{ "swagger": "2.0", "info": { "title": "Security Center", "description": "API spec for Microsoft.Security (Azure Security Center) resource provider", "version": "2015-06-01-preview" }, "host": "management.azure.com", "schemes": [ "https" ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "security": [ { "azure_auth": [ "user_impersonation" ] } ], "securityDefinitions": { "azure_auth": { "type": "oauth2", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", "flow": "implicit", "description": "Azure Active Directory OAuth2 Flow", "scopes": { "user_impersonation": "impersonate your user account" } } }, "paths": { "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts": { "get": { "x-ms-examples": { "Get security alerts on a subscription": { "$ref": "./examples/Alerts/GetAlertsSubscription_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the subscription", "operationId": "Alerts_List", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataFilter" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataSelect" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataExpand" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts": { "get": { "x-ms-examples": { "Get security alerts on a resource group": { "$ref": "./examples/Alerts/GetAlertsResourceGroup_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the resource group", "operationId": "Alerts_ListByResourceGroup", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataFilter" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataSelect" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataExpand" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { "get": { "x-ms-examples": { "Get security alerts on a subscription from a security data location": { "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocation_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the subscription that are stored in a specific location", "operationId": "Alerts_ListSubscriptionLevelAlertsByRegion", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataFilter" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataSelect" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataExpand" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { "get": { "x-ms-examples": { "Get security alerts on a resource group from a security data location": { "$ref": "./examples/Alerts/GetAlertsResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the resource group that are stored in a specific location", "operationId": "Alerts_ListResourceGroupLevelAlertsByRegion", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataFilter" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataSelect" }, { "$ref": "../../../common/v1/types.json#/parameters/ODataExpand" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { "get": { "x-ms-examples": { "Get security alert on a subscription from a security data location": { "$ref": "./examples/Alerts/GetAlertSubscriptionLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Get an alert that is associated with a subscription", "operationId": "Alerts_GetSubscriptionLevelAlert", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/Alert" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { "get": { "x-ms-examples": { "Get security alert on a resource group from a security data location": { "$ref": "./examples/Alerts/GetAlertResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Get an alert that is associated a resource group or a resource in a resource group", "operationId": "Alerts_GetResourceGroupLevelAlerts", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/Alert" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": { "post": { "x-ms-examples": { "Update security alert state on a subscription from a security data location": { "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToDismiss", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": { "post": { "x-ms-examples": { "Update security alert state on a subscription from a security data location": { "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToReactivate", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": { "post": { "x-ms-examples": { "Update security alert state on a resource group from a security data location": { "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToDismiss", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": { "post": { "x-ms-examples": { "Update security alert state on a resource group from a security data location": { "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToReactivate", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } } }, "definitions": { "AlertList": { "type": "object", "description": "List of security alerts", "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/Alert" } }, "nextLink": { "readOnly": true, "type": "string", "description": "The URI to fetch the next page." } } }, "Alert": { "type": "object", "description": "Security alert", "properties": { "properties": { "x-ms-client-flatten": true, "$ref": "#/definitions/AlertProperties" } }, "allOf": [ { "$ref": "../../../common/v1/types.json#/definitions/Resource" } ] }, "AlertProperties": { "type": "object", "description": "describes security alert properties.", "properties": { "state": { "readOnly": true, "type": "string", "description": "State of the alert (Active, Dismissed etc.)" }, "reportedTimeUtc": { "readOnly": true, "type": "string", "format": "date-time", "description": "The time the incident was reported to Microsoft.Security in UTC" }, "vendorName": { "readOnly": true, "type": "string", "description": "Name of the vendor that discovered the incident" }, "alertName": { "readOnly": true, "type": "string", "description": "Name of the alert type" }, "alertDisplayName": { "readOnly": true, "type": "string", "description": "Display name of the alert type" }, "detectedTimeUtc": { "readOnly": true, "type": "string", "format": "date-time", "description": "The time the incident was detected by the vendor" }, "description": { "readOnly": true, "type": "string", "description": "Description of the incident and what it means" }, "remediationSteps": { "readOnly": true, "type": "string", "description": "Recommended steps to reradiate the incident" }, "actionTaken": { "readOnly": true, "type": "string", "description": "The action that was taken as a response to the alert (Active, Blocked etc.)" }, "reportedSeverity": { "readOnly": true, "type": "string", "enum": [ "Silent", "Information", "Low", "High" ], "x-ms-enum": { "name": "reportedSeverity", "modelAsString": true, "values": [ { "value": "Silent" }, { "value": "Information" }, { "value": "Low" }, { "value": "High" } ] }, "description": "Estimated severity of this alert" }, "compromisedEntity": { "readOnly": true, "type": "string", "description": "The entity that the incident happened on" }, "associatedResource": { "readOnly": true, "type": "string", "description": "Azure resource ID of the associated resource" }, "extendedProperties": { "$ref": "#/definitions/AlertExtendedProperties" }, "systemSource": { "readOnly": true, "type": "string", "description": "The type of the alerted resource (Azure, Non-Azure)" }, "canBeInvestigated": { "readOnly": true, "type": "boolean", "description": "Whether this alert can be investigated with Azure Security Center" }, "isIncident": { "readOnly": true, "type": "boolean", "description": "Whether this alert is for incident type or not (otherwise - single alert)" }, "entities": { "type": "array", "description": "objects that are related to this alerts", "items": { "$ref": "#/definitions/AlertEntity" } }, "confidenceScore": { "readOnly": true, "type": "number", "format": "float", "minimum": 0, "maximum": 1, "description": "level of confidence we have on the alert" }, "confidenceReasons": { "type": "array", "description": "reasons the alert got the confidenceScore value", "items": { "$ref": "#/definitions/AlertConfidenceReason" } }, "subscriptionId": { "readOnly": true, "type": "string", "description": "Azure subscription ID of the resource that had the security alert or the subscription ID of the workspace that this resource reports to" }, "instanceId": { "readOnly": true, "type": "string", "description": "Instance ID of the alert." }, "workspaceArmId": { "readOnly": true, "type": "string", "description": "Azure resource ID of the workspace that the alert was reported to." }, "correlationKey": { "readOnly": true, "type": "string", "description": "Alerts with the same CorrelationKey will be grouped together in Ibiza." } } }, "AlertConfidenceReason": { "type": "object", "description": "Factors that increase our confidence that the alert is a true positive", "properties": { "type": { "readOnly": true, "type": "string", "description": "Type of confidence factor" }, "reason": { "readOnly": true, "type": "string", "description": "description of the confidence reason" } } }, "AlertEntity": { "type": "object", "additionalProperties": true, "description": "Changing set of properties depending on the entity type.", "properties": { "type": { "readOnly": true, "type": "string", "description": "Type of entity" } } }, "AlertExtendedProperties": { "type": "object", "additionalProperties": true, "description": "Changing set of properties depending on the alert type." } }, "parameters": { "AlertName": { "name": "alertName", "in": "path", "required": true, "type": "string", "description": "Name of the alert object", "x-ms-parameter-location": "method" } } }