{ "swagger": "2.0", "info": { "title": "Security Center", "description": "API spec for Microsoft.Security (Azure Security Center) resource provider", "version": "2019-01-01" }, "host": "management.azure.com", "schemes": [ "https" ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "security": [ { "azure_auth": [ "user_impersonation" ] } ], "securityDefinitions": { "azure_auth": { "type": "oauth2", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", "flow": "implicit", "description": "Azure Active Directory OAuth2 Flow", "scopes": { "user_impersonation": "impersonate your user account" } } }, "paths": { "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts": { "get": { "x-ms-examples": { "Get security alerts on a subscription": { "$ref": "./examples/Alerts/GetAlertsSubscription_example.json" }, "Get security alerts, that were affected by auto dismiss rule, on a subscription": { "$ref": "./examples/Alerts/GetAlertsSubscriptionWithAutoDismissRule_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the subscription", "operationId": "Alerts_List", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "#/parameters/ODataFilter" }, { "$ref": "#/parameters/ODataSelect" }, { "$ref": "#/parameters/ODataExpand" }, { "$ref": "#/parameters/AutoDismissRuleName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts": { "get": { "x-ms-examples": { "Get security alerts on a resource group": { "$ref": "./examples/Alerts/GetAlertsResourceGroup_example.json" }, "Get security alerts, that should be dismissed by auto dismiss rule, on a resource group": { "$ref": "./examples/Alerts/GetAlertsResourceGroupWithAutoDismissRule_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the resource group", "operationId": "Alerts_ListByResourceGroup", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/ODataFilter" }, { "$ref": "#/parameters/ODataSelect" }, { "$ref": "#/parameters/ODataExpand" }, { "$ref": "#/parameters/AutoDismissRuleName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { "get": { "x-ms-examples": { "Get security alerts on a subscription from a security data location": { "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocation_example.json" }, "Get security alerts, that should be dismissed by auto dismiss rule, on a subscription from a security data location": { "$ref": "./examples/Alerts/GetAlertsSubscriptionsLocationWithAutoDismissRule_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the subscription that are stored in a specific location", "operationId": "Alerts_ListSubscriptionLevelAlertsByRegion", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/ODataFilter" }, { "$ref": "#/parameters/ODataSelect" }, { "$ref": "#/parameters/ODataExpand" }, { "$ref": "#/parameters/AutoDismissRuleName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts": { "get": { "x-ms-examples": { "Get security alerts on a resource group from a security data location": { "$ref": "./examples/Alerts/GetAlertsResourceGroupLocation_example.json" }, "Get security alerts, that should be dismissed by auto dismiss rule, on a resource group from a security data location": { "$ref": "./examples/Alerts/GetAlertsResourceGroupLocationWithAutoDismissRule_example.json" } }, "tags": [ "Alerts" ], "description": "List all the alerts that are associated with the resource group that are stored in a specific location", "operationId": "Alerts_ListResourceGroupLevelAlertsByRegion", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" }, { "$ref": "#/parameters/ODataFilter" }, { "$ref": "#/parameters/ODataSelect" }, { "$ref": "#/parameters/ODataExpand" }, { "$ref": "#/parameters/AutoDismissRuleName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/AlertList" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { "get": { "x-ms-examples": { "Get security alert on a subscription from a security data location": { "$ref": "./examples/Alerts/GetAlertSubscriptionLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Get an alert that is associated with a subscription", "operationId": "Alerts_GetSubscriptionLevelAlert", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/Alert" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": { "get": { "x-ms-examples": { "Get security alert on a resource group from a security data location": { "$ref": "./examples/Alerts/GetAlertResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Get an alert that is associated a resource group or a resource in a resource group", "operationId": "Alerts_GetResourceGroupLevelAlerts", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" } ], "responses": { "200": { "description": "OK", "schema": { "$ref": "#/definitions/Alert" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": { "post": { "x-ms-examples": { "Update security alert state on a subscription from a security data location": { "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToDismiss", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": { "post": { "x-ms-examples": { "Update security alert state on a subscription from a security data location": { "$ref": "./examples/Alerts/UpdateAlertSubscriptionLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToReactivate", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": { "post": { "x-ms-examples": { "Update security alert state on a resource group from a security data location": { "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToDismiss", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": { "post": { "x-ms-examples": { "Update security alert state on a resource group from a security data location": { "$ref": "./examples/Alerts/UpdateAlertResourceGroupLocation_example.json" } }, "tags": [ "Alerts" ], "description": "Update the alert's state", "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToReactivate", "parameters": [ { "$ref": "../../../common/v1/types.json#/parameters/ApiVersion" }, { "$ref": "../../../common/v1/types.json#/parameters/SubscriptionId" }, { "$ref": "../../../common/v1/types.json#/parameters/AscLocation" }, { "$ref": "#/parameters/AlertName" }, { "$ref": "../../../common/v1/types.json#/parameters/ResourceGroupName" } ], "responses": { "204": { "description": "No Content" }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../common/v1/types.json#/definitions/CloudError" } } } } } }, "definitions": { "AlertList": { "type": "object", "description": "List of security alerts", "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/Alert" } }, "nextLink": { "readOnly": true, "type": "string", "description": "The URI to fetch the next page." } } }, "Alert": { "type": "object", "description": "Security alert", "properties": { "properties": { "x-ms-client-flatten": true, "$ref": "#/definitions/AlertProperties" } }, "allOf": [ { "$ref": "../../../common/v1/types.json#/definitions/Resource" } ] }, "AlertProperties": { "type": "object", "description": "describes security alert properties.", "properties": { "state": { "readOnly": true, "type": "string", "description": "State of the alert (Active, Dismissed etc.)" }, "reportedTimeUtc": { "readOnly": true, "type": "string", "format": "date-time", "description": "The time the incident was reported to Microsoft.Security in UTC" }, "vendorName": { "readOnly": true, "type": "string", "description": "Name of the vendor that discovered the incident" }, "alertName": { "readOnly": true, "type": "string", "description": "Name of the alert type" }, "alertDisplayName": { "readOnly": true, "type": "string", "description": "Display name of the alert type" }, "detectedTimeUtc": { "readOnly": true, "type": "string", "format": "date-time", "description": "The time the incident was detected by the vendor" }, "description": { "readOnly": true, "type": "string", "description": "Description of the incident and what it means" }, "remediationSteps": { "readOnly": true, "type": "string", "description": "Recommended steps to reradiate the incident" }, "actionTaken": { "readOnly": true, "type": "string", "description": "The action that was taken as a response to the alert (Active, Blocked etc.)" }, "reportedSeverity": { "readOnly": true, "type": "string", "enum": [ "Informational", "Low", "Medium", "High" ], "x-ms-enum": { "name": "reportedSeverity", "modelAsString": true, "values": [ { "value": "Informational" }, { "value": "Low" }, { "value": "Medium" }, { "value": "High" } ] }, "description": "Estimated severity of this alert" }, "compromisedEntity": { "readOnly": true, "type": "string", "description": "The entity that the incident happened on" }, "associatedResource": { "readOnly": true, "type": "string", "description": "Azure resource ID of the associated resource" }, "extendedProperties": { "$ref": "#/definitions/AlertExtendedProperties" }, "systemSource": { "readOnly": true, "type": "string", "description": "The type of the alerted resource (Azure, Non-Azure)" }, "canBeInvestigated": { "readOnly": true, "type": "boolean", "description": "Whether this alert can be investigated with Azure Security Center" }, "isIncident": { "readOnly": true, "type": "boolean", "description": "Whether this alert is for incident type or not (otherwise - single alert)" }, "entities": { "type": "array", "description": "objects that are related to this alerts", "items": { "$ref": "#/definitions/AlertEntity" } }, "confidenceScore": { "readOnly": true, "type": "number", "format": "float", "minimum": 0, "maximum": 1, "description": "level of confidence we have on the alert" }, "confidenceReasons": { "type": "array", "description": "reasons the alert got the confidenceScore value", "items": { "$ref": "#/definitions/AlertConfidenceReason" } }, "subscriptionId": { "readOnly": true, "type": "string", "description": "Azure subscription ID of the resource that had the security alert or the subscription ID of the workspace that this resource reports to" }, "instanceId": { "readOnly": true, "type": "string", "description": "Instance ID of the alert." }, "workspaceArmId": { "readOnly": true, "type": "string", "description": "Azure resource ID of the workspace that the alert was reported to." }, "correlationKey": { "readOnly": true, "type": "string", "description": "Alerts with the same CorrelationKey will be grouped together in Ibiza." } } }, "AlertConfidenceReason": { "type": "object", "description": "Factors that increase our confidence that the alert is a true positive", "properties": { "type": { "readOnly": true, "type": "string", "description": "Type of confidence factor" }, "reason": { "readOnly": true, "type": "string", "description": "description of the confidence reason" } } }, "AlertEntity": { "type": "object", "additionalProperties": true, "description": "Changing set of properties depending on the entity type.", "properties": { "type": { "readOnly": true, "type": "string", "description": "Type of entity" } } }, "AlertExtendedProperties": { "type": "object", "additionalProperties": true, "description": "Changing set of properties depending on the alert type." } }, "parameters": { "ODataFilter": { "name": "$filter", "in": "query", "required": false, "type": "string", "description": "OData filter. Optional.", "x-ms-parameter-location": "method" }, "ODataSelect": { "name": "$select", "in": "query", "required": false, "type": "string", "description": "OData select. Optional.", "x-ms-parameter-location": "method" }, "ODataExpand": { "name": "$expand", "in": "query", "required": false, "type": "string", "description": "OData expand. Optional.", "x-ms-parameter-location": "method" }, "AlertName": { "name": "alertName", "in": "path", "required": true, "type": "string", "description": "Name of the alert object", "x-ms-parameter-location": "method" }, "AutoDismissRuleName": { "name": "autoDismissRuleName", "in": "query", "type": "string", "description": "The name of an existing auto dismiss rule. Use it to simulate the rule on existing alerts and get the alerts that would have been dismissed if the rule was enabled when the alert was created", "x-ms-parameter-location": "method" } } }