\n| where OperationName in~ ('Delete user', 'Change user password', 'Reset user password', 'Change password (self-service)', 'Reset password (by admin)', 'Reset password (self-service)', 'Update user')\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n| extend Account_Name = tostring(split(UserPrincipalName, '@')[0])\n| extend Account_UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\n| extend ModifiedProperty = parse_json(Action).displayName\n| extend ModifiedValue = parse_json(Action).newValue\n| extend Account_AADUserId = tostring(TargetResources[0].id)\n| extend DisableUser = iif(ModifiedProperty =~ 'AccountEnabled' and ModifiedValue =~ '[false]', 'True', 'False')\n| union isfuzzy=true (\nSecurityEvent\n| where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\n| extend OperationName = tostring(EventID)\n| where AccountType =~ \"user\" or isempty(AccountType)\n| extend Account_Name = TargetUserName, Account_NTDomain = TargetDomainName, Account_SID = TargetSid\n)\n| where (Account_Name =~ v_Account_Name and (Account_UPNSuffix =~ v_Account_UPNSuffix or Account_NTDomain =~ v_Account_NTDomain)) or Account_AADUserId =~ v_Account_AADUserId or Account_SID =~ v_Account_SID\n};\nGetAccountActions('CTFFUser4', '', 'seccxp.ninja', '', '')\n",
+ "tableQuery": {
+ "columnsDefinitions": [
+ {
+ "header": "Action",
+ "outputType": "String",
+ "supportDeepLink": false
+ },
+ {
+ "header": "Most Recent",
+ "outputType": "Date",
+ "supportDeepLink": false
+ },
+ {
+ "header": "Count",
+ "outputType": "Number",
+ "supportDeepLink": true
+ }
+ ],
+ "queriesDefinitions": [
+ {
+ "filter": "where OperationName in~ ('Change user password', 'Reset user password', 'Change password (self-service)', 'Reset password (by admin)', 'Reset password (self-service)', '4724', '4723')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName in~ ('Blocked from self-service password reset', '4740')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName == '4725' or (OperationName =~ 'Update user' and DisableUser =~ 'True')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName in~ ('Add user', '4720')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName in~ ('Delete user', '4726')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName in~ ('4725', 'Blocked from self-service password reset', '4740') or (OperationName =~ 'Update user' and DisableUser =~ 'True')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName in~ ('4722', '4767') or (OperationName =~ 'Update user' and DisableUser =~ 'False')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where OperationName in~ ('Update user','4738')",
+ "summarize": "summarize MostRecent = max(TimeGenerated), Count = count() by OperationName",
+ "project": "project Title = OperationName, MostRecent, Count",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Count",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ }
+ ]
+ },
+ "chartQuery": {
+ "title": "Actions by type",
+ "dataSets": [
+ {
+ "query": "summarize Count = count() by bin(TimeGenerated, 1h), OperationName",
+ "xColumnName": "TimeGenerated",
+ "yColumnName": "Count",
+ "legendColumnName": "OperationName"
+ }
+ ],
+ "type": "BarChart"
+ },
+ "additionalQuery": {
+ "text": "See all account activity",
+ "query": "project TimeGenerated, UserPrincipalName, Account_Name, OperationName, Activity, DisableUser, TargetSid, AADUserId, InitiatedBy, AADTenantId, AccountType, Computer, SubjectAccount, SubjectUserSid, EventData"
+ },
+ "defaultTimeRange": {
+ "beforeRange": "12h",
+ "afterRange": "12h"
+ },
+ "referenceTimeRange": null,
+ "dataTypes": [
+ {
+ "dataType": "AuditLogs"
+ },
+ {
+ "dataType": "SecurityEvent"
+ }
+ ],
+ "inputEntityType": "Account",
+ "requiredInputFieldsSets": [
+ [
+ "Account_Name",
+ "Account_NTDomain"
+ ],
+ [
+ "Account_Name",
+ "Account_UPNSuffix"
+ ],
+ [
+ "Account_AADUserId"
+ ],
+ [
+ "Account_SID"
+ ]
+ ],
+ "entitiesFilter": {}
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/0a5d7b14-b485-450a-a0ac-4100c860ac32",
+ "name": "0a5d7b14-b485-450a-a0ac-4100c860ac32",
+ "type": "Microsoft.SecurityInsights/entities/queries",
+ "kind": "Insight",
+ "properties": {
+ "displayName": "Anomalously high office operation count",
+ "description": "Highlight office operations of the user with anomalously high count compared to those observed in the preceding 14 days.",
+ "baseQuery": "let AScoreThresh = 3; \nlet maxAnomalies = 3;\nlet BeforeRange = 12d; \nlet EndTime = todatetime('{{EndTimeUTC}}'); \nlet StartTime = todatetime('{{StartTimeUTC}}');\nlet numDays = tolong((EndTime-StartTime)/1d); \nlet userData = (v_Account_Name:string, v_Account_UPNSuffix:string) { \n OfficeActivity \n | extend splitUserId=split(UserId, '@')\n | extend Account_Name = tostring(splitUserId[0]), Account_UPNSuffix = tostring(splitUserId[1])\n | where Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix }; \nuserData('CTFFUser4', 'seccxp.ninja')\n",
+ "tableQuery": {
+ "columnsDefinitions": [
+ {
+ "header": "Operation",
+ "outputType": "String",
+ "supportDeepLink": true
+ },
+ {
+ "header": "Expected Count",
+ "outputType": "Number",
+ "supportDeepLink": false
+ },
+ {
+ "header": "Actual Count",
+ "outputType": "Number",
+ "supportDeepLink": false
+ }
+ ],
+ "queriesDefinitions": [
+ {
+ "filter": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost=maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore-maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc\n",
+ "summarize": "take 1",
+ "project": "project Operation, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "Operation",
+ "Query": "{{BaseQuery}} \n| where TimeGenerated between (StartTime .. EndTime) \n| where Operation == ''\n"
+ }
+ ]
+ }
+ ]
+ },
+ "chartQuery": {
+ "title": "Anomalous operation timeline",
+ "dataSets": [
+ {
+ "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost=maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore-maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,round(postExpectedCount,2)) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| take 1 \n| project Operation, TimeGenerated, count_\n| mvexpand TimeGenerated, count_ | project todatetime(TimeGenerated), toint(count_), Operation\n",
+ "xColumnName": "TimeGenerated",
+ "yColumnName": "count_",
+ "legendColumnName": "Operation"
+ }
+ ],
+ "type": "LineChart"
+ },
+ "additionalQuery": {
+ "text": "Query all anomalous operations",
+ "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by Operation \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_\n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies\n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh | order by maxAnomalyScorePost desc \n| project Operation, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)\n"
+ },
+ "defaultTimeRange": {
+ "beforeRange": "1d",
+ "afterRange": "0d"
+ },
+ "referenceTimeRange": {
+ "beforeRange": "12d"
+ },
+ "dataTypes": [
+ {
+ "dataType": "OfficeActivity"
+ }
+ ],
+ "inputEntityType": "Account",
+ "requiredInputFieldsSets": [
+ [
+ "Account_Name",
+ "Account_UPNSuffix"
+ ]
+ ],
+ "entitiesFilter": {}
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/e6cf68e6-1eca-4fbb-9fad-6280f2a9476e",
+ "name": "e6cf68e6-1eca-4fbb-9fad-6280f2a9476e",
+ "type": "Microsoft.SecurityInsights/entities/queries",
+ "kind": "Insight",
+ "properties": {
+ "displayName": "Resource access",
+ "description": "Provides the count and distinct resource accesses by a given user account\n",
+ "baseQuery": "let Operations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet UserOperationToSharePoint = (v_Account_Name:string, v_Account_UPNSuffix:string) {\nOfficeActivity\n// Select sharepoint activity that is relevant\n| where RecordType in~ ('SharePointFileOperation')\n| where Operation in~ (Operations)\n| extend Account_Name = tostring(split(UserId, '@')[0])\n| extend Account_UPNSuffix = tostring(split(UserId, '@')[1])\n| where Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix\n| project TimeGenerated, Account_Name, Account_UPNSuffix, UserId, OfficeId, RecordType, Operation, OrganizationId, UserType, UserKey, OfficeWorkload, OfficeObjectId, ClientIP, ItemType, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName, SourceFileExtension , Start_Time , ElevationTime , TenantId, SourceSystem , Type\n};\nUserOperationToSharePoint ('CTFFUser4','seccxp.ninja')\n",
+ "tableQuery": {
+ "columnsDefinitions": [
+ {
+ "header": "Resource Type",
+ "outputType": "String",
+ "supportDeepLink": false
+ },
+ {
+ "header": "Distinct Resources",
+ "outputType": "Number",
+ "supportDeepLink": true
+ },
+ {
+ "header": "Total Resources",
+ "outputType": "Number",
+ "supportDeepLink": true
+ },
+ {
+ "header": "IPAddress(es)",
+ "outputType": "String",
+ "supportDeepLink": false
+ }
+ ],
+ "queriesDefinitions": [
+ {
+ "filter": "where Operation =~ 'FileUploaded'",
+ "summarize": "summarize DistinctResources = dcount(SourceFileName), TotalResources = count(SourceFileName), IPAddresses = make_set(ClientIP) by Operation",
+ "project": "project Title = Operation, DistinctResources, TotalResources, IPAddresses = case(array_length(IPAddresses) == 1, tostring(IPAddresses[0]), array_length(IPAddresses) > 1, 'Many', 'None')",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "DistinctResources",
+ "Query": "{{BaseQuery}} | "
+ },
+ {
+ "projectedName": "TotalResources",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ },
+ {
+ "filter": "where Operation =~ 'FileDownloaded'",
+ "summarize": "summarize DistinctResources = dcount(SourceFileName), TotalResources = count(SourceFileName), IPAddresses = make_set(ClientIP) by Operation",
+ "project": "project Title = Operation, DistinctResources, TotalResources, IPAddresses = case(array_length(IPAddresses) == 1, tostring(IPAddresses[0]), array_length(IPAddresses) > 1, 'Many', 'None')",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "DistinctResources",
+ "Query": "{{BaseQuery}} | "
+ },
+ {
+ "projectedName": "TotalResources",
+ "Query": "{{BaseQuery}} | "
+ }
+ ]
+ }
+ ]
+ },
+ "chartQuery": {
+ "title": "Resource access over time",
+ "dataSets": [
+ {
+ "query": "summarize DistinctResources = dcountif(Operation, Operation =~ 'FileUploaded'), TotalResources = countif(Operation =~ 'FileUploaded') by bin(TimeGenerated, 1h) | extend Legend = 'File Uploads'",
+ "xColumnName": "TimeGenerated",
+ "yColumnName": "TotalResources",
+ "legendColumnName": "Legend"
+ },
+ {
+ "query": "summarize DistinctResources = dcountif(Operation, Operation =~ 'FileDownloaded'), TotalResources = countif(Operation =~ 'FileDownloaded') by bin(TimeGenerated, 1h) | extend Legend = 'File Downloads'",
+ "xColumnName": "TimeGenerated",
+ "yColumnName": "TotalResources",
+ "legendColumnName": "Legend"
+ }
+ ],
+ "type": "LineChart"
+ },
+ "additionalQuery": {
+ "text": "See all resource activity",
+ "query": "where Operation in~ (Operations)"
+ },
+ "defaultTimeRange": {
+ "beforeRange": "12h",
+ "afterRange": "12h"
+ },
+ "referenceTimeRange": null,
+ "dataTypes": [
+ {
+ "dataType": "OfficeActivity"
+ }
+ ],
+ "inputEntityType": "Account",
+ "requiredInputFieldsSets": [
+ [
+ "Account_Name",
+ "Account_UPNSuffix"
+ ],
+ [
+ "Account_AADUserId"
+ ]
+ ],
+ "entitiesFilter": {}
+ }
+ },
+ {
+ "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/entities/e1d3d618-e11f-478b-98e3-bb381539a8e1/queries/cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4",
+ "name": "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4",
+ "type": "Microsoft.SecurityInsights/entities/queries",
+ "kind": "Insight",
+ "properties": {
+ "displayName": "Anomalously high Azure sign-in result count",
+ "description": "Highlight Azure sign-in results by the user principal with anomalously high count compared to those observed in the preceding 14 days.",
+ "baseQuery": "let AScoreThresh=3; \nlet maxAnomalies=3; \nlet BeforeRange = 12d; \nlet EndTime=todatetime('{{EndTimeUTC}}');\nlet StartTime = todatetime('{{StartTimeUTC}}'); \nlet numDays = tolong((EndTime-StartTime)/1d); \nlet userData = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AADUserId:string) { \n SigninLogs \n | where TimeGenerated between ((StartTime-BeforeRange) .. EndTime)\n | extend splitUserId=split(UserPrincipalName, '@')\n | extend Account_Name = tostring(splitUserId[0]), Account_UPNSuffix = tostring(splitUserId[1])\n | where (Account_Name =~ v_Account_Name and Account_UPNSuffix =~ v_Account_UPNSuffix) or UserId =~ v_Account_AADUserId };\nuserData('CTFFUser4', 'seccxp.ninja', '')\n",
+ "tableQuery": {
+ "columnsDefinitions": [
+ {
+ "header": "Result Description",
+ "outputType": "String",
+ "supportDeepLink": true
+ },
+ {
+ "header": "Expected Count",
+ "outputType": "Number",
+ "supportDeepLink": false
+ },
+ {
+ "header": "Actual Count",
+ "outputType": "Number",
+ "supportDeepLink": false
+ }
+ ],
+ "queriesDefinitions": [
+ {
+ "filter": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc\n",
+ "summarize": "take 1",
+ "project": "project ResultDescription, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)",
+ "linkColumnsDefinitions": [
+ {
+ "projectedName": "ResultDescription",
+ "Query": "{{BaseQuery}} \n| where TimeGenerated between (StartTime .. EndTime) \n| where ResultDescription == ''\n"
+ }
+ ]
+ }
+ ]
+ },
+ "chartQuery": {
+ "title": "Anomalous sign-in result timeline",
+ "dataSets": [
+ {
+ "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_ \n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies \n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,round(postExpectedCount,2)) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| take 1 \n| project ResultDescription, TimeGenerated, count_ \n| mvexpand TimeGenerated, count_ \n| project todatetime(TimeGenerated), toint(count_), ResultDescription \n",
+ "xColumnName": "TimeGenerated",
+ "yColumnName": "count_",
+ "legendColumnName": "ResultDescription"
+ }
+ ],
+ "type": "LineChart"
+ },
+ "additionalQuery": {
+ "text": "Query all anomalous sign-in results",
+ "query": "make-series count() default=0 on TimeGenerated from (StartTime - BeforeRange) to EndTime step 1d by ResultDescription \n| extend (anomalies,anomalyScore, expectedCount)=series_decompose_anomalies(count_,AScoreThresh,7,'linefit',numDays, 'ctukey') \n| extend count1=count_, TimeGenerated1=TimeGenerated, anomalyScore1=anomalyScore\n| mv-apply count1 to typeof(long), TimeGenerated1 to typeof(datetime), anomalyScore1 to typeof(double), anomalies to typeof(long) on (summarize totAnomalies=sumif(abs(anomalies), TimeGenerated1 < StartTime), baseStd=stdevif(count1, TimeGenerated1 < StartTime), baseAvg=avgif(count1, TimeGenerated1 < StartTime), maxCountPost=maxif(count1,TimeGenerated1 >= StartTime), maxAnomalyScorePost = maxif(anomalyScore1, TimeGenerated1 >= StartTime)) \n| extend count1=count_\n| mv-apply count1 to typeof(long), anomalyScore to typeof(double), expectedCount to typeof(double) on ( summarize (dummy, postExpectedCount, postActualCount)=arg_min(abs(anomalyScore - maxAnomalyScorePost), expectedCount, count1) ) \n| where totAnomalies < maxAnomalies\n| extend postAnomalyScore=iff(baseStd == 0 and maxCountPost > tolong(count_[0]),1000.0,maxAnomalyScorePost), postExpectedCount=iff(postExpectedCount < 0,0.0,postExpectedCount) \n| where maxAnomalyScorePost > AScoreThresh \n| order by maxAnomalyScorePost desc \n| project ResultDescription, expectedCount=round(postExpectedCount,2), actualCount=postActualCount, anomalyScore=round(postAnomalyScore,2)\n"
+ },
+ "defaultTimeRange": {
+ "beforeRange": "1d",
+ "afterRange": "0d"
+ },
+ "referenceTimeRange": {
+ "beforeRange": "12d"
+ },
+ "dataTypes": [
+ {
+ "dataType": "SigninLogs"
+ }
+ ],
+ "inputEntityType": "Account",
+ "requiredInputFieldsSets": [
+ [
+ "Account_Name",
+ "Account_UPNSuffix"
+ ],
+ [
+ "Account_AADUserId"
+ ]
+ ],
+ "entitiesFilter": {}
+ }
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json
new file mode 100644
index 000000000000..74aed1a38eb8
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities/insights/PostGetInsights.json
@@ -0,0 +1,101 @@
+{
+ "parameters": {
+ "api-version": "2019-01-01-preview",
+ "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+ "resourceGroupName": "myRg",
+ "workspaceName": "myWorkspace",
+ "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+ "entityId": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
+ "parameters": {
+ "addDefaultExtendedTimeRange": false,
+ "startTime": "2019-04-25T00:00:00.000Z",
+ "endTime": "2019-05-26T00:00:00.000Z",
+ "insightQueryIds": [
+ "cae8d0aa-aa45-4d53-8d88-17dd64ffd4e4"
+ ]
+ }
+ },
+ "responses": {
+ "200": {
+ "body": {
+ "value": [
+ {
+ "tableQueryResults": {
+ "columns": [
+ {
+ "name": "Title",
+ "type": "string"
+ },
+ {
+ "name": "NameCount",
+ "type": "long"
+ },
+ {
+ "name": "SIDCount",
+ "type": "long"
+ },
+ {
+ "name": "InternalOrder",
+ "type": "long"
+ },
+ {
+ "name": "Index",
+ "type": "long"
+ }
+ ],
+ "rows": [
+ [
+ "MyTitle",
+ "15",
+ "SID",
+ "1",
+ "1"
+ ]
+ ]
+ },
+ "chartQueryResults": [
+ {
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "Count",
+ "type": "long"
+ },
+ {
+ "name": "Legend",
+ "type": "string"
+ }
+ ],
+ "rows": [
+ [
+ "2019-04-25T00:00:00.000Z",
+ "55",
+ "SomeLegend"
+ ]
+ ]
+ }
+ ],
+ "queryTimeInterval": {
+ "startTime": "2020-07-07T23:35:20Z",
+ "endTime": "2020-11-11T23:35:20Z"
+ },
+ "queryId": "e29ee1ef-7445-455e-85f1-269f2d536d61"
+ }
+ ],
+ "metaData": {
+ "totalCount": 7,
+ "errors": [
+ {
+ "kind": "Insight",
+ "queryId": "4a70a63d-25c4-6312-b73e-4f302a90c06a",
+ "errorMessage": "Internal server error"
+ }
+ ]
+ }
+ }
+ }
+ }
+}
From ce64d347346dfcb8d7a1378dc269494f3adf7d21 Mon Sep 17 00:00:00 2001
From: napolish <67951636+napolish@users.noreply.github.com>
Date: Mon, 21 Dec 2020 03:47:42 +0200
Subject: [PATCH 3/6] [Hub Generated] Review request for
Microsoft.AlertsManagement to add version stable/2019-06-01 (#11833)
* Changing Swagger file
* Changing examples
* Fixing tags example
* Fixing tags example
* Fixing tags example
* prettier fix for white spaces
---
.../stable/2019-06-01/SmartDetectorAlertRulesApi.json | 10 ++++++++--
.../SmartDetectorAlertRule_CreateOrUpdate.json | 4 ++--
.../examples/SmartDetectorAlertRule_Get.json | 2 +-
.../examples/SmartDetectorAlertRule_List.json | 4 ++--
.../SmartDetectorAlertRule_ListByResourceGroup.json | 4 ++--
5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/SmartDetectorAlertRulesApi.json b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/SmartDetectorAlertRulesApi.json
index 2599e615fcb3..8afcd4fab926 100644
--- a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/SmartDetectorAlertRulesApi.json
+++ b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/SmartDetectorAlertRulesApi.json
@@ -384,7 +384,10 @@
},
"tags": {
"type": "object",
- "description": "The resource tags."
+ "description": "The resource tags.",
+ "additionalProperties": {
+ "type": "string"
+ }
}
},
"x-ms-azure-resource": true,
@@ -440,7 +443,10 @@
},
"tags": {
"type": "object",
- "description": "The resource tags."
+ "description": "The resource tags.",
+ "additionalProperties": {
+ "type": "string"
+ }
},
"properties": {
"x-ms-client-flatten": true,
diff --git a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_CreateOrUpdate.json b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_CreateOrUpdate.json
index 6d99b0ab58ae..635505e2f36b 100644
--- a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_CreateOrUpdate.json
+++ b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_CreateOrUpdate.json
@@ -36,7 +36,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MyAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Enabled",
@@ -65,7 +65,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MyAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Enabled",
diff --git a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_Get.json b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_Get.json
index d6adf957b004..c7e975931c6a 100644
--- a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_Get.json
+++ b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_Get.json
@@ -12,7 +12,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MyAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Enabled",
diff --git a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_List.json b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_List.json
index 3de1aac35a0a..adc1644e7f9c 100644
--- a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_List.json
+++ b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_List.json
@@ -14,7 +14,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MyAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Enabled",
@@ -41,7 +41,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MySecondAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Disabled",
diff --git a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_ListByResourceGroup.json b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_ListByResourceGroup.json
index f1e3a4f46cfb..8283132d39fe 100644
--- a/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_ListByResourceGroup.json
+++ b/specification/alertsmanagement/resource-manager/Microsoft.AlertsManagement/stable/2019-06-01/examples/SmartDetectorAlertRule_ListByResourceGroup.json
@@ -14,7 +14,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MyAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Enabled",
@@ -41,7 +41,7 @@
"type": "Microsoft.AlertsManagement/smartDetectorAlertRules",
"name": "MySecondAlertRule",
"location": "global",
- "tags": "",
+ "tags": {},
"properties": {
"description": "Sample smart detector alert rule description",
"state": "Disabled",
From c31b92dc05a9b57e52f2497773d928d255ce9057 Mon Sep 17 00:00:00 2001
From: Phoenix He
Date: Mon, 21 Dec 2020 11:01:58 +0800
Subject: [PATCH 4/6] Enable azure-sdk-for-net-track2 (#12169)
---
specificationRepositoryConfiguration.json | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/specificationRepositoryConfiguration.json b/specificationRepositoryConfiguration.json
index ee9f3dc430d4..37b32b1af862 100644
--- a/specificationRepositoryConfiguration.json
+++ b/specificationRepositoryConfiguration.json
@@ -19,6 +19,11 @@
"integrationRepository": "AzureSDKAutomation/azure-sdk-for-net",
"mainRepository": "Azure/azure-sdk-for-net"
},
+ "azure-sdk-for-net-track2": {
+ "integrationRepository": "AzureSDKAutomation/azure-sdk-for-net",
+ "mainRepository": "Azure/azure-sdk-for-net",
+ "configFilePath": "eng/swagger_to_sdk_config.json"
+ },
"azure-sdk-for-python": {
"integrationRepository": "AzureSDKAutomation/azure-sdk-for-python",
"mainRepository": "Azure/azure-sdk-for-python",
From 453f24ebec39d22b46e99abf5f31edb18fda7736 Mon Sep 17 00:00:00 2001
From: arpja <46751982+arpja@users.noreply.github.com>
Date: Mon, 21 Dec 2020 08:34:10 +0530
Subject: [PATCH 5/6] Updating existing CRR APIs with zone restore feature
(#12157)
* - Added change for support of cross zone restores.
* - updating example json
* - Fixing prettier
---
.../stable/2018-12-20/bms.json | 14 ++++++++++++++
.../examples/AzureIaasVm/RecoveryPoints_List.json | 5 ++++-
.../TriggerCrossRegionRestore_Post.json | 5 ++++-
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/bms.json b/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/bms.json
index 66fcf1cd106a..c5dd578ae810 100644
--- a/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/bms.json
+++ b/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/bms.json
@@ -2858,6 +2858,13 @@
"recoveryPointDiskConfiguration": {
"$ref": "#/definitions/RecoveryPointDiskConfiguration",
"description": "Disk configuration"
+ },
+ "zones": {
+ "description": "Identifies the zone of the VM at the time of backup. Applicable only for zone-pinned Vms",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
},
"x-ms-discriminator-value": "IaasVMRecoveryPoint"
@@ -2953,6 +2960,13 @@
"diskEncryptionSetId": {
"description": "DiskEncryptionSet's ID - needed if the VM needs to be encrypted at rest during restore with customer managed key.",
"type": "string"
+ },
+ "zones": {
+ "description": "Target zone where the VM and its disks should be restored.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
},
"x-ms-discriminator-value": "IaasVMRestoreRequest"
diff --git a/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/RecoveryPoints_List.json b/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/RecoveryPoints_List.json
index 6504b3546ee9..207d7279b695 100644
--- a/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/RecoveryPoints_List.json
+++ b/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/RecoveryPoints_List.json
@@ -63,7 +63,10 @@
],
"isManagedVirtualMachine": true,
"virtualMachineSize": "Standard_D1",
- "originalStorageAccountOption": false
+ "originalStorageAccountOption": false,
+ "zones": [
+ "1"
+ ]
}
}
],
diff --git a/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/TriggerCrossRegionRestore_Post.json b/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/TriggerCrossRegionRestore_Post.json
index ea31f675cf4d..4b56c8015e36 100644
--- a/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/TriggerCrossRegionRestore_Post.json
+++ b/specification/recoveryservicesbackup/resource-manager/Microsoft.RecoveryServices/stable/2018-12-20/examples/AzureIaasVm/TriggerCrossRegionRestore_Post.json
@@ -41,7 +41,10 @@
"targetDomainNameId": null,
"targetResourceGroupId": "/subscriptions/f2edfd5d-5496-4683-b94f-b3588c579009/resourceGroups/00networkAckl",
"targetVirtualMachineId": "/subscriptions/f2edfd5d-5496-4683-b94f-b3588c579009/resourceGroups/00networkAckl/providers/Microsoft.Compute/virtualMachines/gaallaVM",
- "virtualNetworkId": "/subscriptions/f2edfd5d-5496-4683-b94f-b3588c579009/resourceGroups/00networkAcklVaultCCY/providers/Microsoft.Network/virtualNetworks/00networkAcklVaultCCY-vnet"
+ "virtualNetworkId": "/subscriptions/f2edfd5d-5496-4683-b94f-b3588c579009/resourceGroups/00networkAcklVaultCCY/providers/Microsoft.Network/virtualNetworks/00networkAcklVaultCCY-vnet",
+ "zones": [
+ "2"
+ ]
}
}
},
From 5ffa05df8f46a74aaf8e406001f184d86ced0fc3 Mon Sep 17 00:00:00 2001
From: ShaniFelig <74960756+ShaniFelig@users.noreply.github.com>
Date: Mon, 21 Dec 2020 08:58:16 +0200
Subject: [PATCH 6/6] lastUpdatedDate for templates (#11900)
* lastUpdatedDate for templates
* fix
---
.../preview/2019-01-01-preview/SecurityInsights.json | 6 ++++++
.../alertRuleTemplates/GetAlertRuleTemplateById.json | 1 +
.../examples/alertRuleTemplates/GetAlertRuleTemplates.json | 3 +++
3 files changed, 10 insertions(+)
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index e99fa4b8ce1f..dbd3198621ef 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -4824,6 +4824,12 @@
"description": "the number of alert rules that were created by this template",
"type": "integer"
},
+ "lastUpdatedDateUTC": {
+ "description": "The last time that this alert rule template has been updated.",
+ "format": "date-time",
+ "readOnly": true,
+ "type": "string"
+ },
"createdDateUTC": {
"description": "The time that this alert rule template has been added.",
"format": "date-time",
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
index 71168e4b9897..c8bf2e708639 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplateById.json
@@ -30,6 +30,7 @@
"PrivilegeEscalation",
"LateralMovement"
],
+ "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
"createdDateUTC": "2019-02-27T00:00:00Z",
"status": "Available",
"requiredDataConnectors": [
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json
index fe89ccfea2d4..d7465f160737 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/alertRuleTemplates/GetAlertRuleTemplates.json
@@ -28,6 +28,7 @@
"PrivilegeEscalation",
"LateralMovement"
],
+ "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
"createdDateUTC": "2019-02-27T00:00:00Z",
"status": "Available",
"requiredDataConnectors": [
@@ -55,6 +56,7 @@
"Exfiltration",
"CommandAndControl"
],
+ "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
"createdDateUTC": "2019-07-25T00:00:00Z",
"status": "Available",
"severity": "High",
@@ -70,6 +72,7 @@
"productFilter": "Microsoft Cloud App Security",
"displayName": "Create incidents based on Microsoft Cloud App Security alerts",
"description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
+ "lastUpdatedDateUTC": "2020-02-27T00:00:00Z",
"createdDateUTC": "2019-07-16T00:00:00Z",
"status": "Available",
"alertRulesCreatedByTemplateCount": 0